Platform
python
Component
iris-evtx-module
Fixed in
1.0.1
CVE-2024-34060 describes an Arbitrary File Access vulnerability within the IRIS EVTX Pipeline Module, a component used for ingesting Microsoft EVTX log files. This flaw allows attackers to potentially write arbitrary files, which, when combined with Server-Side Template Injection (SSTI), could lead to remote code execution. The vulnerability impacts versions of the module prior to 1.0.0, and a patch has been released.
The core of this vulnerability lies in the unsafe handling of filenames during EVTX file uploads through the iris-evtx-module pipeline. An attacker can craft a malicious EVTX file with a specially crafted filename that, when processed by the module, allows them to write arbitrary files to the server's filesystem. This file write capability, when coupled with SSTI, provides a pathway to remote code execution. Successful exploitation could allow an attacker to gain control of the underlying server, potentially leading to data breaches, system compromise, and further lateral movement within the network. The impact is amplified if the IRIS web application is exposed to the internet or if the server hosts sensitive data.
This vulnerability was publicly disclosed on 2024-05-23. While no active exploitation campaigns have been publicly reported as of this writing, the combination of an Arbitrary File Access vulnerability and potential SSTI makes it a high-priority concern. The availability of the patch suggests that the vendor is aware of the risk and is actively addressing it. It is recommended to monitor security advisories and threat intelligence feeds for any indications of exploitation.
Exploit Status
EPSS
2.44% (85% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-34060 is to immediately upgrade the IRIS EVTX Pipeline Module to version 1.0.0 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. These may include strict input validation on filenames during EVTX uploads, restricting file upload locations, and implementing Web Application Firewall (WAF) rules to block suspicious filenames or upload patterns. Regularly review and update your IRIS web application configuration to minimize the attack surface. After upgrading, confirm the fix by attempting to upload a test EVTX file with a potentially malicious filename and verifying that the file is not written to an unintended location.
Actualice el módulo iris-evtx-module a la versión 1.0.0 o superior. Esto corrige la vulnerabilidad de escritura arbitraria de archivos. Puede actualizar el módulo utilizando el gestor de paquetes de Python, pip, ejecutando el comando: `pip install --upgrade iris-evtx-module`.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-34060 is a HIGH severity vulnerability in the IRIS EVTX Pipeline Module allowing attackers to potentially write arbitrary files, leading to remote code execution via SSTI.
You are affected if you are using IRIS EVTX Pipeline Module versions prior to 1.0.0. Immediate action is required to mitigate the risk.
Upgrade the IRIS EVTX Pipeline Module to version 1.0.0 or later. If immediate upgrade is not possible, implement temporary workarounds like input validation and WAF rules.
While no active exploitation campaigns have been publicly reported, the vulnerability's potential for remote code execution warrants immediate attention and mitigation.
Refer to the official IRIS advisory for detailed information and updates regarding CVE-2024-34060: [https://www.irisbg.com/security-advisory-cve-2024-34060](https://www.irisbg.com/security-advisory-cve-2024-34060)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.