{"id":1280,"date":"2024-12-17T20:28:57","date_gmt":"2024-12-17T20:28:57","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1280"},"modified":"2024-12-17T20:28:57","modified_gmt":"2024-12-17T20:28:57","slug":"attackers-exploit-zero-day-rce-flaw-in-cleo-managed-file-transfer","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1280","title":{"rendered":"Attackers exploit zero-day RCE flaw in Cleo managed file transfer"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers have warned about in-the-wild attacks that exploit a remote code execution vulnerability in managed file transfer (MFT) solutions developed by enterprise software vendor Cleo Communications. The impacted products include the latest versions of Cleo LexiCom, Cleo VLTrader and Cleo Harmony, with experts advising users to temporarily disconnect these systems from the internet until a patch is available.<\/p>\n<p>The first company to report the attacks was managed EDR firm Huntress, which detected the exploits in some of its customers\u2019 systems. The affected systems used an older version of Cleo software that is vulnerable to a flaw patched in October, but the Huntress researchers determined that the patch is insufficient and even up-to-date product versions are vulnerable.<\/p>\n<p>\u201cFrom our telemetry, we\u2019ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC,\u201d the Huntress team<a href=\"https:\/\/www.huntress.com\/blog\/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild\"> said in its report<\/a>. 
\u201cAfter some initial analysis, however, we have found evidence of exploitation as early as December 3.\u201d<\/p>\n<p>Researchers from vulnerability management firm <a href=\"https:\/\/www.rapid7.com\/blog\/post\/2024\/12\/10\/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623\/\">Rapid7 confirmed Huntress\u2019 findings<\/a> and are also investigating signs of successful exploitation in some of its customers\u2019 environments. Attackers are leveraging the flaw to write malicious files in specific locations on the server which then get automatically executed by the software.<\/p>\n<h2 class=\"wp-block-heading\">An inefficient patch or a new flaw<\/h2>\n<p>On 24 October, Cleo published <a href=\"https:\/\/support.cleo.com\/hc\/en-us\/articles\/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623\">a security advisory<\/a> about an unrestricted file upload and download vulnerability tracked as CVE-2024-50623 that could be used to achieve remote code execution. The vendor advised users to upgrade Harmony, VLTrader and LexiCom to version 5.8.0.21 to mitigate the flaw.<\/p>\n<p>However, according to Huntress, the patch does not address all attack paths and can still be exploited on version 5.8.0.21. The researchers created a proof-of-concept exploit that they\u2019ve shared with Cleo which confirmed the issue and is working on a new patch and updated versions. According to an updated <a href=\"https:\/\/support.cleo.com\/hc\/en-us\/articles\/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956\">advisory<\/a>, the new vulnerability is now tracked as CVE-2024-55956 and was fixed for all impacted products in version 5.8.0.24, released on Dec. 
11.<\/p>\n<p>\u201cPromptly upon discovering the vulnerability, Cleo launched an investigation with the assistance of outside cybersecurity experts, notified customers of the issue and provided instructions on immediate actions customers should take to address the vulnerability,\u201d a Cleo spokesperson told CSO via email. \u201cCleo\u2019s investigation is ongoing. Customers are encouraged to check Cleo\u2019s security bulletin webpage regularly for updates.\u201d<\/p>\n<p>Upon further investigation, researchers from Rapid7 believe CVE-2024-55956 is a separate vulnerability and not a bypass of the patch for CVE-2024-50623, as originally believed and reported by Huntress. The new flaw is an unauthenticated file write vulnerability, while the older one is an authenticated file read and write flaw that requires credentials to exploit.<\/p>\n<p>\u201cThe two vulnerabilities are not chained together to achieve RCE; CVE-2024-55956 can be exploited by itself to achieve unauthenticated RCE,\u201d Stephen Fewer, principal security researcher at Rapid7, told CSO via email. \u201cCVE-2024-55956 does occur in a similar part of the product code base as the CVE-2024-50623 and is reachable via the same endpoint in the target. However, the exploitation strategy differs greatly between the two vulnerabilities.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Abusing the autorun feature<\/h2>\n<p>Huntress believes one of the exploits uses the file upload vulnerability to drop a file called healthchecktemplate.txt in a subdirectory called autorun under the application\u2019s folder. 
