Full Report
A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023, was not officially made available until August 2024 with the release of version r1720. As of November 26, 2024,
Analysis Summary
# Vulnerability: Critical Improper Authorization Leading to RCE in ProjectSend
## CVE Details
- CVE ID: CVE-2024-11680
- CVSS Score: 9.8 (Critical)
- CWE: Improper Access Control (Inferred from description "improper authorization check")
## Affected Systems
- Products: ProjectSend (Open-source file-sharing application)
- Versions: Prior to r1720 (r1605 is specifically cited as vulnerable)
- Configurations: Any public-facing ProjectSend server.
## Vulnerability Description
The vulnerability is an improper authorization check which allows an unauthenticated attacker to perform sensitive administrative actions. These actions include enabling user registration, auto-validation, and modifying the whitelist of allowed file extensions. By controlling the allowed file extensions, an attacker can upload and execute arbitrary PHP code on the server hosting the application, leading to Remote Code Execution (RCE).
## Exploitation
- Status: Under Active Exploitation in the Wild (Observed since September 2024)
- Complexity: Not explicitly stated; the availability of public PoCs suggests low-to-medium complexity for achieving RCE in some scenarios.
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential for full system compromise leading to data exfiltration)
- Integrity: High (Arbitrary code execution allows for modification/destruction of data and system state)
- Availability: High (System can be taken down or leveraged for further attacks)
## Remediation
### Patches
- Update to **ProjectSend version r1720** or later (the fix was committed in May 2023 but not released until August 2024).
### Workarounds
- Restrict network access to public-facing ProjectSend instances where immediate patching is not possible (e.g., using firewalls or WAFs to block unusual traffic patterns associated with exploitation).
- If possible, temporarily disable the public-facing features the exploit abuses (user registration and file-extension/upload settings), although this greatly limits functionality.
## Detection
- **Indicators of Compromise (IOCs):** Evidence of user registration being enabled, auto-validation being switched on, or the file-extension whitelist being modified without an administrator having done so; attempts to upload PHP files through the application; web shells being dropped or executed on the server.
- **Detection Methods and Tools:** Use network and application monitoring to flag administrative requests or configuration changes to the ProjectSend application that do not correspond to a legitimate admin session. Vulnerability scanners with published checks (e.g., the Nuclei template and Metasploit module listed under References) can be used to confirm whether an instance is still vulnerable.
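The advisory names three configuration changes an attacker makes before uploading PHP (registration on, auto-validation on, executable extensions whitelisted). The following is an added defender-side example, not code from the advisory or the ProjectSend project: it audits a settings snapshot for exactly that post-exploitation state. The option names, the "0"/"1" encoding and the comma-separated whitelist format are assumptions; map them to however your instance stores its options.

```python
# Added example (not part of the advisory or of ProjectSend): audit a ProjectSend
# settings snapshot for the tampering described in CVE-2024-11680 reports.
# Option names, value encoding and the whitelist format are assumptions.

# Extensions that common Apache/PHP setups hand to the PHP interpreter.
PHP_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Hardened baseline: registration and auto-validation off (assumed option names).
EXPECTED = {"clients_can_register": "0", "clients_auto_approve": "0"}


def normalise_extensions(value):
    """Turn a whitelist such as 'jpg, PNG ,.pdf' into {'jpg', 'png', 'pdf'}."""
    return {tok.strip().lower().lstrip(".") for tok in value.split(",") if tok.strip()}


def audit_settings(options):
    """Return (option, finding) pairs for settings matching the attacker's changes.

    `options` is a dict of option name -> string value, e.g. loaded from the
    instance's options table or exported from the admin UI.
    """
    findings = []
    for name, expected in EXPECTED.items():
        actual = options.get(name, expected)
        if actual != expected:
            findings.append((name, f"expected {expected!r}, found {actual!r}"))
    allowed = normalise_extensions(options.get("allowed_file_types", ""))
    executable = sorted(allowed & PHP_EXECUTABLE)
    if executable:
        findings.append(("allowed_file_types",
                         f"server-executable extensions whitelisted: {executable}"))
    return findings


# Constructed snapshots: one clean instance, one resembling a compromised one.
SAMPLE_CLEAN = {"clients_can_register": "0", "clients_auto_approve": "0",
                "allowed_file_types": "jpg,png,pdf,docx"}
SAMPLE_TAMPERED = {"clients_can_register": "1", "clients_auto_approve": "1",
                   "allowed_file_types": "jpg,png,pdf, PHP ,.phtml"}

if __name__ == "__main__":
    for label, snapshot in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(label, audit_settings(snapshot))
```

Run it on a periodic schedule against the live settings and alert on any non-empty result; a finding with no matching admin change ticket is worth treating as a potential compromise indicator.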
## References
- Vendor Advisory/Patch Commit: hXXps://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744
- Vendor Release: hXXps://github.com/projectsend/projectsend/releases/tag/r1720
- Exploit Template (Nuclei): hXXps://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml
- Exploit Module (Metasploit): hXXps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb
- Research Advisory: hXXps://vulncheck.com/blog/projectsend-exploited-itw