
New SIGMA-rule CVE-2024-23692  



Our security analyst in the SamurAI Security Operation Center (SOC) shared a Sigma rule to detect successful exploitation of a new vulnerability in Rejetto HTTP File Server (HFS) with a CVSS score of 9.8/10. Find out more about the discovery in this blog post.

A critical vulnerability has been identified in Rejetto HTTP File Server (HFS), tracked as CVE-2024-23692, with a CVSS score of 9.8/10. This vulnerability was discovered by researcher Arseniy Sharoglazov. It allows a remote unauthenticated attacker to execute code with the same privileges as the user account running the HFS process. Sharoglazov explained in his blog post that he successfully exploited this flaw in HFS version 2.3m, the latest stable release. 

Just one week after the CVE-2024-23692 vulnerability was identified, another researcher, Stephen Fewer, published a Metasploit module. The Metasploit Framework is a comprehensive open-source tool used for developing, testing, and executing exploits against remote targets. A Metasploit module is a specific piece of code within this framework designed to exploit a particular vulnerability, in this case, CVE-2024-23692. The release of this Metasploit module poses a significant threat, as it enables anyone with access to the Metasploit Framework to exploit the vulnerability. 

Our research based on OSINT sources indicates that over 4,000 hosts worldwide are running vulnerable HFS versions. Furthermore, the exploit is readily available for anyone to use by simply downloading the Metasploit Framework. This widespread usage poses a significant threat. It is recommended to stop using HFS version 2.x, as it is no longer supported by the maintainer, and to upgrade to version 3.x for improved security. 

Our security analyst in the SamurAI SOC took proactive measures by deploying HFS version 2.4.0 RC6 in our malware testing and analysis environment, known as “mallab”, to assess the vulnerability and fortify our detection engineering capabilities. Through rigorous testing, we identified that successful exploitation triggers the spawning of cmd.exe under the HFS process, particularly when attackers leverage the Metasploit Framework.

Based on our extensive research, our security analyst in the SamurAI SOC developed a streamlined Sigma rule aimed at detecting successful exploitation. This Sigma rule is now available on our GitHub repository. By monitoring instances where “hfs.exe” spawns child processes located in “C:\Windows\SysWOW64”, the rule effectively detects both successful exploitations via Metasploit and crafted malicious HTTP requests.
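The parent/child condition described above can be checked against process-creation telemetry as in the following added example, which is not the SamurAI rule or code from the original post. It assumes events carry `Image`, `ParentImage` and `CommandLine` fields as in Sysmon Event ID 1 and the Sigma process_creation taxonomy; the sample events are constructed.

```python
import ntpath

# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
# All paths and command lines are made up for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Tools\hfs.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"c:\windows\syswow64\CMD.EXE",          # case variation
     "ParentImage": r"D:\share\HFS.EXE",
     "CommandLine": "cmd.exe /c dir"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",          # different parent
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"Image": r"C:\Program Files\Viewer\viewer.exe",   # child outside SysWOW64
     "ParentImage": r"C:\Tools\hfs.exe",
     "CommandLine": "viewer.exe report.txt"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",          # parent name only ends in hfs.exe
     "ParentImage": r"C:\Tools\nothfs.exe",
     "CommandLine": "cmd.exe"},
]

CHILD_PREFIX = "c:\\windows\\syswow64\\"


def is_hfs_child_in_syswow64(event):
    """True when hfs.exe is the parent and the child image is under SysWOW64."""
    parent = event.get("ParentImage") or ""
    image = event.get("Image") or ""
    # Match the parent's file name exactly so 'nothfs.exe' is not a hit.
    parent_name = ntpath.basename(parent).lower()
    # Normalise the child path (collapses '..' segments and mixed separators)
    # and compare case-insensitively, as Windows paths are.
    child_path = ntpath.normpath(image).lower()
    return parent_name == "hfs.exe" and child_path.startswith(CHILD_PREFIX)


def detect(events):
    """Return the events that match the detection logic."""
    return [e for e in events if is_hfs_child_in_syswow64(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"], "|", hit["CommandLine"])
```

Matching on the parent's file name alone means a renamed HFS binary would not be caught, so the binary's original file name or hash is worth checking as well where the telemetry provides it.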
