
Critical Vulnerability CVE-2024-55956 in Cleo Harmony


CVE-2024-55956 is a critical vulnerability affecting Cleo's Harmony, VLTrader, and LexiCom software versions prior to 5.8.0.24. This vulnerability allows unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host system by exploiting the default settings of the Autorun directory. The implications of this vulnerability are severe, as it can lead to unauthorized access and control over affected systems.

Overview of CVE-2024-55956

Affected Products

The following products and their versions are vulnerable:
  • Cleo Harmony: Versions before 5.8.0.24
  • Cleo VLTrader: Versions before 5.8.0.24
  • Cleo LexiCom: Versions before 5.8.0.24

Nature of the Vulnerability

The vulnerability arises from the software's Autorun feature, which processes command files automatically without sufficient authentication checks. This means that if an attacker can place a malicious script in the Autorun directory, it will be executed without any user intervention or authentication, potentially leading to remote code execution (RCE) on the host system.
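To make the design point concrete, here is an added example (not Cleo's code and not a description of how Cleo's Autorun feature is implemented) showing the flawed pattern the paragraph describes next to a gated alternative. Both functions only return a decision about which files would run; nothing is executed. The directory, the allow-list and the two sample files are constructed inside the demo.

```python
"""Added example, not Cleo's code: an 'autorun' dispatcher in two forms.
Neither form executes anything; each returns a decision so the gating logic
can be inspected and tested. Paths, the allow-list and the sample files are
constructed for this demo."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def autorun_unsafe(autorun_dir: str) -> list[str]:
    """Flawed pattern: every file dropped into the directory is queued for
    execution, so whoever can write to the directory controls what runs."""
    return sorted(str(p) for p in Path(autorun_dir).iterdir() if p.is_file())


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def autorun_gated(autorun_dir: str, approved_hashes: set[str]) -> dict[str, list[str]]:
    """Hardened pattern: a file is queued only if its content hash is on an
    operator-maintained allow-list and (on POSIX) nobody but the owner can
    modify it. Everything else is reported, never queued."""
    queued, rejected = [], []
    for p in sorted(Path(autorun_dir).iterdir()):
        if not p.is_file():
            continue
        digest = sha256_of(p)
        if digest not in approved_hashes:
            rejected.append(f"{p.name}: hash not approved")
            continue
        if os.name == "posix" and (p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH)):
            rejected.append(f"{p.name}: writable by group/others")
            continue
        queued.append(p.name)
    return {"queued": queued, "rejected": rejected}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one operator-approved file and one unknown drop-in."""
    with tempfile.TemporaryDirectory() as d:
        approved = Path(d) / "nightly_cleanup"
        approved.write_text("echo approved maintenance task\n")
        if os.name == "posix":
            approved.chmod(0o600)
        dropped = Path(d) / "unknown_upload"
        dropped.write_text("echo not reviewed by anyone\n")
        allow = {sha256_of(approved)}
        result = autorun_gated(d, allow)
        # The unsafe dispatcher would have queued both files.
        result["unsafe_would_run"] = [str(len(autorun_unsafe(d)))]
        return result


if __name__ == "__main__":
    print(demo())
```

The allow-list step is the part that matters: an upload path that can write into the directory no longer equals code execution, because the content still has to be approved out of band by an operator.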

Exploitation Details

Attack Vector

Attackers can exploit this vulnerability by:
  1. Uploading Malicious Files: Utilizing an arbitrary file upload vulnerability to place malicious scripts in the Autorun directory.
  2. Execution of Commands: Once a malicious script is placed in this directory, it is automatically executed by the Cleo software when it starts, allowing attackers to run arbitrary commands on the system.

Proof of Concept

Huntress security researchers demonstrated that even systems running version 5.8.0.21, which was thought to be patched against earlier vulnerabilities, remain vulnerable to CVE-2024-55956 due to insufficient fixes [2]. They created a proof-of-concept (PoC) that successfully exploited both unpatched and supposedly patched versions of the software.

Mitigation Strategies

Immediate Recommendations

Organizations using Cleo products should take immediate action to mitigate risks associated with this vulnerability:
  • Upgrade Software: Upgrade to version 5.8.0.24 or later, which reportedly includes patches for this vulnerability.
  • Disable Autorun Feature: Temporarily disable the Autorun feature until the software can be upgraded:
    • Navigate to the “Configure” menu of LexiCom, Harmony, or VLTrader.
    • Select “Options”.
    • Go to the “Other” pane and delete any contents in the “Autorun Directory” field.

Network Security Measures

In addition to software updates, organizations should:
  • Place affected systems behind firewalls to limit exposure.
  • Monitor network traffic for signs of exploitation attempts.
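The two immediate recommendations above (upgrade to 5.8.0.24 or later; clear the Autorun Directory field until the upgrade is done) can be turned into an inventory check. The following is an added example, not Cleo's code: the inventory format, the version string format and the hostnames are assumptions constructed for the demo, so verify how your deployment actually exposes version and configuration before relying on it.

```python
"""Added example, not Cleo's code: report hosts that still need the
CVE-2024-55956 mitigations. Inventory layout, version format and hostnames
are constructed assumptions for this demo."""

FIXED_VERSION = (5, 8, 0, 24)
AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}

# Constructed inventory; these are not real hosts.
INVENTORY = [
    {"host": "mft-01.example.internal", "product": "Harmony", "version": "5.8.0.21", "autorun_dir": "autorun"},
    {"host": "mft-02.example.internal", "product": "VLTrader", "version": "5.8.0.24", "autorun_dir": ""},
    {"host": "mft-03.example.internal", "product": "LexiCom", "version": "5.7.0.10", "autorun_dir": ""},
    {"host": "edi-gw.example.internal", "product": "OtherProduct", "version": "1.0", "autorun_dir": "x"},
]


def parse_version(text: str) -> tuple:
    """Turn '5.8.0.21' into (5, 8, 0, 21). Missing fields count as 0 and
    non-numeric characters are ignored, so '5.8' becomes (5, 8, 0, 0)."""
    nums = []
    for part in text.strip().split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    return tuple((nums + [0, 0, 0, 0])[:4])


def needs_upgrade(version: str) -> bool:
    """True when the version is below the fixed release 5.8.0.24."""
    return parse_version(version) < FIXED_VERSION


def assess(entry: dict) -> dict:
    """Findings for one host: an affected product below 5.8.0.24 must be
    upgraded, and until then its Autorun Directory field should be empty."""
    findings = []
    if entry["product"] in AFFECTED_PRODUCTS and needs_upgrade(entry["version"]):
        findings.append("version below 5.8.0.24: upgrade")
        if entry.get("autorun_dir", "").strip():
            findings.append("Autorun Directory still set: clear it until upgraded")
    return {"host": entry["host"], "findings": findings}


def report(inventory: list) -> list:
    """Only hosts with at least one finding."""
    return [r for r in (assess(e) for e in inventory) if r["findings"]]


if __name__ == "__main__":
    for row in report(INVENTORY):
        print(row["host"])
        for f in row["findings"]:
            print("  -", f)
```

The version comparison is deliberately tuple-based rather than string-based: a string comparison would rank "5.8.0.9" above "5.8.0.24" and silently miss a vulnerable host.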

Conclusion

CVE-2024-55956 represents a significant security risk for organizations using Cleo's file transfer software, particularly those with internet-facing deployments. The ability for unauthenticated users to execute arbitrary commands poses a serious threat that can lead to data breaches and system compromises. Immediate action through software updates and configuration changes is essential for protecting sensitive information and maintaining system integrity. Organizations are encouraged to stay informed about updates from Cleo regarding this vulnerability and follow best practices for cybersecurity hygiene to mitigate potential risks effectively.


  • https://nvd.nist.gov/


Crow

physics, information technologies, author, educator
