CVE-2024-36401

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)

Published: Jul 1, 2024 / Updated: 4mo ago

CVSS 9.8 / EPSS 95.88% / Critical

Summary

GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2 contain a critical vulnerability allowing Remote Code Execution (RCE) by unauthenticated users. The vulnerability stems from the GeoTools library API unsafely evaluating property names as XPath expressions in multiple OGC request parameters. This affects ALL GeoServer instances, as it incorrectly applies XPath evaluation intended for complex feature types to simple feature types as well. The vulnerability is exploitable through various requests including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute.

Impact

The impact of this vulnerability is severe. It can lead to executing arbitrary code on affected GeoServer instances, potentially compromising the confidentiality, integrity, and availability of the system. This vulnerability requires no user interaction, can be exploited over the network, and does not require any privileges, making it a critical threat to all unpatched GeoServer installations. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), indicating maximum impact on confidentiality, integrity, and availability. Multiple proof-of-concept exploits are available, and the vulnerability is actively being exploited in the wild, having been added to the CISA Known Exploited Vulnerability list.

Exploitation

Multiple proof-of-concept exploits are available on github.com. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerabilities catalog. Its exploitation has been reported by various sources, including cisa.gov. Malware such as EAGLEDOOR (source: SOC Prime Blog), Cobalt Strike (source: Malware Archives / Cybersecurity News), GOREVERSE (source: IT Security News), JenX (source: APT Archives), and SideWalk (Windows) (source: Vumetric) are known to have been delivered through exploitation of this vulnerability. Threat actors including Earth Baxia (source: Trend Micro Research, News, Perspectives) and APT41 (source: APT Archives) have reportedly exploited this vulnerability.

Patch

Patches are available in GeoServer versions 2.23.6, 2.24.4, and 2.25.2. Users should update to these versions or later to mitigate the vulnerability. Given the critical nature of this vulnerability, updating should be treated as a high-priority task for all affected GeoServer installations.

Mitigation

For immediate mitigation, a workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer installation, where `x.y` is the GeoServer version (e.g., `gt-complex-31.1.jar` for GeoServer 2.25.1). However, this may break some GeoServer functionality or prevent deployment if the gt-complex module is needed. Therefore, the best course of action is to update to the patched versions (2.23.6, 2.24.4, or 2.25.2 or later) as soon as possible. Given the critical nature of this vulnerability, with its high CVSS score and potential for remote code execution without authentication, patching should be prioritized as a matter of urgency for all affected GeoServer installations.
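As an added defender-side check (not part of the advisory, of Feedly's page, or of GeoServer's own tooling), the following Python classifies a GeoServer instance by its version and by whether a `gt-complex-x.y.jar` is still present in `WEB-INF/lib`. The per-branch fixed versions are the ones stated above; the assumption that branches after 2.25 carry the fix is mine, and the jar listing in the example is constructed.

```python
import re

# Fixed patch level per GeoServer release branch, from the advisory text above.
FIXED_PATCH = {(2, 23): 6, (2, 24): 4, (2, 25): 2}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_GT_COMPLEX = re.compile(r"^gt-complex-\d+\.\d+\.jar$")


def is_patched(version: str) -> bool:
    """True if a GeoServer version contains the CVE-2024-36401 fix.

    The check is branch-aware: 2.25.1 is vulnerable even though it sorts
    above the fixed 2.24.4, so a plain numeric comparison is not enough.
    """
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch >= FIXED_PATCH[branch]
    # Branches before 2.23 received no fix; branches after 2.25 were
    # released after the fix (assumption: they ship the patched GeoTools).
    return branch > (2, 25)


def gt_complex_jars(lib_names):
    """Names matching gt-complex-x.y.jar in a WEB-INF/lib directory listing."""
    return sorted(n for n in lib_names if _GT_COMPLEX.match(n))


def assess(version: str, lib_names) -> str:
    """Classify an instance as 'patched', 'mitigated' or 'vulnerable'.

    'mitigated' means the version is unpatched but the gt-complex jar has
    been removed, i.e. the workaround described above has been applied.
    """
    if is_patched(version):
        return "patched"
    return "vulnerable" if gt_complex_jars(lib_names) else "mitigated"


if __name__ == "__main__":
    # Constructed listing: a 2.25.1 install with the jar still present.
    lib = ["gt-complex-31.1.jar", "gt-main-31.1.jar"]
    print(assess("2.25.1", lib))                                   # vulnerable
    print(assess("2.25.1", [n for n in lib if "complex" not in n]))  # mitigated
    print(assess("2.25.2", lib))                                   # patched
    # Real deployment: assess(version, os.listdir("webapps/geoserver/WEB-INF/lib"))
```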

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-36401.

Jun 19, 2024 at 8:05 AM / #foss4g
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jun 19, 2024 at 8:05 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (5000296)

Jul 1, 2024 at 7:53 AM
CVE Assignment

NVD published the first details for CVE-2024-36401

Jul 1, 2024 at 4:15 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 15.7%)

Jul 2, 2024 at 8:15 PM
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Jul 3, 2024 at 5:10 PM
Threat Intelligence Report

The vulnerability CVE-2024-36401 in GeoServer allows unauthenticated users to achieve Remote Code Execution (RCE) through specially crafted input, impacting versions prior to 2.25.1, 2.24.3, and 2.23.5. This critical vulnerability has the potential for exploitation in the wild, with proof-of-concept exploits available. It is advised to update to secure versions and implement mitigations to prevent unauthorized code execution and potential downstream impacts on third-party vendors utilizing GeoServer.

Jul 8, 2024 at 7:55 PM
Exploitation in the Wild

Attacks in the wild have been reported in the CISA Known Exploited Vulnerabilities catalog.

Jul 15, 2024 at 2:40 PM / CISA Known Exploited Vulnerability
Exploitation in the Wild

Attacks in the wild have been reported in the CISA Known Exploited Vulnerabilities catalog.


Affected Systems

Geotools/geotools

Exploits

https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

Github Advisory

Links to Malware Families

SideWalk

Links to Threat Actors

Axiom

Attack Patterns

CAPEC-35: Leverage Executable Code in Non-Executable Files

Vendor Advisory

[GHSA-6jj6-gm7p-fcvv] Remote Code Execution (RCE) vulnerability in geoserver
This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed by an extension you are using. Mitigation for geoserver.war deploy: stop the application server, locate the file webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jar and remove

References

CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions
GeoServer security policy provides one year of support. Upgrade GeoServer twice a year as new stable releases are made.
GeoServer 2.25.2 Release
GEOS-11390 Replace TestWfsPost with Javascript Demo Page
GeoServer RCE Attack
A remote code execution vulnerability affecting GeoServer is under active exploitation, with recent attack attempts observed on 40,000+ FortiGuard sensors. This vulnerability (CVE-2024-36401) is suspected to be exploited by the Earth Baxia APT group, as reported by FortiGuard Recon and the root cause of the vulnerability lies in the absence of proper input validation during request handling, posing a significant risk of system compromise upon successful exploitation.

News

Security Affairs newsletter Round 498 by Pierluigi Paganini – INTERNATIONAL EDITION
SECURITY AFFAIRS MALWARE NEWSLETTE
U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog
Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days. Ahold Delhaize experienced a cyber incident ...
Multiple malware families delivered exploiting GeoServer GeoTools flaw CVE-2024-36401
Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave
The Androxgh0st botnet, active since January 2024, has evolved to incorporate Mozi botnet payloads, expanding its attack surface from web servers to IoT devices.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
