Written by: Ferdi Gül

Welcome! We’ve come together for the last Focus Friday blog post of 2024. As we close out 2024, I wish everyone a safe, happy, and healthy new year. At the same time, we’ve completed another significant year in cybersecurity. This year, we witnessed important developments in the cybersecurity world and encountered many critical vulnerabilities. Throughout the year, we have explored numerous high-profile vulnerabilities to help organizations manage third-party risks. Today, in this final post of 2024, we will focus on critical security flaws in widely used services like Gogs Server, CrushFTP, and Apache Tomcat. In this post, we will explore what these vulnerabilities mean for Third-Party Risk Management (TPRM) professionals and how Black Kite’s FocusTags™ can provide a more effective approach to managing these risks.

Filtered view of companies with Apache Tomcat RCE FocusTag™ on the Black Kite platform.

Apache Tomcat Remote Code Execution Vulnerabilities (CVE-2024-50379, CVE-2024-56337)

What are the Apache Tomcat Remote Code Execution (RCE) Vulnerabilities?

Apache Tomcat has been identified with two critical RCE vulnerabilities: CVE-2024-50379 and CVE-2024-56337. These vulnerabilities arise from Time-of-Check to Time-of-Use (TOCTOU) race conditions, allowing attackers to execute unauthorized code on affected systems.

CVE-2024-50379 occurs during JavaServer Pages (JSP) compilation in Apache Tomcat, enabling RCE on case-insensitive file systems when the default servlet is configured with write functionality (non-default configuration). Similarly, CVE-2024-56337 results from the incomplete mitigation of CVE-2024-50379, affecting systems under the same configuration but requiring additional configuration depending on the Java version. Both vulnerabilities have a CVSS score of 9.8, indicating critical severity.

These vulnerabilities were first reported on December 17, 2024. While proof-of-concept (PoC) exploit code is available, no evidence of active exploitation has been reported. They have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and no advisory has been published by CISA.

Why should TPRM professionals care about these vulnerabilities?

Apache Tomcat is widely used to deploy Java-based web applications, making these vulnerabilities highly impactful. The risks associated with these vulnerabilities include:

  • Unauthorized Access: Attackers exploiting these vulnerabilities could gain unauthorized access to systems and sensitive data.
  • Service Disruption: Successful exploitation could lead to service disruption and potential data loss.
  • Reputation Damage: Compromises may damage an organization’s reputation and erode customer trust.

What questions should TPRM professionals ask vendors about these vulnerabilities?

To assess the risk posed by these vulnerabilities, TPRM professionals can ask the following questions:

  1. Have you updated all instances of Apache Tomcat to versions 11.0.2, 10.1.34, or 9.0.98 or later to mitigate the risk of CVE-2024-50379 and CVE-2024-56337?
  2. Can you confirm that the default servlet’s write functionality has been disabled on your Apache Tomcat servers to prevent the occurrence of the TOCTOU race condition associated with CVE-2024-50379 and CVE-2024-56337?
  3. Depending on your Java version, have you adjusted the sun.io.useCanonCaches system property as recommended to fully mitigate the risk of CVE-2024-50379 and CVE-2024-56337?
  4. Are you regularly reviewing your system logs and network activity to detect any signs of exploitation attempts related to these Apache Tomcat vulnerabilities?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate these vulnerabilities:

  • Upgrade Apache Tomcat: Update to the latest secure versions:
    • Apache Tomcat 11.0.2 or later
    • Apache Tomcat 10.1.34 or later
    • Apache Tomcat 9.0.98 or later
  • Configure Java System Properties: Depending on the Java version in use:
    • For Java 8 or Java 11: Explicitly set the sun.io.useCanonCaches system property to false.
    • For Java 17: Ensure sun.io.useCanonCaches is set to false.
    • For Java 21 and later: No additional configuration is required as the property and related cache have been removed.
  • Restrict Write Access: Ensure that the default servlet’s write functionality is disabled unless absolutely necessary.
  • Regular Monitoring: Continuously review system logs and network activity for signs of exploitation attempts.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite offers a FocusTag titled “Apache Tomcat RCE” which provides the following benefits:

  • Vendor Exposure Assessment: Identifies vendors potentially impacted by these vulnerabilities.
  • Asset Information: Supplies details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
  • Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to these vulnerabilities.

This FocusTag™ ensures efficient vendor management and proactive risk mitigation, empowering TPRM professionals to address critical vulnerabilities effectively.

Black Kite’s Apache Tomcat RCE FocusTagTM details critical insights on the event for TPRM professionals.

CrushFTP Account Takeover Vulnerability (CVE-2024-53552)

What is the CrushFTP Account Takeover Vulnerability?

