Caught in the Cleo Crossfire: Navigating the CVE-2024-50623 Vulnerability
Dec 13,2024
The recent disclosure of CVE-2024-50623—a critical vulnerability in Cleo’s Harmony, VLTrader, and LexiCom products—raises significant concerns across industries that rely on these solutions for secure data integration. Even fully patched systems running versions 5.8.0.21 have been exploited, with over 10 different organizations compromised. Cleo has released a new patch (5.8.0.24) to address the issue.
To provide a comprehensive understanding of the issue and its broader implications, let’s delve into the details.
Prevalence and Use Cases for Cleo Solutions
Cleo’s integration solutions are widely adopted across various industries such as manufacturing, logistics, distribution, food, and retail. With over 4,100 customers, Cleo products enable critical operations like supply chain automation, real-time data exchange, inventory management, and e-commerce transactions. This widespread use amplifies the risks posed by vulnerabilities in these products.
Nature and Impact of the Vulnerability
CVE-2024-50623 is an unrestricted file upload and download vulnerability that can lead to remote code execution, allowing attackers to upload malicious files or download sensitive data without authorization. Alarmingly, even patched versions (up to 5.8.0.24) have shown vulnerabilities, underscoring the importance of layered defenses and proactive mitigations. Published on October 27, 2024, this CVE is still awaiting analysis in the National Vulnerability Database (NVD). A CVSS score has not yet been assigned, making it more challenging for organizations to quantify the risk, though the active exploitation of even fully patched systems indicates a high level of urgency.
Cleo offers cloud-based, on-premises, and hybrid deployment options for its products. The vulnerability affects all deployment models of Harmony, VLTrader, and LexiCom versions prior to 5.8.0.21. However, even patches until 5.8.0.24 are considered to be incomplete and exploitable. Organizations using these products, regardless of deployment type, are at risk and should take immediate action to mitigate potential threats.
Researchers have already published a proof of concept for the exploit. Additionally, vendors like Huntress have released demo videos showcasing the exploit. Organizations like Huntress and Rapid7 have identified several organizations with post-exploitation activities. Targeted companies include those in retail & consumer products, food industry, and trucking. Therefore, it’s critical that users act on this vulnerability as soon as possible.
Indicators of Compromise (IoCs)
Huntress has identified specific IP addresses being used in active exploitation of this vulnerability, providing a critical resource for organizations to detect potential compromise. Cross-referencing network traffic logs with these IoCs is essential for identifying suspicious activity. Organizations should also monitor for anomalies such as unexpected file uploads or downloads, unauthorized access attempts, and deviations in system logs that could indicate exploitation. Additionally, Food and Agriculture ISAC is sharing intelligence with its member organizations to aid in defense against this vulnerability. Leveraging these collaborative resources can significantly enhance detection capabilities and mitigate the risks associated with CVE-2024-50623.
Recommended Actions
The original issue affected all versions of the software prior to 5.8.0.21, and the initial patch still left the product vulnerable to exploitation. The recommended actions can be broken down into remediations and mitigations. Apply remediations where feasible to eliminate impact. When remediations require more time and testing, implement mitigation strategies to minimize risk.
- Immediate Upgrade: Upgrade to version 5.8.0.24 or later, but remain vigilant in case vulnerabilities persist. Test upgrades in a controlled environment and apply mitigation strategies to secure systems during implementation.
- Prioritize: Conduct an end-to-end attack-chain analysis to identify the internet-facing at risk of exploitation and that provide a pathway to deeper infiltration and data loss.
- Enhanced Monitoring: Implement robust monitoring to detect suspicious activities related to file operations. Set up network monitoring rules to detect the aforementioned callbacks to malicious IPs identified by Huntress in their blog.
- Access Controls: Review and strengthen access controls to limit unauthorized interactions with the system. Review firewalls and access policies to limit system accessibility to only trusted sources.
- Incident Response Preparedness: Ensure that incident response teams are ready to act swiftly in case of a detected breach.
- Join an ISAC: Ensure you are participating in the relevant ISAC for your organization and learn the best practices that may be relevant to your industry. Here are links to Food & Agriculture ISAC, Manufacturing ISAC, Retail & Hospitality ISAC, and Surface Transportation ISAC.
Conclusion
CVE-2024-50623 remains a critical and ongoing threat to organizations using Cleo’s integration solutions. Applying patches, implementing mitigations, and leveraging industry collaboration through ISACs are vital steps to staying ahead of this evolving threat. Special thanks to Huntress for providing critical insights and actionable guidance to defend against this vulnerability. For further details, refer to Huntress’s comprehensive blog post and Cleo’s official Product Security Advisory.
Note: This analysis is based on currently available information. Organizations should stay informed through official channels for updates regarding this vulnerability.