DIVD-2024-00026 - Unauthenticated RCE in Rejetto HTTP File Server
Our reference | DIVD-2024-00026 |
Case lead | Stan Plasmeijer |
Author | Boaz Braaksma |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Rejetto HTTP File Server 2.3x is now obsolete and no longer supported. Update to HFS 3. |
Patch status | None |
Workaround | None |
Status | Closed |
Last modified | 07 Aug 2024 13:48 CEST |
Summary
Rejetto HTTP File Server (HFS) version 2.3x, up to and including version 2.4 RC07, suffers from a server-side template injection (SSTI) vulnerability that does not require authentication. Both the Windows and Wine versions are affected. The flaw allows a remote, unauthenticated attacker to execute arbitrary code with the same privileges as the HFS.exe server process. As version 2.x of HFS is no longer supported, users are advised to migrate to the supported version 3.x.
Recommendations
Rejetto HTTP File Server (HFS) version 2.3x is no longer supported by the maintainers and no patch is available. Users are advised to upgrade to version 3.x.
What we are doing
DIVD is currently working to identify parties that are running a version of Rejetto HTTP File Server (HFS) that contains this vulnerability and to notify these parties. We do this by finding vulnerable Rejetto HFS instances that are connected to the Internet and verifying the installed version.
Timeline
Date | Description |
---|---|
10 Jun 2024 | DIVD starts researching the vulnerability. |
10 Jun 2024 | DIVD finds fingerprint, preparing to scan. |
10 Jun 2024 | Case opened, first version of this casefile. |
10 Jun 2024 | DIVD starts scanning the internet for vulnerable instances. |
11 Jun 2024 | DIVD starts notifying network owners with a vulnerable instance in their network. |
24 Jun 2024 | DIVD rescans the internet for vulnerable instances. |
26 Jun 2024 | DIVD starts notifying network owners with a vulnerable instance for the second time. |
13 Jul 2024 | DIVD rescans the internet for vulnerable instances. |
13 Jul 2024 | DIVD starts notifying network owners with a vulnerable instance for the third time. |
13 Jul 2024 | Case closed. |
More information
- CVE-2024-23692
- National Vulnerability Database for CVE-2024-23692
- In-depth information on CVE-2024-23692
- Technical Analysis CVE-2024-23692