CrushFTP, a widely used file transfer server, has disclosed a critical vulnerability identified as CVE-2024-53552. This flaw affects versions prior to 10.8.3 in the 10.x series and prior to 11.2.3 in the 11.x series. The vulnerability arises from improper handling of password reset functionalities, enabling attackers to craft malicious password reset links. If a user clicks on such a link, their account can be compromised, granting unauthorized access to sensitive data and system controls. The vulnerability has a CVSS score of 9.8, indicating a critical severity level. This issue was first reported on November 11, 2024. While PoC exploit code is not available, there is no evidence of active exploitation in the wild. The vulnerability has not been added to the CISA’s KEV catalog, and no advisory has been published by CISA. 

Why should TPRM professionals care about this vulnerability?

CrushFTP is widely used for secure file transfers in enterprise environments. This vulnerability poses significant risks, including:

  • Unauthorized Access: Exploitation can lead to unauthorized access to sensitive data and systems.
  • Service Disruption: Successful attacks can disrupt services, leading to downtime and potential data loss.
  • Reputation Damage: Compromises can damage an organization’s reputation and erode customer trust.

What questions should TPRM professionals ask vendors about this vulnerability?

To assess the risk posed by this vulnerability, consider asking vendors the following questions:

  1. Can you confirm if you have updated all instances of CrushFTP to version 10.8.3 or 11.2.3 to mitigate the risk of CVE-2024-53552?
  2. Have you configured the Allowed Domains for Password Resets as recommended in the advisory to prevent unauthorized access through manipulated password reset links?
  3. Can you confirm if you have taken measures to educate users about the legitimacy of password reset emails and the risks associated with clicking on malicious links?
  4. Have you implemented any additional security measures to monitor and detect unusual activity that could indicate attempted exploitation of the CVE-2024-53552 vulnerability?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate this vulnerability:

  • Upgrade CrushFTP: Update to the latest secure versions:
    • CrushFTP 10.8.3 or later
    • CrushFTP 11.2.3 or later
  • Configure Allowed Domains for Password Resets:
    • For version 10.x: Navigate to Preferences > WebInterface > MiniURL, and specify a comma-separated list of allowed domains.
    • For version 11.x: Go to Preferences > WebInterface > Login Page, and set a domain pattern that is not a wildcard (‘*’), as wildcards are no longer permitted.
  • User Awareness: Inform users to be cautious with password reset emails and to verify the legitimacy of such requests before clicking on any links.
  • Regular Monitoring: Regularly review system logs for any unusual activity that could indicate attempted exploitation.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite offers a FocusTag titled “CrushFTP Account Takeover,” which provides:

  • Vendor Exposure Assessment: Identifies vendors potentially impacted by this vulnerability.
  • Asset Information: Supplies details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
  • Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to this vulnerability.
Black Kite’s CrushFTP FocusTagTM details critical insights on the event for TPRM professionals.

Gogs Server Path Traversal Vulnerabilities (CVE-2024-55947, CVE-2024-54148)

What Are the Gogs Server Path Traversal Vulnerabilities?

Gogs, an open-source self-hosted Git service, has been identified with two critical path traversal vulnerabilities. CVE-2024-55947 is a vulnerability in the file update API of Gogs that allows authenticated users to write files to arbitrary paths on the server. Exploiting this flaw could enable an attacker to gain unauthorized SSH access, compromising the integrity of the server. Similarly, CVE-2024-54148 affects the file editing UI of Gogs, where authenticated users can commit and edit crafted symbolic link (symlink) files within a repository. This manipulation can lead to unauthorized SSH access to the server, posing significant security risks. Both vulnerabilities have a CVSS score of 8.7, indicating high severity, with an EPSS score of 0.05%, suggesting a low likelihood of exploitation. These vulnerabilities were first reported on December 23, 2024. While PoC exploit code is publicly available, there is no evidence of active exploitation in the wild, and the vulnerabilities have not yet been added to the CISA’s KEV catalog. No advisory has been published by CISA at this time.

Why should TPRM professionals care about these vulnerabilities?

Gogs is widely used for managing Git repositories, making it a critical component in many enterprise environments. These vulnerabilities can expose organizations to significant risks. Exploiting these flaws allows attackers to gain unauthorized SSH access to servers, which can lead to unauthorized access to sensitive data, server compromises, or even the manipulation of critical code repositories. Such breaches could lead to service disruption, data loss, and severe reputational damage. Given the high severity of these vulnerabilities and their potential impact on systems that rely on Gogs for version control and collaboration, TPRM professionals should prioritize assessing the exposure of their vendors.

What questions should TPRM professionals ask vendors about these vulnerabilities?

