WARNING: CRITICAL PRE-AUTHENTICATION HEAP OVERFLOW VULNERABILITY IN XLIGHT FTP SERVERS, PATCH IMMEDIATELY!

Published : 29/10/2024

Reference:
Advisory #2024-252

Version:
1.0

Affected software:
Xlight 32 and 64-bit versions = 3.9.4.2

Type:
Pre-Authentication heap overflow vulnerability

CVE/CVSS:
CVE-2024-46483: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Github - https://github.com/kn32/cve-2024-46483

Risks

CVE-2024-46483 is a critical vulnerability affecting Xlight SFTP servers, a popular Windows-based FTP and SFTP solution designed for secure, high-performance file transfer.

The vulnerability allows an unauthenticated attacker with network access to the Xlight SFTP service to achieve code execution or cause a denial of service. It therefore impacts all three components of the CIA triad: confidentiality, integrity and availability. A PoC is already available on GitHub. Please update your systems immediately.

Description

The vulnerability stems from a heap overflow in Xlight's SFTP protocol implementation. When handling client-sent strings, Xlight does not adequately validate the string length, which leads to an integer overflow. An attacker can therefore send crafted packets that trigger an excessive memory copy operation, overwriting data beyond the allocated buffer.

The impact varies by the Xlight version:

  • 32-bit Versions: Attackers can overwrite critical heap data structures, potentially achieving code execution.
  • 64-bit Versions: Code execution is less likely on 64-bit systems, but the vulnerability can still cause crashes, leading to a denial of service.
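As an added illustration, not Xlight's code or the published PoC, the following bounds-checked reader for the SFTP string type shows the validation the description above says is missing: the client-supplied length is compared against the bytes actually present in the packet before anything is allocated or copied. The sample packets are constructed, and the exact arithmetic inside Xlight is not known from this advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

enum { SFTP_OK = 0, SFTP_ERR_TRUNCATED = -1, SFTP_ERR_NOMEM = -2 };

/* Read a big-endian uint32; caller guarantees 4 bytes are available. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one SFTP "string" (uint32 length followed by that many bytes) at
 * offset *pos of a pkt_len-byte packet into a fresh NUL-terminated heap
 * buffer. The length is attacker-controlled: it is checked against the
 * bytes actually remaining BEFORE any allocation or copy, so a value such
 * as 0xFFFFFFFF can neither wrap a "len + 1" allocation size nor drive an
 * oversized memcpy past the heap buffer (the bug class described above;
 * the exact arithmetic in Xlight is an assumption, not taken from the advisory). */
int sftp_read_string(const uint8_t *pkt, size_t pkt_len, size_t *pos,
                     char **out, size_t *out_len) {
    *out = NULL; *out_len = 0;
    if (*pos > pkt_len || pkt_len - *pos < 4) return SFTP_ERR_TRUNCATED;
    uint32_t len = be32(pkt + *pos);
    size_t body = *pos + 4;                 /* cannot overflow: <= pkt_len */
    if ((size_t)len > pkt_len - body) return SFTP_ERR_TRUNCATED;
    /* len <= pkt_len - body < SIZE_MAX, so len + 1 cannot wrap here. */
    char *buf = malloc((size_t)len + 1);
    if (!buf) return SFTP_ERR_NOMEM;
    memcpy(buf, pkt + body, len);
    buf[len] = '\0';
    *pos = body + len; *out = buf; *out_len = len;
    return SFTP_OK;
}

/* Constructed sample packets: a well-formed 5-byte string and one that
 * claims 0xFFFFFFFF bytes while carrying a single byte. Returns the
 * reader's result code so the outcome can be checked without output. */
int parse_sample(int crafted) {
    static const uint8_t good[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    static const uint8_t bad[]  = {0xff, 0xff, 0xff, 0xff, 'A'};
    const uint8_t *pkt = crafted ? bad : good;
    size_t n = crafted ? sizeof bad : sizeof good, pos = 0, out_len = 0;
    char *s = NULL;
    int rc = sftp_read_string(pkt, n, &pos, &s, &out_len);
    free(s);
    return rc;
}
```

The crafted packet is rejected as truncated before any allocation; a reader that trusted the claimed length for its copy size is the pattern the advisory describes.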

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

SecurityOnline - https://securityonline.info/cve-2024-46483-cvss-9-8-xlight-ftp-server-flaw-leaves-users-exposed-to-remote-attacks-poc-published/