CVE-2024-11664 Overview
CVE-2024-11664 is a path traversal vulnerability in eNMS versions up to 4.2. The flaw resides in the multiselect_filtering function within eNMS/controller.py, which is part of the TGZ File Handler component. Attackers can manipulate filename inputs to traverse outside the intended directory structure [CWE-22]. The vulnerability is exploitable remotely over the network and requires only low-privileged authentication. Public exploit details have been disclosed, increasing the likelihood of opportunistic attacks against exposed eNMS instances. The maintainers have published a fix in commit 22b0b443acca740fc83b5544165c1f53eff3f529.
Critical Impact
Authenticated remote attackers can read, write, or overwrite files outside the intended directory, leading to compromise of confidentiality, integrity, and availability of the eNMS host.
Affected Products
- eNMS versions up to and including 4.2
- Deployments using the TGZ File Handler component
- Self-hosted eNMS network automation instances exposed to authenticated users
Discovery Timeline
- 2024-11-25 - CVE-2024-11664 published to NVD
- 2024-12-04 - Last updated in NVD database
Technical Details for CVE-2024-11664
Vulnerability Analysis
The vulnerability exists in the multiselect_filtering function of eNMS/controller.py, which handles TGZ archive operations. The function fails to validate or sanitize file path inputs before processing them. Attackers supply crafted path components, such as ../ sequences, to escape the application's intended working directory. Successful exploitation allows arbitrary file read or write across the filesystem accessible to the eNMS service account.
eNMS is a network automation platform used to manage and configure network devices. Compromise of an eNMS host can cascade into broader network infrastructure exposure, since the platform typically stores device credentials and configuration data.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The TGZ File Handler accepts filename parameters from authenticated requests and passes them to filesystem operations without canonicalization or validation against an allow-list of permitted paths.
Attack Vector
Exploitation occurs over the network against the eNMS web interface. An attacker with valid low-privilege credentials submits a request to the affected endpoint containing manipulated path traversal sequences in the file parameter. The application resolves the path relative to filesystem locations outside the intended TGZ working directory. Depending on the operation invoked, the attacker can read sensitive configuration files, overwrite executable code, or place files in locations leveraged for further code execution.
The vulnerability mechanism is described in the upstream eNMS Pull Request #419 and the corresponding patch commit. No verified proof-of-concept code is reproduced here.
Detection Methods for CVE-2024-11664
Indicators of Compromise
- HTTP requests to eNMS endpoints containing ../, ..\, URL-encoded %2e%2e%2f, or other path traversal sequences in filename parameters
- TGZ archive uploads or processing requests referencing files outside the eNMS working directory
- Unexpected file modifications in eNMS application directories, system configuration paths, or user home directories
- eNMS process activity reading or writing files unrelated to its normal automation workflows
Detection Strategies
- Inspect web server and reverse proxy logs for requests to multiselect_filtering endpoints containing traversal patterns
- Monitor file integrity of the eNMS installation directory and adjacent paths for unauthorized modifications
- Audit authenticated user sessions for anomalous TGZ file handler activity
Monitoring Recommendations
- Enable verbose application logging for the eNMS controller and forward logs to a centralized analytics platform
- Alert on filesystem access by the eNMS service account outside its documented working directories
- Track failed and successful authentication events preceding TGZ handler usage to identify credential-based attack patterns
How to Mitigate CVE-2024-11664
Immediate Actions Required
- Apply the upstream patch from commit 22b0b443acca740fc83b5544165c1f53eff3f529 or upgrade to a fixed eNMS release
- Restrict network access to the eNMS web interface using firewall rules or a VPN gateway
- Audit eNMS user accounts and remove unnecessary low-privilege accounts that could be leveraged for exploitation
- Review filesystem and application logs for prior indicators of path traversal activity
Patch Information
The maintainers addressed the issue in Pull Request #419 with commit 22b0b443. The fix introduces path validation in the multiselect_filtering function to prevent traversal outside the intended directory. Administrators running eNMS 4.2 or earlier should apply the patch or upgrade to a release containing the commit.
Workarounds
- Disable or restrict access to the TGZ File Handler functionality if it is not operationally required
- Enforce strict role-based access control to limit which authenticated users can invoke file handling endpoints
- Deploy a web application firewall rule that blocks requests containing path traversal sequences targeting eNMS endpoints
- Run the eNMS process under a dedicated low-privilege account with filesystem permissions restricted to required directories
# Example: apply the upstream patch to an existing eNMS deployment
cd /opt/eNMS
git fetch origin
git cherry-pick 22b0b443acca740fc83b5544165c1f53eff3f529
systemctl restart enms
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
