CVE-2024-10035: Bg-tek Coslat RCE Vulnerability

CVE-2024-10035 Overview

CVE-2024-10035 is a command injection vulnerability affecting BG-TEK Informatics Security Technologies CoslatV3 through version 3.1069. The flaw stems from improper neutralization of special elements used in operating system commands, classified under [CWE-77]. Authenticated local attackers can inject arbitrary OS commands and escalate privileges on affected systems. The vendor was contacted regarding this issue and confirmed the product is no longer supported, meaning no official patch will be released. Organizations running CoslatV3 must treat this as a permanent risk requiring compensating controls or product replacement.

Critical Impact

Authenticated local attackers can execute arbitrary OS commands and escalate privileges on CoslatV3 appliances through version 3.1069. No vendor patch will be released because the product is unsupported.

Affected Products

• BG-TEK Informatics Security Technologies CoslatV3 through version 3.1069
• All CoslatV3 deployments running affected firmware
• Product is end-of-life and unsupported by the vendor

Discovery Timeline

• 2024-11-04 - CVE-2024-10035 published to NVD
• 2025-10-14 - Last updated in NVD database

Technical Details for CVE-2024-10035

Vulnerability Analysis

The vulnerability resides in CoslatV3 components that pass user-controlled input to operating system command interpreters without adequate sanitization. An attacker with local access and low privileges can supply specially crafted input containing shell metacharacters such as ;, |, &&, or backticks. The application interprets these characters as command separators, executing attacker-supplied commands in the context of the underlying service. Because the affected service typically runs with elevated permissions on appliance-class devices, successful injection leads to privilege escalation. The vulnerability combines three related weaknesses: Code Injection, Command Injection, and OS Command Injection, all rooted in the same root cause of improper input neutralization.

Root Cause

The root cause is the absence of input validation and command argument sanitization in CoslatV3 functions that construct shell commands from user-supplied data. The code passes concatenated strings directly to system shell invocation primitives rather than using parameterized APIs or strict allowlists.

Attack Vector

Exploitation requires local access to the device with low-privileged authenticated credentials. The attacker submits input through an exposed interface that subsequently invokes a shell command. No user interaction beyond the attacker's own session is required. The vulnerability mechanism is documented in the USOM Security Notification TR-24-1814. Public proof-of-concept code is not currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2024-10035

Indicators of Compromise

• Unexpected child processes spawned by CoslatV3 service accounts, particularly shells such as /bin/sh or /bin/bash
• Outbound network connections from the appliance to unfamiliar destinations following authenticated user activity
• New or modified files in system directories outside normal update windows
• Audit log entries showing privileged operations performed by low-privileged accounts

Detection Strategies

• Monitor process execution on the appliance for shell invocations originating from CoslatV3 web or management daemons
• Inspect application and authentication logs for input strings containing shell metacharacters such as ;, |, &, $(), or backticks
• Compare baseline file integrity hashes against running system state to identify unauthorized modifications
• Correlate authenticated session activity with suspicious command execution patterns

Monitoring Recommendations

• Forward CoslatV3 system and application logs to a centralized SIEM for retention and correlation
• Enable verbose authentication logging to identify the originating account during any suspected exploitation
• Alert on privilege transitions and unexpected use of administrative utilities by service accounts
• Track network egress from the appliance to detect command-and-control traffic following exploitation

How to Mitigate CVE-2024-10035

Immediate Actions Required

• Inventory all CoslatV3 deployments and confirm firmware versions against the affected range through 3.1069
• Restrict local and management access to the appliance to a minimal set of trusted administrators
• Rotate credentials for any account capable of authenticating to CoslatV3 interfaces
• Plan migration to a supported security product, since no vendor patch will be released

Patch Information

No patch is available. The vendor confirmed that CoslatV3 is unsupported and will not receive security updates for this vulnerability. Organizations should treat continued use of CoslatV3 as accepting unmitigated risk and prioritize replacement with a vendor-supported alternative. Refer to the USOM Security Notification TR-24-1814 for the official advisory.

Workarounds

• Place CoslatV3 appliances behind network segmentation that limits administrative access to a dedicated management VLAN
• Disable or remove any unused user accounts and enforce strong, unique credentials for remaining administrators
• Apply strict access control lists on management interfaces to permit only specific source addresses
• Increase monitoring of the appliance with host and network telemetry until the product can be retired

# Configuration example: restrict management access at the network layer
# Example iptables rules on an upstream gateway
iptables -A FORWARD -s 10.10.10.0/24 -d <coslat_ip> -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d <coslat_ip> -p tcp --dport 443 -j DROP
iptables -A FORWARD -d <coslat_ip> -p tcp --dport 22  -j DROP