CVE-2024-0336 Overview
CVE-2024-0336 is a missing authentication vulnerability [CWE-306] affecting EMTA Grup PDKS, a personnel attendance tracking system. The flaw allows remote attackers to exploit incorrectly configured access control security levels without valid credentials. Affected versions span from V3.04 to releases before 20240603. The vendor was contacted before public disclosure but did not respond, leaving administrators reliant on third-party guidance. The vulnerability carries a CVSS 4.0 base score of 9.4, reflecting network-reachable exploitation and high impact on confidentiality, integrity, and availability of both the vulnerable component and downstream systems.
Critical Impact
Remote attackers can access critical PDKS functions without authentication, compromising attendance records, personnel data, and access control decisions.
Affected Products
- EMTA Grup PDKS from V3.04 before 20240603
- Personnel attendance and access control deployments using vulnerable PDKS builds
- Integrated systems consuming PDKS access decisions or attendance data
Discovery Timeline
- 2024-06-03 - CVE-2024-0336 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-0336
Vulnerability Analysis
The vulnerability stems from missing authentication on critical functions within EMTA Grup PDKS. Attackers reach exposed functionality over the network without supplying credentials or completing an authentication challenge. Once invoked, these functions perform actions that should require an authenticated, authorized session.
Because PDKS handles attendance recording and access control logic, unauthenticated access translates directly into integrity loss across business workflows. Attackers can read sensitive personnel data, alter attendance entries, or manipulate access decisions affecting physical or logical resources. The flaw also produces scope changes, impacting systems that trust PDKS as an authoritative source.
Root Cause
The root cause is an incorrectly configured access control layer that does not enforce authentication on functions classified as critical [CWE-306]. The application exposes endpoints or interfaces that presume a trusted caller without validating identity. This design defect bypasses any session, token, or role check that would normally gate sensitive operations.
Attack Vector
Exploitation requires only network reachability to the PDKS service. An attacker sends crafted requests to the exposed critical functions and receives privileged responses or triggers privileged actions. No prior account, social engineering, or user interaction is required. Internet-exposed instances are immediately at risk, and internal-only deployments remain exposed to insiders and to attackers who have established any foothold on the network.
No verified public exploit code is currently catalogued for this CVE. See the USOM Security Notification TR-24-0600 for advisory details.
Detection Methods for CVE-2024-0336
Indicators of Compromise
- Unauthenticated HTTP or HTTPS requests reaching PDKS administrative or API endpoints from unexpected source addresses
- Attendance records, user records, or access permissions modified outside normal operator workflows or business hours
- Application logs showing successful critical-function invocations without a preceding authentication event
Detection Strategies
- Inspect PDKS web server access logs for direct requests to sensitive paths that bypass login flows
- Correlate database write operations on PDKS tables with authenticated session identifiers to find orphaned changes
- Deploy network detection rules that flag external traffic to PDKS management interfaces
Monitoring Recommendations
- Forward PDKS application, web server, and database audit logs to a centralized analytics platform for retention and correlation
- Alert on configuration changes to user accounts, roles, and access control policies within PDKS
- Monitor for new outbound connections from the PDKS host that could indicate post-exploitation activity
How to Mitigate CVE-2024-0336
Immediate Actions Required
- Restrict network access to PDKS interfaces using firewall rules, VPN access, or IP allowlists until a fixed build is deployed
- Audit PDKS user accounts, role assignments, and recent attendance or access changes for unauthorized modifications
- Place PDKS behind an authenticating reverse proxy that enforces identity before requests reach the application
Patch Information
The vendor advisory references a fixed build identified as 20240603. Administrators should upgrade EMTA Grup PDKS to a release at or after this build. Because the vendor did not respond to the disclosure, confirm patch availability and integrity directly with EMTA Grup and consult the USOM Security Notification TR-24-0600 for current guidance.
Workarounds
- Isolate PDKS on a dedicated management VLAN with strict ingress filtering
- Require client certificate authentication or single sign-on at a reverse proxy in front of PDKS
- Disable or block any PDKS endpoints not required for daily operations to reduce attack surface
# Configuration example: restrict PDKS access at the network edge
# Replace interface, source, and destination with values for your environment
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
