DIVD-2024-00026 - Unauthenticated RCE in Rejetto HTTP File Server

Our reference DIVD-2024-00026
Case lead Stan Plasmeijer
Author Boaz Braaksma
Researcher(s)
CVE(s)
Products
  • Rejetto HTTP File Server
Versions
  • versions 2.3x up to, and including version 2.4 RC07
Recommendation Rejetto HTTP File Server 2.3x is now obsolete and no longer supported. Update to HFS 3.
Patch status None
Workaround None
Status Open
Last modified 26 Jun 2024 15:34

Summary

The Rejetto HTTP File Server (HFS) version 2.3x up to, and including version 2.4 RC07, suffer from a server-side template injection (SSTI) vulnerability that does not require authentication. This vulnerability affects both the Windows and Wine versions. This flaw allows a remote attacker, without needing to authenticate, to execute arbitrary code with the same privileges as the HFS.exe server process. This vulnerability is present in version 2.3x up to, and including version 2.4 RC07. As version 2.x of HFS is no longer supported, users are advised to migrate to the supported version 3.x to ensure security.

Recommendations

The Rejetto HTTP File Server (HFS) version 2.3x is no longer supported by the maintainers and no patch is available. Users are recommended to upgrade to version 3.x.

What we are doing

DIVD is currently working to identify parties that are running a version of Rejetto HTTP File Servers (HFS) that contain this vulnerability and notify these parties. We do this by finding vulnerable Rejetto HFS that are connected to the Internet and verifying the version installed.

Timeline

Date Description
10 Jun 2024 DIVD starts researching the vulnerability.
10 Jun 2024 DIVD finds fingerprint, preparing to scan.
10 Jun 2024 Case opened, first version of this casefile
10 Jun 2024 DIVD starts scanning the internet for vulnerable instances.
11 Jun 2024 DIVD starts notifying network owners with a vulnerable instance in their network
24 Jun 2024 DIVD rescans the internet for vulnerable instances
26 Jun 2024 DIVD starts notifying network owners with a vulnerable instance for the second time
gantt title DIVD-2024-00026 - Unauthenticated RCE in Rejetto HTTP File Server dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00026 - Unauthenticated RCE in Rejetto HTTP File Server (still open) :2024-06-10, 2024-07-10 section Events DIVD starts researching the vulnerability. : milestone, 2024-06-10, 0d DIVD finds fingerprint, preparing to scan. : milestone, 2024-06-10, 0d Case opened, first version of this casefile : milestone, 2024-06-10, 0d DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-06-10, 0d DIVD starts notifying network owners with a vulnerable instance in their network : milestone, 2024-06-11, 0d DIVD rescans the internet for vulnerable instances : milestone, 2024-06-24, 0d DIVD starts notifying network owners with a vulnerable instance for the second time : milestone, 2024-06-26, 0d

More information