CVE-2024-39943 (CVSS 9.9): Critical Vulnerability in HTTP File Server Exposes Systems to RCE
A critical vulnerability has been identified in HFS (HTTP File Server), a popular file-sharing software used to send and receive files over HTTP. The vulnerability, tracked as CVE-2024-39943, poses a significant threat to systems running versions of HFS before 0.52.10 on Linux, UNIX, and macOS. With a CVSS score of 9.9, this flaw allows remote authenticated users with upload permissions to execute operating system commands.
The core of the issue lies in the way HFS handles the execution of the df command. By using execSync instead of spawnSync in the Node.js child_process, HFS inadvertently opens the door for remote command execution. This means that an attacker with the appropriate permissions can exploit this flaw to execute arbitrary commands on the host system.
Security researcher Charmin Doge has been credited with identifying and reporting this critical flaw.
To mitigate the risk posed by CVE-2024-39943, users of HFS are strongly advised to update their software to version 0.52.10 or later. For those who cannot immediately update, the following interim measures are recommended:
- Restrict upload permissions to trusted users only.
- Monitor network traffic for unusual activity that may indicate exploitation attempts.
- Implement additional security controls such as firewalls and intrusion detection systems to protect against unauthorized access.
Recently, threat actors have actively exploited a critical vulnerability (CVE-2024-23692) in older versions of Rejetto’s HTTP File Server (HFS), particularly version 2.3m, to deliver malware and cryptocurrency mining software. AhnLab Security Intelligence Center (ASEC) has detected these ongoing attacks, which leverage the flaw to execute unauthorized commands without authentication. This widespread HFS version remains popular among individuals, small teams, and educational institutions for file-sharing purposes, making them prime targets for exploitation.
