CVE-2024-52010

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: Nov 12, 2024 / Updated: 7d ago

CVSS 8.6 / EPSS 0.05% / Severity: High

Summary

A command injection vulnerability exists in the Web SSH feature of Zoraxy, a general purpose HTTP reverse proxy and forwarding tool. The Web SSH terminal lets authenticated users open SSH sessions to remote hosts from the browser; the request to create such a session is handled by HandleCreateProxySession, which assembles a bash command line (sshCommand) from the submitted hostname, port and username. Hostname and port are validated, but the username is not, so an authenticated attacker can place shell metacharacters in the username to break out of the intended ssh invocation and run arbitrary commands as root on the host.
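The two patterns at the heart of this advisory, shown side by side as an added example in Go (Zoraxy's implementation language). This is not Zoraxy's code: the function names, the allow-list regexes and the sample input are assumptions chosen to illustrate why interpolating a field into a bash command line is exploitable and why passing argv elements to exec.Command without a shell is not.

```go
package main

import (
	"fmt"
	"net"
	"os/exec"
	"regexp"
	"strconv"
)

// Added example, not Zoraxy's code. Function names and validation rules are
// assumptions; the point is the contrast between shell interpolation and argv.

// Vulnerable pattern: every field is pasted into one string that bash parses.
// A username containing ';' or other shell metacharacters ends the ssh
// command and starts a new one, which is the CWE-78 condition in the advisory.
func buildShellCommandVulnerable(username, host string, port int) *exec.Cmd {
	line := fmt.Sprintf("ssh %s@%s -p %d", username, host, port)
	return exec.Command("bash", "-c", line)
}

// Assumed allow-list: POSIX portable user names (lowercase letters, digits,
// underscore, hyphen; must not start with a digit or a hyphen).
var usernameRe = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

// Assumed allow-list for DNS hostnames; IP literals are accepted via net.ParseIP.
var hostRe = regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$`)

func validateUsername(u string) error {
	if !usernameRe.MatchString(u) {
		return fmt.Errorf("username %q contains characters outside the allow-list", u)
	}
	return nil
}

func validateHost(h string) error {
	if net.ParseIP(h) != nil || hostRe.MatchString(h) {
		return nil
	}
	return fmt.Errorf("host %q is neither an IP address nor a valid hostname", h)
}

func validatePort(p int) error {
	if p < 1 || p > 65535 {
		return fmt.Errorf("port %d out of range", p)
	}
	return nil
}

// Hardened pattern: validate every field against an allow-list, then hand the
// values to ssh as separate argv elements. No shell parses them, so
// metacharacters carry no meaning; "--" ends ssh option parsing so a value
// beginning with "-" cannot be read as an ssh flag.
func buildSSHArgs(username, host string, port int) ([]string, error) {
	if err := validateUsername(username); err != nil {
		return nil, err
	}
	if err := validateHost(host); err != nil {
		return nil, err
	}
	if err := validatePort(port); err != nil {
		return nil, err
	}
	return []string{"ssh", "-p", strconv.Itoa(port), "--", username + "@" + host}, nil
}

func buildSSHCommand(username, host string, port int) (*exec.Cmd, error) {
	args, err := buildSSHArgs(username, host, port)
	if err != nil {
		return nil, err
	}
	return exec.Command(args[0], args[1:]...), nil
}

func main() {
	// Constructed input: a username that closes the ssh command and appends "id".
	evil := "user; id #"

	vuln := buildShellCommandVulnerable(evil, "example.com", 22)
	// bash receives "ssh user; id #@example.com -p 22": ssh runs, then id runs.
	fmt.Printf("vulnerable argv: %q\n", vuln.Args)

	if _, err := buildSSHCommand(evil, "example.com", 22); err != nil {
		fmt.Println("hardened: rejected ->", err)
	}
	ok, _ := buildSSHCommand("alice", "example.com", 2222)
	// ssh receives the username as part of one argv element; nothing is re-parsed.
	fmt.Printf("hardened argv: %q\n", ok.Args)
	// Neither command is executed here; what matters is what would reach the shell.
}
```

The allow-list on the username is belt and braces: argv separation alone already removes the shell, but rejecting characters that ssh itself might interpret (a leading "-", an "@" that changes the host) keeps the value meaning what the operator intended.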

Impact

The impact of this vulnerability is severe. An attacker who exploits this flaw can execute arbitrary commands with root privileges on the affected system, which is enough to compromise it completely, potentially leading to:
1. Data theft or manipulation
2. Installation of malware or backdoors
3. Use of the compromised system as a pivot point for further network intrusion
4. Disruption of services
5. Complete system takeover
The CVSS v4 base score of 8.6 (High) reflects full confidentiality, integrity and availability impact on the host, offset only by the requirement that the attacker already holds an authenticated Zoraxy account.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

The NVD record does not name a fixed version, but the GitHub advisory (GHSA-7hpf-g48v-hw3j) linked under Patches carries a patch reference dated 2024-11-12. Check the Zoraxy releases for the version that includes this fix and upgrade; until the upgrade is in place, apply the mitigations below.

Mitigation

While waiting for a patch, the following mitigation steps are recommended. Note that exploitation requires an authenticated Zoraxy account (PR:H in the CVSS vector), so every panel credential is effectively a root credential on the host until the fix is applied:
1. Restrict access to the Web SSH feature to only essential users.
2. Implement strong authentication mechanisms and regularly rotate credentials.
3. Use network segmentation to isolate systems running Zoraxy.
4. Monitor and log all access to Zoraxy, especially the Web SSH feature, for suspicious activity.
5. Consider disabling the Web SSH feature if it is not critical for operations.
6. Implement input validation and sanitization at the application level if possible.
7. Use intrusion detection/prevention systems (IDS/IPS) to monitor for potential exploitation attempts.
8. Regularly audit and review the security configurations of systems running Zoraxy.
If Zoraxy runs in a container with the Docker socket mounted, treat the Docker host as exposed as well (see the vendor advisory below). Given the high severity of this vulnerability, it should be prioritized for immediate attention and remediation.

CVSS v3.1: not assigned. The v3.1 vector shown in the vulnerability data (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N) is a placeholder with no impact metrics and does not correspond to the 8.6 score, which comes from the v4.0 vector below.

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (all threat, environmental and supplemental metrics not defined)

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Nov 12, 2024 at 12:59 PM
CVE Assignment

NVD published the first details for CVE-2024-52010

Nov 12, 2024 at 5:15 PM
CVSS

A CVSS base score of 8.6 has been assigned.

Nov 12, 2024 at 5:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-52010.

Nov 12, 2024 at 5:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 12, 2024 at 5:24 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 17.6%)

Nov 13, 2024 at 5:06 PM

Patches

GitHub Advisory: GHSA-7hpf-g48v-hw3j

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection (a loose mapping: the weakness here is CWE-78, OS command injection through a shell-built ssh command line, not SQL injection)

Vendor Advisory

[GHSA-7hpf-g48v-hw3j] Zoraxy has an authenticated command injection in the Web SSH feature
Additionally, if Zoraxy is run in Docker with the Docker socket mounted (as described in https://github.com/tobychui/zoraxy/blob/9cb315ea6739d1cc201b690322d25166b12dc5db/docker/README.md), this vulnerability can be exploited to escape the Zoraxy container and gain access to the Docker host.
From the advisory's reproduction steps (cut off on this page): "Enter hostname / IP of any server with SSH running, e.g. github.com"

News

CVE-2024-52010 - Zoraxy Web SSH Command Injection
CVE ID : CVE-2024-52010 Published : Nov. 12, 2024, 5:15 p.m. Description : Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host. Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In HandleCreateProxySession the request to create an SSH session is handled.
CVE-2024-52010
Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host. Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In HandleCreateProxySession the request to create an SSH session is handled. An attacker can exploit the username variable to escape from the bash command and inject arbitrary commands into sshCommand. This is possible, because, unlike hostname and port, the username is not validated or sanitized.

CVSS V3.1

Unknown
