Platform
python
Component
iris-evtx-module
Fixed in
1.0.1
CVE-2024-34060 describes an Arbitrary File Access vulnerability within the IRIS EVTX Pipeline Module, a component used for ingesting Microsoft EVTX log files. This flaw allows attackers to potentially write arbitrary files, which, when combined with a Server-Side Template Injection (SSTI), could lead to remote code execution. The vulnerability impacts versions of the module prior to 1.0.0, and a patch has been released in version 1.0.0.
The core of this vulnerability lies in the unsafe handling of filenames during EVTX file uploads through the iris-evtx-module pipeline. An attacker can craft a malicious EVTX file with a specially designed filename that, when processed by the module, allows them to write arbitrary files to the server's filesystem. On its own this is an arbitrary file write, not a direct RCE. However, the ability to write files opens the door to Server-Side Template Injection (SSTI): if an attacker can place attacker-controlled content where the template engine used by the IRIS web application will load it, they could then execute arbitrary commands on the server and gain complete control. The blast radius extends to any data accessible by the IRIS web application, including sensitive log data and potentially other system resources.
CVE-2024-34060 was publicly disclosed on May 23, 2024. While no public proof-of-concept (PoC) code has been released at the time of this writing, the combination of arbitrary file write and potential SSTI makes it a high-priority vulnerability. Because the IRIS EVTX Pipeline Module sits in the log-ingestion path and routinely receives files from many sources, the attack surface it exposes is correspondingly large. The vulnerability's severity is rated HIGH (CVSS: 8.8), indicating a significant risk. It is not currently listed on the CISA KEV catalog.
Organizations utilizing the IRIS EVTX Pipeline Module for log ingestion, particularly those with internet-facing deployments or those using the module to process logs from untrusted sources, are at significant risk. Legacy configurations of IRIS web applications and environments where input validation is weak are especially vulnerable.
• linux / server:
find /opt/iris/ -name "iris-evtx-module*" -mtime +7 # Check for older versions
journalctl -u iris-web -g "EVTX upload" | grep -i "error" # Look for upload errors
• generic web:
curl -I <IRIS_WEB_ENDPOINT>/evtx_upload.php | grep -i "server" # Check server header for potential information disclosure
Exploit status
EPSS
2.44% (85th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-34060 is to immediately upgrade the IRIS EVTX Pipeline Module to version 1.0.0 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. Restrict the filesystem permissions of the account running the IRIS EVTX Pipeline Module to the minimum it needs for its upload directory. Implement strict server-side filename validation so that uploads whose names contain path separators, traversal sequences or other unexpected characters are rejected before anything is written. Web Application Firewalls (WAFs) configured to detect and block attempts to upload files with unusual or unexpected filenames can also provide a layer of defense. Monitor system logs for unusual file creation or modification activity.
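As an added illustration of the server-side filename validation recommended above (example code written for this page, not code from the iris-evtx-module project; the upload directory path is an assumption):

```python
import re
from pathlib import Path

# Assumed location of the EVTX upload directory (not taken from the project).
UPLOAD_DIR = Path("/opt/iris/uploads/evtx")

# Allow-list: conservative character set, sane length, .evtx extension only.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.evtx$", re.IGNORECASE)


class UnsafeFilename(ValueError):
    """Raised when a client-supplied upload filename fails validation."""


def safe_evtx_destination(filename: str, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Return the path an upload may be written to, or raise UnsafeFilename.

    The client-supplied name is never trusted: separators and NUL bytes are
    rejected outright (not silently stripped), the name must match the
    allow-list pattern, and the resolved destination is then confirmed to
    sit directly inside upload_dir as defense in depth.
    """
    if "\x00" in filename:
        raise UnsafeFilename("NUL byte in filename")
    if "/" in filename or "\\" in filename:
        raise UnsafeFilename("path separator in filename")
    if filename in (".", "..") or not _SAFE_NAME.match(filename):
        raise UnsafeFilename("filename does not match allowed pattern")
    base = upload_dir.resolve()
    dest = (base / filename).resolve()
    # Containment check: the parent of the resolved path must be the upload dir.
    if dest.parent != base:
        raise UnsafeFilename("destination escapes upload directory")
    return dest


def is_safe_evtx_filename(filename: str) -> bool:
    """Boolean form of the check, convenient inside an upload handler."""
    try:
        safe_evtx_destination(filename)
        return True
    except UnsafeFilename:
        return False
```

An upload handler should call `safe_evtx_destination` and write only to the returned path, never to a path built from the original client string.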
Update the iris-evtx-module module to version 1.0.0 or later. This fixes the arbitrary file write vulnerability. You can update the module using the Python package manager, pip, by running the command: `pip install --upgrade iris-evtx-module`.
CVE-2024-34060 is a HIGH severity vulnerability in the IRIS EVTX Pipeline Module allowing attackers to potentially write arbitrary files, leading to remote code execution via SSTI.
You are affected if you are using IRIS EVTX Pipeline Module versions prior to 1.0.0. Immediate action is required to mitigate the risk.
Upgrade the IRIS EVTX Pipeline Module to version 1.0.0 or later. If immediate upgrade is not possible, implement temporary workarounds like input validation and WAF rules.
While no active exploitation campaigns have been publicly reported, the vulnerability's potential for remote code execution warrants immediate attention and mitigation.
Refer to the official IRIS advisory for detailed information and updates regarding CVE-2024-34060: [https://www.irisbg.com/security-advisory-cve-2024-34060](https://www.irisbg.com/security-advisory-cve-2024-34060)