Executive Summary

    On December 10th, software vendor Cleo published an advisory detailing a critical vulnerability (now assigned CVE-2024-55956) in its Harmony, VLTrader, and LexiCom products which allows an unauthenticated attacker to upload malicious files and abuse a system autorun feature to achieve remote code execution (RCE). These products are B2B data transfer systems, which organizations must deploy as internet facing by design. As a result, successful exploitation of this vulnerability gives threat actors initial access into affected organizations’ networks to facilitate further compromise. Several sources are reporting that this vulnerability is currently under active exploitation by threat actor groups.

    Cleo had released software patches when the vulnerability was initially reported as CVE-2024-50623; however, analysis from security firm Huntress revealed the patches were ineffective, and fully updated systems were still being actively exploited. Cleo has since made a new patch available and has provided mitigation steps, including disabling the AutoRun feature within the software, which is the feature actively being exploited. Please find more details in the “Mitigations / Workarounds” section of this article.

    Beazley Security strongly recommends organizations immediately apply patches for affected Cleo products as there is active and ongoing exploitation of this issue.

    Affected Systems or Products

    This vulnerability affects Cleo products Harmony, VLTrader, and LexiCom. Official patches have been released and are detailed below.

    Software          Affected Versions            Unaffected Versions
    Cleo Harmony      prior to version 5.8.0.24    5.8.0.24
    Cleo VLTrader     prior to version 5.8.0.24    5.8.0.24
    Cleo LexiCom      prior to version 5.8.0.24    5.8.0.24

    Mitigations / Workarounds

    Cleo has advised customers to immediately upgrade impacted versions of Harmony, VLTrader, and LexiCom to version 5.8.0.24.

    Beazley Security Labs recommends affected organizations install the patch immediately as this vulnerability is actively being exploited by threat actors. Affected organizations should, at the very least, disable the AutoRun feature on their Harmony, VLTrader, and LexiCom systems until the patch can be installed.

    Huntress has detailed a workaround that disables the autorun feature to prevent arbitrary execution in Cleo software; however, this does not fix the underlying file-write vulnerability. The patch is the only way to fully mitigate the attack. Steps to disable the arbitrary execution are:

    1. Go to the “configure” menu of LexiCom, Harmony, or VLTrader
    2. Select “Options”
    3. Navigate to the “Other” pane
    4. Delete the contents of the “Autorun Directory” field

    In summary, organizations should verify the integrity of these products and apply security patches directly from Cleo. See the “Indicators of Compromise” section for guidance on artifacts to look for when reviewing systems for possible compromise.

    Patches

    Cleo has provided this link with instructions on how to apply available patches. The patch updates Harmony, VLTrader, and LexiCom to version 5.8.0.24, which reportedly fixes the vulnerability.

    Patch notes indicate the fix “addresses a critical vulnerability which exploits the ability for unrestricted file upload, download, and execution” of malicious content in the product. After applying the patch, errors are logged for files found at startup that are related to the exploit. The patch notes also state that any such files discovered will be removed.

    Indicators of Compromise

    Huntress has provided observed IoCs on its blog, including the following callback IP addresses:

    • 176.123.5.126

    • 5.149.249.226

    • 185.181.230.103

    • 209.127.12.38

    • 181.214.147.164

    • 192.119.99.42

    Additionally, the primary use of the arbitrary file upload bug was to upload malicious scripts into the autorun directory. Affected organizations should review activity logs for that directory for suspicious activity.
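    One practical way to use the callback addresses above is to sweep firewall or proxy logs for them. The script below is an added example, not part of the Huntress or Beazley Security material; the log lines are constructed. It matches addresses as whole tokens, because a naive substring search for 5.149.249.226 would also fire on an unrelated host such as 15.149.249.226.

```python
"""Added example: sweep log lines for the Huntress-reported callback IPs,
matching whole IPv4 tokens only. The sample log lines are constructed."""
import re
from typing import List, Tuple

# Callback IP addresses from the Huntress IoC list quoted above.
CALLBACK_IPS = {
    "176.123.5.126",
    "5.149.249.226",
    "185.181.230.103",
    "209.127.12.38",
    "181.214.147.164",
    "192.119.99.42",
}

# A dotted quad that is not preceded by a digit (or digit+dot) and not
# followed by an optional dot plus digit, so "15.149.249.226" cannot be
# read as containing "5.149.249.226", while a sentence-ending period is fine.
IPV4_RE = re.compile(r"(?<!\d)(?<!\d\.)(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)")


def extract_ips(line: str) -> List[str]:
    """Return every whole IPv4-looking token in the line (octet ranges are
    not validated; the IoC set comparison does the real filtering)."""
    return IPV4_RE.findall(line)


def find_callbacks(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, matched IoC, line) for each line containing one
    of the callback addresses as a whole token."""
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, start=1):
        for ip in extract_ips(line):
            if ip in CALLBACK_IPS:
                hits.append((number, ip, line))
    return hits


# Constructed firewall-style log lines; the internal addresses are made up.
SAMPLE_LOG = [
    "2024-12-10T03:14:07Z fw allow src=10.20.30.40 dst=176.123.5.126 dport=443 proto=tcp",
    "2024-12-10T03:14:09Z fw allow src=10.20.30.40 dst=15.149.249.226 dport=443 proto=tcp",
    "2024-12-10T03:15:22Z fw allow src=10.20.30.41 dst=5.149.249.226 dport=443 proto=tcp",
    "2024-12-10T03:16:00Z fw allow src=10.20.30.42 dst=93.184.216.34 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for number, ip, line in find_callbacks(SAMPLE_LOG):
        print(f"line {number}: callback IoC {ip}: {line}")
```

    Any hit from a Cleo host is worth treating as a likely compromise rather than a coincidence, since these products normally only talk to trading partners you already know.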

    Technical Details

    The vulnerability chain that appears to be the root of the problem (CVE-2024-50623 and CVE-2024-55956) includes arbitrary file upload and download vulnerabilities that also lead to Bash or PowerShell commands being run on host systems by leveraging default autorun settings. According to analysis done by Huntress, threat actors were abusing this chain to gain initial access to a victim’s network.

    On a successful upload, the autorun system would automatically execute the malicious scripts, then delete those scripts after execution. This autorun system was the primary feature abused by the threat actor in follow-up actions and was seen being used to upload further scripts and to install and execute malicious Java programs that performed reconnaissance on internal networks.

    Kill Chain

    Figure 1: Kill Chain

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

    Appendix

    Article updated December 16th, 2024 to include newly assigned CVE-2024-55956 for this vulnerability and patch information