[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2024-27348: RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Thu Jul 18 08:33:37 PDT 2024


Good morning,

The SOC Services team is reporting on the vulnerability: CVE-2024-27348: RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server. Due to its high visibility and knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On April 1, 2024, Apache released HugeGraph 1.3.0 to fix a vulnerability (CVE-2024-27348) that allowed remote threat actors to execute arbitrary commands in the Graph Traversal Language. On June 1, 2024, a security researcher published a Proof-of-Concept (PoC) exploit for CVE-2024-27348. The vulnerability is currently assigned a CVSS score of 9.8.

The following products are affected:

  *   Versions prior to 1.3.0 (Java8 & Java11)

Fixed versions:

  *   Version 1.3.0 (Java 11, with the Auth system enabled)

The patch for the vulnerability can be found here: https://github.com/apache/incubator-hugegraph/commit/713d88d1fd9953c3c3e3f130389501910ba40e1d

Intelligence: As of July 17, 2024, some sources claim the vulnerability is being exploited in the wild, but exploitation has not yet been confirmed by CISA. Proof-of-concept code has been publicly available since early June 2024, putting older versions at high risk.

Workarounds: No workarounds are available for this vulnerability.

How it works: The vulnerability exploits a weakness in the Gremlin graph traversal language API that allows threat actors to bypass sandbox restrictions and compromise server integrity. Exploitation of CVE-2024-27348 is possible due to insufficient reflection filtering within HugeSecurityManager, which enables unauthorized access to and manipulation of system processes.

Post-Exploit: Upon successful exploitation of the vulnerability, a threat actor could execute code remotely.

As of July 18, 2024, Tenable has released one plugin for the vulnerability. Currently it is only available in Tenable Web Application Scanning (WAS); the Tenable platform had not been updated as of this morning.

Plugin ID   Plugin Name                                               Severity   Platform
114381      Apache Hugegraph 1.0.0 < 1.3.0 Remote Command Execution   Critical   Tenable Web Application Scanning Only
            <https://www.tenable.com/plugins/was/114381>

Recommended Actions:

  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
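To support the first two actions above (confirming which hosts still run a version prior to 1.3.0 before patching), the following Python script is an added example and is not part of this advisory or of the HugeGraph project. It assumes that each HugeGraph-Server host returns a JSON document of the form {"versions": {"core": "1.2.0", ...}} (the shape of its GET /versions endpoint); the three sample responses are constructed inline so the script runs offline, and the hypothetical host names are placeholders. It parses the version numerically rather than as a string, so a release such as 1.10.0 is not mistaken for a vulnerable one, and it reports hosts whose response cannot be parsed as "unknown" so they are reviewed rather than silently skipped.

```python
"""Version triage helper for CVE-2024-27348 (Apache HugeGraph-Server).

Constructed example: not part of the advisory or the HugeGraph project.
Assumes HugeGraph-Server answers with JSON shaped like
{"versions": {"core": "1.2.0", ...}} (the shape of its GET /versions
endpoint). The sample payloads below are constructed so the script runs
offline; replace them with real responses from your inventory.
"""
import json
import re
from typing import Optional, Tuple

# First release the advisory lists as fixed.
FIXED_VERSION = (1, 3, 0)

# Accepts "1.2.0", "v1.3.0", "1.3.0-SNAPSHOT" and the older four-part
# "0.12.0.0" style; only the first three components are compared.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn a version string into a (major, minor, patch) tuple.
    Returns None when the string carries no recognisable version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True for releases before 1.3.0, False for 1.3.0 and later,
    None when the version cannot be parsed (treat as needs-review)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def triage(payload: str) -> dict:
    """Classify one host's response body. Returns the core version seen
    and a status of 'vulnerable', 'fixed' or 'unknown'."""
    try:
        doc = json.loads(payload)
        core = doc["versions"]["core"]
    except (ValueError, KeyError, TypeError):
        # Not JSON, or not the expected shape: needs a human look.
        return {"core": None, "status": "unknown"}
    verdict = is_vulnerable(str(core))
    status = {True: "vulnerable", False: "fixed", None: "unknown"}[verdict]
    return {"core": str(core), "status": status}


# Constructed sample responses standing in for three inventory hosts
# (hypothetical host names; the bodies are not real captures).
SAMPLES = {
    "graph-a": '{"versions": {"version": "v1", "core": "1.2.0", '
               '"gremlin": "1.2.0", "api": "0.69.0"}}',
    "graph-b": '{"versions": {"version": "v1", "core": "1.3.0", '
               '"gremlin": "1.3.0", "api": "0.71.0"}}',
    "graph-c": '<html>login required</html>',  # auth wall or not HugeGraph
}


def triage_all(samples=SAMPLES) -> dict:
    """Run triage over every sampled host and return host -> result."""
    return {host: triage(body) for host, body in samples.items()}


if __name__ == "__main__":
    for host, result in triage_all().items():
        print(f"{host}: core={result['core']} -> {result['status']}")
```

A "fixed" verdict only covers the version requirement; the advisory also lists Java 11 and an enabled Auth system as part of the fixed configuration, which this script does not check.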

Will Mauschbaugh
Security Operations Center Analyst
Enterprise Information Services
Cyber Security Services (CSS)
Cell: (971) 304-5956
"Ensuring accessible, reliable and secure state technology systems that equitably serve Oregonians."