CVE-2024-11481 Overview
CVE-2024-11481 is a path traversal vulnerability affecting Trellix Enterprise Security Manager (ESM) version 11.6.10. The flaw allows unauthenticated network attackers to access the internal Snowservice API. The vulnerability stems from improper handling of path traversal sequences, insecure forwarding to an Apache JServ Protocol (AJP) backend without adequate validation, and missing authentication on internal API endpoints. Successful exploitation grants attackers access to internal API functionality that should remain inaccessible from external networks. The vulnerability is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Unauthenticated attackers can reach internal Snowservice API endpoints over the network, leading to high integrity impact on Trellix ESM deployments.
Affected Products
- Trellix Enterprise Security Manager (ESM) 11.6.10
- Any ESM 11.6.10 deployment whose web management interface is reachable from untrusted networks, since that interface is the route by which the Snowservice API becomes reachable
- Environments using the bundled front-end to AJP backend forwarding configuration
Discovery Timeline
- 2024-11-29 - CVE-2024-11481 published to the National Vulnerability Database (NVD)
- 2025-10-28 - NVD entry last updated
Technical Details for CVE-2024-11481
Vulnerability Analysis
The vulnerability combines three weaknesses in how Trellix ESM 11.6.10 handles requests destined for the internal Snowservice API. First, the front-end request handler fails to normalize and validate path components, allowing traversal sequences to influence routing decisions. Second, requests are forwarded to an AJP backend without sufficient validation of the resolved path or the request origin. Third, the Snowservice API endpoints accept these forwarded requests without enforcing authentication, treating them as trusted internal traffic.
The combination converts what should be an internal service interface into a network-reachable attack surface. Attackers do not require credentials, user interaction, or local access to reach the affected functionality.
Root Cause
The root cause is a path traversal flaw [CWE-22] in the request routing layer that fails to sanitize input before forwarding to the AJP connector. The Snowservice API was designed under the assumption that only authenticated, internal callers would reach its endpoints. When the front-end proxy forwards traversed paths, the API trusts the request and processes it without authentication checks.
Attack Vector
An attacker sends a crafted HTTP request containing path traversal sequences to the ESM management interface. The front-end handler resolves the path in a way that causes the request to be forwarded over AJP to the Snowservice API. Because the API endpoint applies no authentication, the attacker invokes internal operations directly. No verified public proof-of-concept code is currently available; refer to the Trellix security article (knowledge base article 000014058) for the vendor's technical details.
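The routing chain described above, shown as an added example that is not Trellix code: the real ESM router, its route prefixes and the Snowservice API paths are not public, so the INTERNAL_PREFIX and PUBLIC_PREFIX values, the handler names and the return strings below are assumptions. vulnerable_route decides on the raw path and lets the backend normalize after the decision, which is the path-confusion pattern; hardened_route normalizes first, refuses any request whose path is not already canonical, and makes the internal handler check authentication again instead of trusting forwarded traffic.

```python
import posixpath
from urllib.parse import unquote

# Assumed route layout for illustration only; not the real ESM paths.
INTERNAL_PREFIX = "/internal/"   # routes served by the AJP-backed Snowservice API
PUBLIC_PREFIX = "/ui/"           # routes meant to be reachable without auth


def normalize(raw_path: str) -> str:
    """Percent-decode until stable (catches ..%2f and double encoding such as
    %252e%252e), then collapse '.' and '..' segments the way a backend would."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def vulnerable_route(raw_path: str, authenticated: bool) -> str:
    """Front-end checks the RAW path, forwards it untouched over AJP, and the
    backend normalizes it. '/ui/../internal/snowservice/status' looks public to
    the front-end and internal to the backend, which trusts forwarded traffic
    and never checks authentication (the CWE-22 plus missing-auth chain)."""
    if raw_path.startswith(INTERNAL_PREFIX) and not authenticated:
        return "401 front-end denied"
    backend_path = normalize(raw_path)           # what the AJP backend resolves
    if backend_path.startswith(INTERNAL_PREFIX):
        return f"200 internal handler: {backend_path}"   # no auth check here
    return f"200 public handler: {backend_path}"


def hardened_route(raw_path: str, authenticated: bool) -> str:
    """Normalize before deciding, refuse any path that changes under
    normalization (traversal, double encoding), plus backslashes and NULs,
    and let the backend enforce authentication a second time."""
    decoded_once = unquote(raw_path)
    canonical = normalize(raw_path)
    if canonical != decoded_once or "\\" in decoded_once or "\x00" in decoded_once:
        return "400 rejected non-canonical path"
    if canonical.startswith(INTERNAL_PREFIX):
        if not authenticated:
            return "401 front-end denied"
        return backend_internal(canonical, authenticated)
    return f"200 public handler: {canonical}"


def backend_internal(path: str, authenticated: bool) -> str:
    """Defense in depth: the internal API does not treat 'forwarded' as 'trusted'."""
    if not authenticated:
        return "401 backend denied"
    return f"200 internal handler: {path}"


if __name__ == "__main__":
    probe = "/ui/..%2finternal/snowservice/status"
    print("vulnerable:", vulnerable_route(probe, authenticated=False))
    print("hardened:  ", hardened_route(probe, authenticated=False))
```

The strict canonical check rejects double-encoded paths outright rather than trying to guess which decoding the backend will apply; if the front-end and backend disagree on how many times to decode, that disagreement is exactly the confusion an attacker exploits, so refusing the request is the safe default.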
Detection Methods for CVE-2024-11481
Indicators of Compromise
- HTTP requests containing path traversal sequences such as ../, ..%2f, or encoded variants targeting ESM management endpoints
- Unexpected AJP connector traffic referencing Snowservice API paths from external source addresses
- Access log entries showing successful responses from internal API endpoints without preceding authentication events
Detection Strategies
- Inspect ESM web server access logs for traversal patterns directed at URIs that resolve to internal services
- Correlate AJP backend logs with front-end request logs to identify forwarded requests that bypass authentication middleware
- Deploy web application firewall (WAF) signatures that flag traversal sequences and direct Snowservice API references
Monitoring Recommendations
- Enable verbose request logging on the ESM front-end and retain logs in a centralized location for correlation
- Alert on any HTTP 200 response to a Snowservice endpoint whose client address is not loopback; decide on the decoded and normalized path, not the raw URI, so encoded traversal variants are not missed
- Monitor the ESM host for anomalous configuration changes or data export activity following suspicious requests
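The indicators and monitoring rules above run over sample log lines, as an added example rather than Trellix tooling: the Apache-style combined log format, the "snowservice" path fragment used to recognize internal endpoints, and every line in SAMPLE_LOG are constructed for illustration. The scanner decodes each request path until it is stable, so ../, ..%2f, %2e%2e/ and double-encoded %252e%252e/ all surface as a literal ".." segment, normalizes the result to see where the request actually resolves, and flags 200 responses to Snowservice paths from non-loopback clients.

```python
import ipaddress
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Apache combined log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample (not real ESM logs): two traversal hits from the Internet
# that received 200s, a normal UI login, a legitimate loopback call from the
# front-end to the backend, and a traversal attempt that was refused.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Nov/2024:10:15:01 +0000] "GET /ui/..%2finternal/snowservice/status HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [29/Nov/2024:10:15:03 +0000] "GET /ui/%252e%252e/internal/snowservice/export HTTP/1.1" 200 8192 "-" "curl/8.4.0"
10.0.0.12 - - [29/Nov/2024:10:16:20 +0000] "GET /ui/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
127.0.0.1 - - [29/Nov/2024:10:17:05 +0000] "GET /internal/snowservice/status HTTP/1.1" 200 512 "-" "Java/17"
203.0.113.9 - - [29/Nov/2024:10:18:44 +0000] "GET /ui/../internal/snowservice/status HTTP/1.1" 404 190 "-" "python-requests/2.31"
"""


def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode until the result stops changing (bounded to avoid loops)."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(decoded_path: str) -> bool:
    """True if any '/'- or '\\'-separated segment is exactly '..'."""
    return ".." in decoded_path.replace("\\", "/").split("/")


def is_loopback(ip: str) -> bool:
    """IPv4 and IPv6 loopback; anything unparsable is treated as external."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_fully(m["path"].split("?", 1)[0])
    canonical = posixpath.normpath(decoded)      # where the request resolves
    indicators = []
    if has_traversal(decoded):
        indicators.append("traversal")
    if "snowservice" in canonical.lower():
        indicators.append("snowservice-path")
        # Non-loopback 200 to an internal endpoint: the monitoring rule above.
        if m["status"] == "200" and not is_loopback(m["ip"]):
            indicators.append("external-200")
    if not indicators:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": m["status"],
            "canonical": canonical, "indicators": indicators}


def scan(log_text: str) -> List[dict]:
    """Scan a whole log and keep only the lines with at least one indicator."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["canonical"], finding["indicators"])
```

The loopback entry is reported but carries only the "snowservice-path" indicator, which is the expected shape of legitimate front-end to backend traffic; "external-200" is the one worth paging on, and a "traversal" hit with a non-200 status on a patched host is still worth recording as an attempt.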
How to Mitigate CVE-2024-11481
Immediate Actions Required
- Upgrade Trellix ESM to a fixed version as directed in the Trellix security article (knowledge base article 000014058)
- Restrict network access to the ESM management interface using firewall rules that limit source addresses to trusted administrative networks
- Audit ESM access logs for path traversal attempts against Snowservice endpoints that occurred before the patch was applied; because no credentials were required, any such attempt could have succeeded
Patch Information
Trellix has published remediation guidance for CVE-2024-11481 in knowledge base article 000014058. Administrators running ESM 11.6.10 should apply the vendor-supplied update as soon as feasible. Confirm version information after patching to ensure the fix is applied.
Workarounds
- Place the ESM management interface behind a reverse proxy or WAF that blocks path traversal sequences before they reach the application
- Apply network segmentation to ensure the Snowservice API and AJP connector are not reachable from untrusted networks
- Filter the AJP connector at the network layer so that only the local front-end can reach it; it should never be reachable on a non-loopback interface
# Example: restrict ESM management interface access with iptables
# (10.0.0.0/24 stands in for the trusted administrative network; these rules
# must come before any broader ACCEPT already in the INPUT chain, since
# iptables stops at the first matching rule)
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
# Example: block AJP connector exposure (Tomcat default port 8009); match on
# the interface rather than on a 127.0.0.1 source so a packet with a spoofed
# loopback address arriving on an external interface is still dropped
iptables -A INPUT -p tcp --dport 8009 ! -i lo -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