To assess the risk posed by these vulnerabilities, TPRM professionals should ask the following questions:

  1. Have you upgraded all instances of Gogs to version 0.13.1 or later to mitigate the risk of CVE-2024-55947 and CVE-2024-54148?
  2. Can you confirm if you have inspected your existing repositories for any suspicious symlink files or unauthorized modifications that could indicate exploitation attempts of CVE-2024-54148?
  3. Have you restricted repository access to trusted users until the upgrade to Gogs version 0.13.1 or later was completed to mitigate potential exploitation of CVE-2024-55947?
  4. Have you implemented regular inspections of server logs for unusual activities, particularly those related to file editing and commits, to detect potential intrusion attempts related to CVE-2024-54148 and CVE-2024-55947?

Remediation recommendations for vendors subject to this risk

Vendors should take the following actions to mitigate the risks posed by these vulnerabilities:

  • Upgrade Gogs: Immediately update to version 0.13.1 or later, where these vulnerabilities have been addressed.
  • Restrict User Access: Until the upgrade is completed, limit repository access to trusted users only to mitigate potential exploitation.
  • Review Repository Contents: Examine existing repositories for any suspicious symlink files or unauthorized modifications that could indicate exploitation attempts.
  • Monitor Server Logs: Regularly inspect server logs for unusual activities, particularly those related to file editing and commits, to detect potential intrusion attempts.
  • Implement Security Best Practices: Ensure that your Gogs instance follows security best practices, including proper configuration and regular updates, to prevent similar vulnerabilities in the future.

How TPRM professionals can leverage Black Kite for these vulnerabilities

Black Kite offers a FocusTag titled “Gogs Server,” which provides the following benefits:

  • Vendor Exposure Assessment: Identifies vendors potentially impacted by these vulnerabilities.
  • Asset Information: Provides details on assets (IP addresses and subdomains) that may be at risk, enabling targeted remediation efforts.
  • Timely Updates: Ensures that TPRM professionals are informed about the latest developments and mitigations related to these vulnerabilities.
Black Kite’s Gogs Server FocusTagTM details critical insights on the event for TPRM professionals.

Enhancing TPRM Strategies With Black Kite’s FocusTags™

In the face of increasingly sophisticated cyber threats, Black Kite’s FocusTags™ stand as a beacon for proactive Third-Party Risk Management (TPRM). This week’s vulnerabilities highlight the pressing need for targeted, efficient, and informed risk management strategies. Here’s how FocusTags™ enhance TPRM practices:

  • Real-Time Risk Identification: Instantly pinpoint vendors impacted by the latest vulnerabilities, enabling rapid responses that mitigate potential threats.
  • Strategic Risk Prioritization: Evaluate risks based on the criticality of vendors and the severity of vulnerabilities, ensuring focused efforts where they matter most.
  • Informed Vendor Conversations: Provide the intelligence necessary to engage vendors in detailed discussions about their exposure and response strategies, fostering transparency and collaboration.
  • Strengthened Cybersecurity Ecosystems: Deliver a comprehensive view of the evolving threat landscape, empowering organizations to build resilient and adaptive security frameworks.

By transforming complex cybersecurity data into actionable insights, Black Kite’s FocusTags™ revolutionize TPRM, ensuring businesses can protect their supply chains and partners against even the most sophisticated cyber threats. As vulnerabilities continue to emerge, these tags provide the clarity and precision needed for proactive and effective risk management.



Want to take a closer look at FocusTags™?


Take our platform for a test drive and request a demo today.




Request a Demo

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTagsTM in the Last 30 Days:

  • Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
  • CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
  • Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
  • BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).
  • Ivanti Cloud Services Application: CVE-2024-11639, CVE-2024-11772, CVE-2024-11772, Authentication Bypass Vulnerability Command Injection Vulnerability, and  RCE Vulnerability  SQLi Vulnerability in Ivanti Cloud Services Application.
  • Cleo File Transfer: CVE-2024-50623, CVE-2024-55956, Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
  • Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability Remote Code Execution Vulnerability in Qlik Sense Enterprise.
  • SAP NetWeaver JAVA: CVE-2024-47578, Server-Side Request Forgery (SSRF) Vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
  • PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.
  • PostgreSQL: CVE-2024-10979, Arbitrary Code Execution Vulnerability in PostgreSQL.
  • Apache Airflow: CVE-2024-45784, Debug Messages Revealing Unnecessary Information in Apache Airflow.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-56337

https://nvd.nist.gov/vuln/detail/CVE-2024-50379

https://securityonline.info/cve-2024-56337-apache-tomcat-patches-critical-rce-vulnerability

https://securityonline.info/rce-and-dos-vulnerabilities-addressed-in-apache-tomcat-cve-2024-50379-and-cve-2024-54677

https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp

https://github.com/Alchemist3dot14/CVE-2024-50379

https://nvd.nist.gov/vuln/detail/CVE-2024-53552

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

https://securityonline.info/cve-2024-53552-cvss-9-8-crushftp-flaw-exposes-users-to-account-takeover

https://nvd.nist.gov/vuln/detail/CVE-2024-55947

https://nvd.nist.gov/vuln/detail/CVE-2024-54148

https://github.com/gogs/gogs/releases