This Cyber Threat Intelligence report, based on extensive research conducted at OP Innovate, highlights two vulnerabilities within the Iris DFIR platform: CVE-2024-25624 (Server-Side Template Injection, SSTI) with a high-risk rating (CVSS: 6.8) and CVE-2024-34060 (Arbitrary File Write) with a high-risk rating (CVSS: 8.8). These vulnerabilities, discovered by Dan Shallom, the Director of Research at OP Innovate, pose significant security risks by allowing attackers to execute remote code and potentially gain full control over the server. Exploiting these vulnerabilities can lead to unauthorized access, data breaches, and severe system compromise.
The report provides a comprehensive analysis of the discovery process, potential impacts, and the mitigation steps that have been implemented in the latest software patches. It underscores the necessity for prompt updates, adherence to secure coding practices, and continuous system monitoring to safeguard against these vulnerabilities. This CTI report aims to inform and equip cybersecurity professionals with the knowledge required to mitigate these threats effectively.
Iris DFIR Platform Overview:
- An open-source platform enhancing incident response efficiency with centralized dashboards, automated workflows, and real-time collaboration tools.
- Integrates with Endpoint Detection and Response (EDR) tools for automated data collection and advanced analytics.
- Provides tools for artifact analysis, timeline reconstruction, and case management.
Vulnerability Details
CVE-2024-25624: Server-Side Template Injection (SSTI)
Discovery: Identified in the report generation functionality through the upload of a malicious DOCX file containing a Jinja2 payload.
Exploitation:
- A DOCX file with a payload was uploaded via the “Report Templates Management” section.
- Payload: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /etc/passwd').read() }}
- When the report was generated, the payload executed and its output was embedded in the resulting DOCX file.
Impact: The payload disclosed the content of internal files on the server. At its full potential, the vulnerability allows complete server control: the SSTI can be used to execute OS commands with root privileges, for example to set up a reverse TCP shell.
CVE-2024-34060: Arbitrary File Write
Discovery: Identified during ongoing research, this vulnerability allows an attacker with low privileges to upload a malicious template file to an arbitrary path on the server, overwriting existing files.
Exploitation:
- A crafted HTML file containing a malicious template was uploaded, targeting the error-404.html file.
- Payload: {{request.application.__globals__.__builtins__.__import__('os').popen('cat /etc/hosts').read()}}
- The filename was modified using a relative path to overwrite the legitimate template file.
Impact: Upon server restart, the server rendered the injected template, resulting in unauthorized code execution: the content of /etc/hosts was presented to any user who accessed error-404.html.
Mitigation
For CVE-2024-25624:
- Implemented in v2.4.6 of Iris.
- Secured Jinja2 Environment:
  - Blocks unsafe attributes and methods.
  - Prevents execution of harmful operations.
For CVE-2024-34060:
- Implemented in v1.0 of Iris.
- Sanitizing Filenames:
  - Utilizes secure_filename from Werkzeug to ensure safe file handling.
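As an added example (not Iris code), the two fixes described above in one small Python module: a sandboxed Jinja2 environment that refuses the SSTI payload from the exploitation section, and a path-containment check with the same intent as the secure_filename fix. The function names and the iris_templates directory are assumptions made for this example.

```python
from pathlib import Path
from typing import Optional

from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed input: the SSTI payload reported for CVE-2024-25624.
SSTI_PAYLOAD = (
    "{{ self.__init__.__globals__.__builtins__.__import__('os')"
    ".popen('cat /etc/passwd').read() }}"
)


def render_untrusted(source: str, context: dict) -> str:
    """Render a user-supplied template inside Jinja2's sandbox.

    SandboxedEnvironment routes every attribute lookup through
    is_safe_attribute(), which refuses names starting with '_' (__init__,
    __globals__, __builtins__) and raises SecurityError instead of handing
    the template a path to os.popen().
    """
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string(source).render(**context)


def template_is_blocked(source: str, context: dict) -> bool:
    """True when the sandbox refuses the template, False when it renders."""
    try:
        render_untrusted(source, context)
    except SecurityError:
        return True
    return False


def safe_template_path(templates_dir: str, user_filename: str) -> Optional[Path]:
    """Write target that is a direct child of templates_dir, or None.

    Same intent as the secure_filename() fix for CVE-2024-34060: a name such
    as ../../app/templates/error-404.html must never escape the upload dir.
    """
    if not user_filename or user_filename in {".", ".."}:
        return None
    if any(ch in user_filename for ch in "/\\\x00"):
        return None  # separators are never part of a template name
    base = Path(templates_dir).resolve()
    target = (base / user_filename).resolve()
    # resolve() follows symlinks, so a planted link inside the directory
    # that points elsewhere is rejected here too.
    return target if target.parent == base else None
```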
Recommendations
- Update Software: Ensure all instances of the Iris DFIR platform are updated to the latest patched versions to mitigate the identified vulnerabilities.
- Conduct Security Audits: Regularly perform security audits to identify and address potential vulnerabilities.
- Adopt Secure Coding Practices: Implement secure coding practices to prevent similar vulnerabilities in future developments.
- Monitor Systems: Continuously monitor systems for signs of exploitation, especially in areas related to template handling and file uploads.
- Training: Provide security training for developers and administrators to raise awareness of potential threats and secure coding techniques.
- Use Sandboxed Environments: Utilize sandboxed environments for executing potentially unsafe code to limit the impact of any exploitation.
The vulnerabilities CVE-2024-25624 and CVE-2024-34060 present significant security threats to the Iris DFIR platform, enabling remote code execution and full server control. While patches have been implemented to address these issues, it is critical for organizations to update their systems, adopt secure coding practices, and remain vigilant in monitoring for potential exploits. Secure development and proactive security measures are essential to mitigate risks associated with open-source software.
Read the full technical report here.