RCE Vulnerability (CVE-2024-39943) Found in HTTP File Server

Bar Refael

July 8, 2024

A critical vulnerability has been identified in HFS (HTTP File Server), a popular file-sharing software used to send and receive files over HTTP. The vulnerability, tracked as CVE-2024-39943, poses a significant threat to systems running versions of HFS before 0.52.10 on Linux, UNIX, and macOS. With a CVSS score of 9.9, this flaw allows remote authenticated users with upload permissions to execute operating system commands.

Vulnerability Details

  • CVE-2024-39943
    • Type: Remote Code Execution (RCE)
    • Description: Flaw in the way HFS handles the execution of the df command using execSync instead of spawnSync in the Node.js child_process.
    • Impact: Allows remote authenticated users with upload permissions to execute arbitrary commands on the host system.

Technical Analysis

  • Root Cause: The vulnerability is due to HFS using execSync for executing the df command, which allows for remote command execution.
  • Exploitation: An attacker with upload permissions can exploit this flaw to execute arbitrary operating system commands, potentially gaining full control over the affected system.

Affected Versions

  • Impacted Versions: HFS versions before 0.52.10 on Linux, UNIX, and macOS.
  • Secure Version: HFS version 0.52.10 and later.

Mitigation and Recommendations

  1. Immediate Update:
    • Action Required: Update HFS to version 0.52.10 or later to mitigate the risk of exploitation.
    • Download Link: HFS 0.52.10
  2. Interim Measures:
    • Restrict Upload Permissions: Limit upload permissions to trusted users only.
    • Monitor Network Traffic: Look for unusual activity that may indicate exploitation attempts.
    • Additional Security Controls: Implement firewalls and intrusion detection systems to protect against unauthorized access.

Recent Exploit Activity

  • Active Exploitation: Threat actors have been actively exploiting a similar critical vulnerability (CVE-2024-23692) in older versions of Rejetto’s HTTP File Server (HFS), particularly version 2.3m, to deliver malware and cryptocurrency mining software.
  • Targeted Systems: These attacks have targeted individuals, small teams, and educational institutions, leveraging the flaw to execute unauthorized commands without authentication.

The discovery of CVE-2024-39943 in HFS highlights the critical need for timely software updates and robust security practices. Given the high CVSS score of 9.9, users are strongly urged to update to the latest version of HFS immediately. In the interim, restricting upload permissions and enhancing network monitoring can help mitigate the risk. The ongoing exploitation of similar vulnerabilities further emphasizes the importance of proactive security measures to protect against emerging threats.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Get OP Innovate CTI Alerts

Leave your email and get critical updates and alerts straight to your inbox