Directory Traversal Remote Code Execution Vulnerability in iXsystems TrueNAS CORE
CVE-2024-11944

8.8HIGH

Key Information:

Vendor:
iXsystems

CVE Published:
30 December 2024

Badges: Exploit Exists, News Worthy

What is CVE-2024-11944?

CVE-2024-11944 is a directory traversal vulnerability leading to remote code execution in iXsystems TrueNAS CORE, a widely used open-source storage operating system. It allows a network-adjacent attacker to execute arbitrary code on a vulnerable installation without authenticating first. Because TrueNAS CORE typically sits at the centre of an organisation's data infrastructure, a successful exploit gives the attacker a position from which to read or alter stored data and disrupt the storage service itself.

Technical Details

The flaw is in code that calls Python's tarfile.extractall on an archive supplied by the user without validating the paths of the archive's members before they are used in file operations. A tar member name is an arbitrary string chosen by whoever built the archive, so a name containing ".." components or an absolute path causes the extraction to write outside the intended destination directory. An attacker who can get such a crafted archive to the affected component can therefore place files at locations of their choosing on the appliance, and since the extraction runs with root privileges, the result is code execution in the context of root.
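The check that is missing in the vulnerable pattern, as an added example that is not TrueNAS code and does not reproduce the actual exploit: a constructed tar archive carries one member named "../../escaped.txt" and one symlink whose target is "/etc/passwd"; a validator resolves every member (and link target) against the destination and refuses to extract if any of them lands outside it, then extracts with Python's "data" filter where the interpreter provides one. All archive contents, paths and function names here are the example's own assumptions.

```python
import io
import os
import tarfile
import tempfile


def build_archive(files, symlinks=None):
    """Build an in-memory tar from {name: bytes} plus {name: link_target}.
    Constructed sample data for the example; tarfile writes member names verbatim,
    so '..' and absolute names survive into the archive exactly as an attacker wants."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


def resolves_outside(dest, name):
    """True if writing `name` under `dest` would land outside `dest`.
    os.path.join discards `dest` when `name` is absolute, and realpath collapses '..',
    so both traversal styles are caught by one containment test."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) != dest_real


def traversal_members(archive_bytes, dest):
    """Return the names of members that would escape `dest` on extraction.
    Symlink targets are relative to the member's own directory; hard link targets
    are relative to the archive root, so the two are resolved differently."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if resolves_outside(dest, m.name):
                bad.append(m.name)
            elif m.issym() and resolves_outside(
                dest, os.path.join(os.path.dirname(m.name), m.linkname)
            ):
                bad.append(m.name)
            elif m.islnk() and resolves_outside(dest, m.linkname):
                bad.append(m.name)
    return bad


def safe_extract(archive_bytes, dest):
    """Hardened replacement for a bare tar.extractall(dest): validate first, then
    use the standard library's 'data' filter when this Python version has it
    (3.12+ and the security backports that added tarfile.data_filter)."""
    bad = traversal_members(archive_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract: members escape {dest}: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def demo():
    """Run the validator over a malicious and a benign archive in a scratch directory.
    Returns (offending members, malicious archive rejected?, benign archive extracted?)."""
    malicious = build_archive(
        {"../../escaped.txt": b"owned\n"}, {"link_to_passwd": "/etc/passwd"}
    )
    benign = build_archive({"config/settings.conf": b"ok\n"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        os.makedirs(dest)
        bad = traversal_members(malicious, dest)
        try:
            safe_extract(malicious, dest)
            rejected = False
        except ValueError:
            rejected = True
        safe_extract(benign, dest)
        extracted = os.path.isfile(os.path.join(dest, "config", "settings.conf"))
    return bad, rejected, extracted


if __name__ == "__main__":
    print(demo())
```

The containment test is deliberately done on the resolved path rather than by string-matching for "..", because a name such as "a/../../x" or an absolute name would pass a naive substring check. Passing filter="data" alone is sufficient on interpreters that have it; the explicit pre-check is what protects older Python builds, where extractall still trusts member names completely.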

Potential Impact of CVE-2024-11944

  1. Remote Code Execution: The most serious consequence is that an attacker can run code of their choosing as root on the appliance, giving them full control of the storage system.

  2. Data Compromise: With root on the storage system, the attacker can read, alter or delete any data it holds, including datasets and shares that are otherwise access-controlled.

  3. Operational Disruption: The same access allows destructive actions such as data corruption or service outages, affecting the reliability and availability of storage that other systems depend on.

News Articles

TrueNAS CORE Vulnerability Let Attackers Execute Remote Code

A critical vulnerability in TrueNAS CORE, a widely-used open-source storage operating system developed by iXsystems.

CVSS V3.1

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Exploit known to exist
  • First article discovered by GBHackers News
  • Vulnerability published (30 December 2024)