Full Report
Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. [...]
Analysis Summary
# Vulnerability: Samsung MagicINFO 9 Server Unauthenticated Remote Code Execution (RCE)
## CVE Details
- CVE ID: CVE-2024-7399
- CVSS Score: Not explicitly given, but described as RCE allowing arbitrary file upload as system authority.
- CWE: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal), leading to arbitrary file write.
## Affected Systems
- Products: Samsung MagicINFO 9 Server
- Versions: Prior to version 21.1050.
- Configurations: Requires access to the server's file upload functionality intended for content updates.
## Vulnerability Description
The vulnerability is an Improper Limitation of a Pathname issue (Path Traversal) within the file upload functionality of the Samsung MagicINFO 9 Server. This flaw allows unauthenticated attackers to write arbitrary files with system authority onto the server. Specifically, an attacker can upload a malicious `.jsp` file via an unauthenticated POST request, leveraging path traversal to place it in a web-accessible directory. Once uploaded, the attacker can execute arbitrary OS commands by accessing the uploaded file via a `cmd` parameter, viewing the output in the browser.
## Exploitation
- Status: **Actively exploited in the wild**
- Complexity: Low (Achievable via unauthenticated network request)
- Attack Vector: Network
## Impact
- Confidentiality: High (Arbitrary command execution could lead to data exfiltration)
- Integrity: High (Arbitrary code execution and arbitrary file writing)
- Availability: High (Can lead to system compromise or denial of service)
## Remediation
### Patches
- Upgrade Samsung MagicINFO Server to version **21.1050 or later**.
### Workarounds
- No specific workarounds were detailed, but immediate patching is strongly recommended due to active exploitation. Limiting network access to the file update functionality may serve as a temporary measure if patching is delayed.
## Detection
- **Indicators of Compromise (IoCs):** Unauthenticated POST requests to the file upload endpoints, especially ones attempting to upload `.jsp` files, followed by requests for those uploaded files that carry command execution parameters (e.g., `?cmd=...`). Reports indicate Mirai botnet variants are leveraging this flaw.
- **Detection Methods and Tools:** Web application firewalls (WAFs) or network monitoring systems should look for suspicious file uploads to the server and unexpected remote command execution attempts against the server's web interface.
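The detection guidance above, turned into a log scanner as an added example (not code from the original report or from Samsung): it flags path-traversal sequences in request targets, requests for `.jsp` resources carrying a `cmd` parameter, and the combination of a client's earlier POST with a later `.jsp?cmd=` request. The log lines, the `/EXAMPLE/upload` route, addresses and timestamps are constructed placeholders, since the report does not name the real endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format. The route "/EXAMPLE/upload"
# and all addresses/timestamps are placeholders; the report does not name the
# real MagicINFO upload endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [06/May/2025:10:01:02 +0000] "POST /EXAMPLE/upload HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [06/May/2025:10:01:03 +0000] "GET /EXAMPLE/../dropped.jsp?cmd=whoami HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [06/May/2025:10:02:00 +0000] "GET /EXAMPLE/login.htm HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [06/May/2025:10:03:11 +0000] "GET /EXAMPLE/%2e%2e/%2e%2e/conf/x.txt HTTP/1.1" 404 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # "../" or "..\" after decoding

def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Per-request signals: traversal sequences and .jsp hits with a cmd parameter."""
    reasons = []
    target = unquote(unquote(entry["target"]))  # also undo double URL encoding
    parts = urlsplit(target)
    if TRAVERSAL_RE.search(target):
        reasons.append("path_traversal")
    if parts.path.lower().endswith(".jsp") and "cmd" in parse_qs(parts.query):
        reasons.append("jsp_cmd_param")
    return reasons

def scan(log_text):
    """Return (ip, target, reasons) for suspicious requests, correlating a client's
    earlier POST (possible upload) with its later .jsp?cmd= request."""
    findings = []
    posted = set()  # clients that issued any POST earlier in the log
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if entry["method"] == "POST":
            posted.add(entry["ip"])
        elif "jsp_cmd_param" in reasons and entry["ip"] in posted:
            reasons.append("post_then_jsp_exec")
        if reasons:
            findings.append((entry["ip"], entry["target"], reasons))
    return findings
```

Access logs only show the request line, so a `.jsp` filename smuggled in a multipart body is not visible here; the upload itself must be caught by a WAF or application log, while the follow-up `cmd` requests are reliably visible.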
## References
- Vendor Advisory: http://security.samsungtv.com/securityUpdates (Fix disclosed August 2024)
- Exploit Details: https://ssd-disclosure.com/ssd-advisory-samsung-magicinfo-unauthenticated-rce/
- Active Exploitation Report: https://www.bleepingcomputer.com/news/security/samsung-magicinfo-9-server-rce-flaw-now-exploited-in-attacks/