Full Report
Researchers spot in-the-wild exploits of Samsung MagicInfo despite recent patch
Analysis Summary
This summary covers the vulnerability affecting Samsung MagicInfo Server as described in the referenced article. The article notes possible confusion between a known, patched vulnerability (CVE-2024-7399) and a potentially new issue that is being actively exploited; the two are distinguished below wherever the article allows.
# Vulnerability: Unauthenticated Remote Code Execution in Samsung MagicInfo Server
## CVE Details
* **CVE ID:** No CVE is given for the presumed new exploit. The article references **CVE-2024-7399**, a previously disclosed and patched flaw, as the issue the current threat may be related to or confused with.
* **CVSS Score:** Not provided in the text. Assessment pending specific CVE assignment.
* **CWE:** Not stated in the article. The described outcome (an unauthenticated upload that places a web shell in the served application tree) corresponds most closely to **CWE-434: Unrestricted Upload of File with Dangerous Type**, possibly combined with **CWE-22 (Path Traversal)** if the attacker also controls where the file is written; CWE-94 (Code Injection) describes the effect rather than the underlying weakness.
## Affected Systems
* **Products:** Samsung MagicInfo Server
* **Versions:** MagicInfo 9 Server **21.1050.0**, which the article identifies as the latest release at the time of writing and reports as still affected by the new issue. Earlier releases should be assumed affected as well.
* **Configurations:** Internet-exposed instances are at highest risk, since exploitation requires no authentication; internal instances remain exploitable from any network that can reach the management web interface.
## Vulnerability Description
The flaw, which researchers suspect is related to or a variant of CVE-2024-7399, allows an **unauthenticated attacker to upload a web shell and achieve Remote Code Execution (RCE)**. Uploaded code runs with the privileges of the Apache Tomcat process that hosts the MagicInfo management web application, so the attacker inherits whatever file-system and network access that service account has (on many deployments this is a highly privileged account). The article reports that when the finding was submitted, Samsung appears to have treated it as a duplicate of the already patched CVE-2024-7399.
## Exploitation
* **Status:** Actively exploited; researchers report exploitation attempts in the wild. A proof-of-concept (PoC) exploit for the related/new flaw has been published by SSD Disclosure, which lowers the bar for further attackers.
* **Complexity:** Likely **Low**, since an unauthenticated request is sufficient to upload a web shell.
* **Attack Vector:** **Network** (Remote exploitation).
## Impact
* **Confidentiality:** Likely **High** (Web shell allows data exfiltration).
* **Integrity:** Likely **High** (Remote Code Execution allows system modification).
* **Availability:** Likely **High** (RCE can lead to system takeover or denial of service).
## Remediation
### Patches
* The article advises applying the latest patches from Samsung that address the originally documented vulnerability (CVE-2024-7399), while noting it is unclear whether that fix covers the newly exploited variant. Because the affected version named in the article (21.1050.0) is the current release, a build that closes the new vector may not yet exist. *Action required: check Samsung's product security advisories for a release later than 21.1050.0 that explicitly addresses the unauthenticated upload/RCE vector, and verify the installed version after updating rather than assuming the update applied.*
### Workarounds
* **Isolate from the internet:** Administrators are **urged to air gap their Samsung MagicInfo 9 Server systems from the internet** while exploitation is ongoing. Where full isolation is not feasible, restrict reachability of the management web interface to trusted networks (VPN or firewall allow-lists) and treat any instance that was internet-reachable as potentially compromised until it has been inspected.
## Detection
* **Indicators of Compromise:** Unexpected JSP/JSPX files or other executable content inside the MagicInfo web application directories under Tomcat's webapps tree, files created there outside maintenance windows and owned by the Tomcat service account, and remote access tools or persistence mechanisms installed in the Tomcat process's user context.
* **Detection Methods and Tools:** Review Tomcat access logs for unauthenticated POST requests to upload endpoints followed shortly afterwards by requests for newly appearing `.jsp` resources from the same client; alert on unusual child processes of the Tomcat JVM (for example `cmd.exe`, `powershell.exe` or `sh`), which is the typical execution pattern of a web shell; and monitor outbound connections from the server for command-and-control activity. Web application firewalls (WAFs) can block known upload payloads as a stopgap, but should not be relied on in place of isolation and patching.
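The two file-based checks above (a web shell appearing in the webroot, and a POST followed by a request for a new `.jsp`) can be scripted. The following Python script is an added example, not code from the article, from Samsung, or from the researchers: the webapps path, the `/MagicInfo/upload` endpoint, the `cmd.jsp` name and the log lines are constructed sample data, not real indicators, and the log format is Tomcat's standard "combined" AccessLogValve pattern.

```python
"""Web-shell hunting on a Tomcat-hosted MagicInfo deployment.

Added example, not code from the article or from Samsung. It does two things:
  1. lists JSP/JSPX files under the webapps tree that are absent from a
     known-good manifest (a file written to the webroot is the classic
     web-shell indicator), and
  2. walks Tomcat access-log lines (standard "combined" format) for a POST
     from some client followed, within a short window, by a request from the
     same client for a .jsp path that is not part of the shipped application.
All paths, the upload endpoint and the log lines below are constructed
sample data, not real indicators taken from the article.
"""
import re
from datetime import datetime
from pathlib import Path

# Tomcat AccessLogValve "combined"-style line (fields after size are ignored).
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a client POSTs to a hypothetical upload endpoint, then
# immediately requests a JSP that is not part of the shipped application.
SAMPLE_LOG = """\
203.0.113.5 - - [06/May/2025:10:14:02 +0000] "GET /MagicInfo/ HTTP/1.1" 200 5123
203.0.113.5 - - [06/May/2025:10:14:09 +0000] "POST /MagicInfo/upload HTTP/1.1" 200 12
203.0.113.5 - - [06/May/2025:10:14:11 +0000] "GET /MagicInfo/cmd.jsp?c=whoami HTTP/1.1" 200 97
198.51.100.7 - - [06/May/2025:10:20:00 +0000] "GET /MagicInfo/login.jsp HTTP/1.1" 200 4201
"""
# JSP URL paths that legitimately belong to the deployed app (assumed set).
KNOWN_JSP = {"/MagicInfo/login.jsp"}


def parse_access_log(lines):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def unexpected_jsp_paths(rel_paths, baseline):
    """Return JSP/JSPX paths (relative to webapps) that are not in the baseline."""
    return sorted(
        p for p in rel_paths
        if p.lower().endswith((".jsp", ".jspx")) and p not in baseline
    )


def scan_webapps(webapps_root, baseline):
    """Filesystem wrapper: walk a real Tomcat webapps directory."""
    root = Path(webapps_root)
    rel = (p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return unexpected_jsp_paths(rel, baseline)


def suspicious_sequences(records, known_jsp, window_seconds=300):
    """Flag (ip, jsp_path, status) where a client's POST is followed within
    window_seconds by its own request for a .jsp path outside the known set."""
    last_post = {}  # client ip -> timestamp of its most recent POST
    hits = []
    for r in sorted(records, key=lambda r: r["ts"]):
        path = r["path"].split("?", 1)[0]  # drop the query string
        if r["method"] == "POST":
            last_post[r["ip"]] = r["ts"]
            continue
        if path.lower().endswith((".jsp", ".jspx")) and path not in known_jsp:
            t = last_post.get(r["ip"])
            if t is not None and (r["ts"] - t).total_seconds() <= window_seconds:
                hits.append((r["ip"], path, r["status"]))
    return hits


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG.splitlines())
    for ip, path, status in suspicious_sequences(recs, KNOWN_JSP):
        print(f"possible web shell: {ip} -> {path} (HTTP {status})")
    # On a real host, point scan_webapps at the Tomcat webapps directory
    # (location is installation-specific) with a manifest taken from a clean install.
```

The baseline manifest should come from a clean install of the same MagicInfo build, not from the suspect host, otherwise an already-planted shell is baked into "known good". The log correlation is deliberately loose (any POST, any new JSP) because the exact upload endpoint is not stated in the article; tighten `window_seconds` and the endpoint filter once the vendor or researchers publish the request details.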
## References
* Vendor advisories: not linked in the article; consult Samsung's product security bulletins for MagicInfo Server.
* Relevant links (defanged):
  * ssd-disclosure.com/ssd-advisory-samsung-magicinfo-unauthenticated
  * infosecurity-newspaper-com/news/threat-actors-exploit-samsung/