Cybereason Blog | Cybersecurity News and Analysis

CVE-2024-55956: Zero-Day Vulnerability in Cleo Software Could Lead to Data Theft

Written by Cybereason Consulting Team | Dec 17, 2024 6:18:17 PM

Key Takeaways

  • A zero-day vulnerability, tracked as CVE-2024-55956, was discovered in three Cleo products: Harmony, VLTrader, and LexiCom
  • Cleo develops managed file transfer platforms and has approximately 4,000 customers, mostly mid-sized organizations
  • CVE-2024-55956 could allow an unauthenticated user to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory
  • The threat actor group CL0P has claimed responsibility for exploiting the vulnerability, with data theft as the goal
  • We recommend upgrading to version 5.8.0.24 immediately

Background

A zero-day vulnerability, tracked as CVE-2024-55956, was recently discovered in three of Cleo’s managed file transfer platforms: Cleo Harmony, VLTrader, and LexiCom. It affects versions of these products prior to 5.8.0.24. If exploited, CVE-2024-55956 could allow an unauthenticated user to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

Managed file transfer platforms such as Cleo Harmony, VLTrader, and LexiCom are used by organizations to securely exchange files with business partners and customers, which makes them a high-value target for threat actors. According to its website, Cleo has approximately 4,000 customers of varying sizes across industries including manufacturing, retail, healthcare, and logistics. Cleo Harmony offers the most comprehensive feature set and targets enterprise clients, VLTrader targets mid-sized organizations, and LexiCom works primarily as a desktop-based client for interacting with major trading networks.

The threat actor CL0P has claimed responsibility for the zero-day activity involving CVE-2024-55956. Initial forensic evidence indicates that exploitation began in early December 2024.

The threat actor’s ultimate goal and initial observed activity are consistent with data theft. System compromise for lateral movement, or establishing a foothold for a future pivot, may be possible depending on the victim’s network layout and internal design, but this is not consistent with CL0P’s activities observed to date. Follow-on threat actors may build upon the CVE, including against systems that remain unpatched, for future exploitation.

In related activity, a previously disclosed vulnerability in Cleo managed file transfer products, tracked as CVE-2024-50623, was discovered and patched in version 5.8.0.21 in October, but that patch was found to be partially ineffective. CVE-2024-50623 could allow unrestricted file upload and download, which could lead to remote code execution (RCE).

CVE Details

The information captured here is a moment-in-time snapshot and is subject to change as the activity associated with these CVEs continues to be analyzed and additional forensic data is reviewed.

Recommendations for CVE-2024-55956

  • Upgrade to version 5.8.0.24
  • Admins who cannot immediately upgrade are advised to disable the Autorun feature by clearing the Autorun directory setting in System Options, which reduces the attack surface.
  • Remove affected products from the public internet and place them behind a firewall wherever possible.
  • Conduct a forensic investigation to determine whether a compromise took place, whether malware was left behind, and whether data exfiltration occurred.
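The first two recommendations and the forensic check can be scripted on each host. The following is an added example written for this post, not Cleo or Cybereason tooling. It assumes the caller supplies a product version string and the path of the Autorun directory (it makes no assumption about where a real install keeps that directory; the demo fixture builds a temporary one), compares the version numerically against 5.8.0.24, and reports whether Autorun is still armed and whether any of the file names from the IOC table below are sitting in it.

```python
"""Pre-patch audit for a Cleo Harmony, VLTrader or LexiCom host.

Added example, not Cleo or Cybereason code. Checks the two conditions the
recommendations above turn on: is the installed build at or above 5.8.0.24,
and does the Autorun directory still contain anything (the interim
mitigation is to empty it). The Autorun path is supplied by the caller; the
fixture at the bottom is a constructed temporary directory for offline runs.
"""
import os
import re
import tempfile

PATCHED_VERSION = "5.8.0.24"

# File names from the IOC table of this advisory. Their presence in Autorun
# is a compromise indicator, not merely an unpatched-but-idle host.
IOC_AUTORUN_NAMES = {
    "healthcheck.txt",
    "healthchecktemplate.txt",
    "60282967-dc91-40ef-a34c-38e992509c2c.xml",
}


def parse_version(text):
    """Pull the first dotted version out of text: '5.8.0.24' -> (5, 8, 0, 24).
    Integer tuples compare correctly; a string compare would rank '5.8.0.3'
    above '5.8.0.24' and call an unpatched host patched."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in match.group(0).split("."))


def is_patched(version_text, minimum=PATCHED_VERSION):
    """True when version_text is at or above the fixed build."""
    have, need = parse_version(version_text), parse_version(minimum)
    width = max(len(have), len(need))           # pad so 5.8.0 < 5.8.0.24
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def audit_autorun(autorun_dir):
    """List (name, reason) for every file in the Autorun directory. An empty
    list means Autorun is disarmed; an IOC name means investigate, not just patch."""
    findings = []
    if not os.path.isdir(autorun_dir):
        return findings
    for name in sorted(os.listdir(autorun_dir)):
        if name.lower() in IOC_AUTORUN_NAMES:
            findings.append((name, "matches IOC file name from CL0P activity"))
        else:
            findings.append((name, "Autorun still armed; review and clear"))
    return findings


def assess(version_text, autorun_dir):
    """'investigate' (IOC file present, whatever the build), 'patched',
    'mitigated' (old build but empty Autorun), or 'exposed'."""
    findings = audit_autorun(autorun_dir)
    if any(reason.startswith("matches IOC") for _, reason in findings):
        return "investigate"
    if is_patched(version_text):
        return "patched"
    return "exposed" if findings else "mitigated"


def build_demo_autorun(files=("healthcheck.txt",)):
    """Constructed fixture: a temporary Autorun directory holding the given
    (empty) files. Only here so the example runs offline."""
    path = os.path.join(tempfile.mkdtemp(), "autorun")
    os.mkdir(path)
    for name in files:
        open(os.path.join(path, name), "w").close()
    return path


if __name__ == "__main__":
    armed = build_demo_autorun()
    for build in ("5.8.0.21", "5.8.0.24"):
        print(build, assess(build, armed), audit_autorun(armed))
```

Run it with the real version string and Autorun path on each Cleo host; any verdict other than "patched" needs action, and "investigate" means the forensic step above comes before the upgrade, so that evidence is not destroyed by it.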

Indicators of Compromise (IOCs)

Type     Value                                                              Comment
URL      45.182.189[.]102/dpixel                                            Cobalt Strike payload folder
SHA-256  6705eea898ef1155417361fa71b1078b7aaab61e7597d2a080aa38df4ad87b1c   Java Loader
File     healthcheck.txt                                                    Autorun file
File     healthchecktemplate.txt                                            Autorun file
File     60282967-dc91-40ef-a34c-38e992509c2c.xml                           XML file to prepare post-exploitation
IP       45.182.189[.]102                                                   Cobalt Strike Server
IP       216.245.221[.]83                                                   C2
IP       92.51.2[.]221                                                      C2
IP       67.220.94[.]173                                                    C2
IP       184.107.3[.]70                                                     C2
IP       186.162.118[.]133                                                  C2
IP       186.128.224[.]0                                                    C2
IP       186.136.204[.]137                                                  C2
IP       58.180.61[.]138                                                    C2
IP       45.140.145[.]68                                                    C2
IP       6.149.249[.]226                                                    C2
IP       192.119.99[.]42                                                    C2
IP       176.123.4[.]226                                                    C2
IP       80.82.78[.]42                                                      C2
IP       176.125.101[.]115                                                  C2
IP       45.182.189[.]226                                                   C2
IP       185.162.128[.]100                                                  C2
IP       185.162.128[.]219                                                  C2
IP       6.184.168[.]25                                                     C2
IP       181.214.147[.]164                                                  C2
IP       209.127.121[.]38                                                   C2
IP       89.248.172[.]139                                                   C2
IP       5.149.228[.]109                                                    C2
IP       176.123.4[.]146                                                    C2
IP       45.182.189[.]102                                                   C2
IP       176.123.5[.]126                                                    C2
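The indicators above are only useful once they are matched against logs and file inventories. The following is an added example written for this post, not Cybereason tooling: it keeps the IOCs exactly as published (defanged), refangs them at match time, and scans text lines with boundary checks so that a near-miss such as 45.182.189.10 does not hit on 45.182.189[.]102 and a hash prefix does not hit on the full SHA-256. The proxy, firewall and hash-inventory lines at the bottom are constructed for the demo; feed real log lines through scan_lines() instead.

```python
"""IOC matcher for the indicators in the table above.

Added example, not Cybereason tooling. Indicators are stored as published
(defanged) and refanged only when the patterns are compiled. SAMPLE_LINES is
constructed telemetry for running the example offline.
"""
import re

C2_IPS = [
    "45.182.189[.]102", "216.245.221[.]83", "92.51.2[.]221", "67.220.94[.]173",
    "184.107.3[.]70", "186.162.118[.]133", "186.128.224[.]0", "186.136.204[.]137",
    "58.180.61[.]138", "45.140.145[.]68", "6.149.249[.]226", "192.119.99[.]42",
    "176.123.4[.]226", "80.82.78[.]42", "176.125.101[.]115", "45.182.189[.]226",
    "185.162.128[.]100", "185.162.128[.]219", "6.184.168[.]25", "181.214.147[.]164",
    "209.127.121[.]38", "89.248.172[.]139", "5.149.228[.]109", "176.123.4[.]146",
    "176.123.5[.]126",
]
COBALT_STRIKE_IP, COBALT_STRIKE_PATH = "45.182.189[.]102", "/dpixel"
SHA256_IOCS = {
    "6705eea898ef1155417361fa71b1078b7aaab61e7597d2a080aa38df4ad87b1c": "Java Loader",
}
FILE_IOCS = {
    "healthcheck.txt": "Autorun file",
    "healthchecktemplate.txt": "Autorun file",
    "60282967-dc91-40ef-a34c-38e992509c2c.xml": "XML file to prepare post-exploitation",
}


def refang(indicator):
    """'45.182.189[.]102' -> '45.182.189.102'."""
    return indicator.replace("[.]", ".")


# Lookarounds enforce token boundaries: 45.182.189.10 must not match
# 45.182.189.102, and a partial hash must not match the full one.
IP_RE = re.compile(
    r"(?<![\d.])(?:%s)(?![\d.])" % "|".join(re.escape(refang(ip)) for ip in C2_IPS)
)
HASH_RE = re.compile(
    r"(?<![0-9a-f])(?:%s)(?![0-9a-f])" % "|".join(SHA256_IOCS), re.IGNORECASE
)
FILE_RE = re.compile(
    r"(?<![\w.-])(?:%s)(?![\w.-])" % "|".join(re.escape(n) for n in FILE_IOCS),
    re.IGNORECASE,
)


def scan_line(line):
    """Return [(kind, value), ...] for every indicator present in one line."""
    hits = [("ip", m.group(0)) for m in IP_RE.finditer(line)]
    # The Cobalt Strike URL counts only when its IP and path appear together.
    if ("ip", refang(COBALT_STRIKE_IP)) in hits and COBALT_STRIKE_PATH in line:
        hits.append(("url", refang(COBALT_STRIKE_IP) + COBALT_STRIKE_PATH))
    hits += [("sha256", m.group(0).lower()) for m in HASH_RE.finditer(line)]
    hits += [("file", m.group(0).lower()) for m in FILE_RE.finditer(line)]
    return hits


def scan_lines(lines):
    """(line_number, kind, value) for every hit across an iterable of lines."""
    return [(n, kind, value)
            for n, line in enumerate(lines, 1)
            for kind, value in scan_line(line)]


def lines_with_hits(lines):
    """Sorted 1-based line numbers that contain at least one indicator."""
    return sorted({n for n, _, _ in scan_lines(lines)})


# Constructed telemetry: a proxy hit on the Cobalt Strike URL, a firewall
# line with a near-miss IP, a file-hash inventory line, and benign DNS.
SAMPLE_LINES = [
    "2024-12-10T03:14:07Z proxy allow 10.0.5.21 -> 45.182.189.102:80 GET /dpixel",
    "2024-12-10T03:14:09Z fw allow 10.0.5.21 -> 45.182.189.10:443",
    "2024-12-10T03:15:30Z hash autorun/healthcheck.txt "
    "6705EEA898EF1155417361FA71B1078B7AAAB61E7597D2A080AA38DF4AD87B1C",
    "2024-12-10T03:16:00Z fw allow 10.0.5.21 -> 8.8.8.8:53",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```

Because the indicators are refanged in code rather than in the stored list, the table can be copied in verbatim and the list diffed against future updates without anyone pasting live C2 addresses into a ticket or chat.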