More details of and a proof-of-concept exploit for an unauthenticated OS command injection vulnerability (CVE-2024-2389) in Flowmon, Progress Softwareâs network monitoring/analysis and security solution, have been published.
The critical vulnerability has been disclosed and patched by Progress earlier this month. âCurrently, we have not received any reports that this vulnerability has been exploited, and we are not aware of any direct impacts on customers,â the company says in an advisory that was last updated on Friday.
According to Progress Software, more than 1,500 organizations from all over the world use Flowmon for network monitoring and anomaly detection. Sega, TDK, and Kia are on the list.
About CVE-2024-2389
CVE-2024-2389 is command injection vulnerability affecting Flowmon versions 11.x and 12.x, but not versions 10.x and lower.
âUnauthenticated, remote attackers can gain access to the web interface of Flowmon to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication,â the company explained.
The vulnerability was discovered and reported to Progress by David Yesland, a penetration tester at Rhino Security Labs, who detailed the discovery in a blog post published on Tuesday.
He noted that once the vulnerability is exploited and command execution is achieved, âthe application runs as the âflowmonâ user so command will be executed as this user. The flowmon user can run several commands with sudo and several of the commands can be abused to obtain a root shell.â
Rhino Security Labs published a PoC exploit and has created a module that will soon be merged into Metasploit.
Firemon customers are advised to upgrade to one of the patched versions â v12.3.5 or 11.1.14 â as soon as possible, and to then upgrade all Flowmon modules.
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot