Last updated at Fri, 17 Jan 2025 21:56:09 GMT

Clarity in Cleo Exploitation

Last month, Huntress reported that several Cleo products were being attacked in the wild, including Harmony, VLTrader, and LexiCom. Cleo announced CVE-2024-50623 and that these issues were patched in 5.8.0.21, but Huntress reported the vulnerability was still in those patched versions. Cleo later announced a new vulnerability, CVE-2024-55956, and released patches for it as well.
Rapid7 has released a top-level CVE-2024-55956 analysis covering the issues and an in-depth CVE-2024-55956 technical analysis that found the new vulnerability was patched in version 5.8.0.24 of the three affected products. The Metasploit Framework release this week contains a module for the CVE-2024-55956 vulnerability. If you run Cleo Harmony, VLTrader, or LexiCom, please make sure you are updated to version 5.8.0.24 as soon as possible; patches are available from the vendor.

New module content (3)

Pandora FMS authenticated command injection leading to RCE via LDAP using default DB password

Authors: Askar mhaskar and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #19738 contributed by h00die-gr3y
Path: linux/http/pandora_fms_auth_rce_cve_2024_11320
AttackerKB reference: CVE-2024-11320

Description: This adds an exploit module for a command injection vulnerability (CVE-2024-11320) in the LDAP authentication mechanism of Pandora FMS.

Ubuntu needrestart Privilege Escalation

Authors: h00die, makuga01, and qualys
Type: Exploit
Pull request: #19676 contributed by h00die
Path: linux/local/ubuntu_needrestart_lpe
AttackerKB reference: CVE-2024-48990

Description: This adds a post module which exploits needrestart versions before 3.8 on Ubuntu. It allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.

Cleo LexiCom, VLTrader, and Harmony Unauthenticated Remote Code Execution

Authors: remmons-r7 and sfewer-r7
Type: Exploit
Pull request: #19793 contributed by sfewer-r7
Path: multi/http/cleo_rce_cve_2024_55956
AttackerKB reference: CVE-2024-55956

Description: Adds an exploit module for CVE-2024-55956, an unauthenticated file write vulnerability affecting Cleo LexiCom, VLTrader, and Harmony versions 5.8.0.23 and below.

Enhancements and features (2)

  • #19734 from h00die - Adds Arch Linux compatibility to the runc_cwd_priv_esc local privilege escalation module.
  • #19752 from h00die - This enhancement adds checks for the presence of pprof for Prometheus. It can detect potential denial-of-service or information leakage associated with the pprof package.

Bugs fixed (1)

  • #19800 from zeroSteiner - Fixes an exception, raised when a custom DNS resolver is used, that was preventing SRV records from resolving correctly.

Documentation added (2)

  • #19723 from cgranleese-r7 - Add documentation on how to test payload changes when opening pull requests.
  • #19794 from jheysel-r7 - Adds documentation clarifying what a passive stance module is and how to declare a module passive.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.