Files present in the folder are automatically processed by the Cleo applications.<\/p>\n<p>Upon inspection, this rogue file invokes the native Import function of the Cleo software to process another file dropped in the temp folder on disk and called LexiCom6836057879780436035.tmp (name might vary between exploits).<\/p>\n<p>Despite its .tmp extension, this file is actually a ZIP archive that contains a subdirectory called hosts with a file called mail.xml. The .xml file acts as a configuration file for what appears to be a feature to create a new mailbox connection in the Cleo software. When imported, this file will execute commands stored in its &lt;Commands&gt; declaration, in this case a malicious PowerShell command.<\/p>\n<p>\u201cThis process reaches out to an external IP address to retrieve new JAR files for continued post-exploitation,\u201d the researchers said. \u201cThese JAR files contain webshell-like functionality for persistence on the endpoint. We observed attackers later deleting these JAR files post-execution in order to prolong their attacks and stay relatively stealthy.\u201d <\/p>\n<p>The researchers noted that some files had already been deleted by the attackers before they could be recovered for analysis, but a log file called LexiCom.dbg will contain traces about the autorun files that have been executed. The attackers were also seen performing Active Directory reconnaissance by using nltest.exe, a command-line tool present on Windows Servers and used to enumerate domain controllers.<\/p>\n<p>Researchers from security firm Arctic Wolf Networks managed to recover the Java payloads, which consist of a Java loader and a Java backdoor <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/cleopatras-shadow-a-mass-exploitation-campaign\/\">the researchers dubbed Cleopatra<\/a>. 
The backdoor has support for both Windows and Linux and seems designed to specifically access data stored within the Cleo MFT products.<\/p>\n<p>The backdoor plugs into Cleo functionality and implements nine classes, each serving a different purpose. One class executes shell commands and allows attackers to open a reverse shell. Three other classes implement in-memory storage and on-disk file operations such as reading, writing, and archiving.<\/p>\n<p>The attackers used the backdoor to execute various shell commands to understand the system and network and to find other machines to potentially pivot to.<\/p>\n<h2 class=\"wp-block-heading\">Mitigate by isolating servers<\/h2>\n<p>One possible mitigation until a patch is available is to disable the Autorun directory feature in the Cleo software configuration. According to Huntress, this can be done by going to the \u201cConfigure\u201d menu of the software, selecting \u201cOptions\u201d and navigating to the \u201cOther\u201d pane where the contents of the \u201cAutorun Directory\u201d field should be removed.<\/p>\n<p>However, this will not prevent the exploitation of the arbitrary file upload vulnerability, so the best approach, according to Rapid7, is to isolate servers with the affected software from the internet or put a firewall in front of them.<\/p>\n<p>Security teams should also investigate their Cleo servers for traces of this exploit by inspecting the log file or looking for the presence of a main.xml or a 60282967-dc91-40ef-a34c-38e992509c2c.xml file with embedded PowerShell commands.<\/p>\n<p>This latest attack against Cleo products highlights that enterprise managed file transfer (MFT) solutions continue to be an attractive target for attackers. 
<a href=\"https:\/\/www.csoonline.com\/article\/3509281\/top-10-ransomware-groups-to-watch.html\">Ransomware groups<\/a> have previously exploited vulnerabilities in Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, Fortra\/Linoma GoAnywhere MFT servers in early 2023 and MOVEit Transfer deployments in May 2023.<\/p>\n<p><em>Originally published on Dec. 10, this article has been updated with newly released research and comment from Cleo and Rapid7.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers have warned about in-the-wild attacks that exploit a remote code execution vulnerability in managed file transfer (MFT) solutions developed by enterprise software vendor Cleo Communications. The impacted products include the latest versions of Cleo LexiCom, Cleo VLTrader and Cleo Harmony, with experts advising users to temporarily disconnect these systems from the internet until a patch [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1163,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1280","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1280"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1280"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1280\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1163"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}