CVE-2024-12644 Overview
CVE-2024-12644 affects the tbm-client application from Chunghwa Telecom. The application runs a local web server that exposes APIs for communicating with a target website. These APIs lack Cross-Site Request Forgery (CSRF) protection, allowing unauthenticated remote attackers to invoke them through phishing pages. One of the exposed APIs also contains an Absolute Path Traversal flaw [CWE-36]. Attackers can copy arbitrary files from a victim's system and write them to any path on disk. The flaw enables information disclosure and storage exhaustion through bulk file copying.
Critical Impact
Remote attackers can abuse the local API via phishing to copy arbitrary files on a victim's machine, leading to information leakage and disk resource exhaustion.
Affected Products
- Chunghwa Telecom tbm-client
- Local web server component shipped with tbm-client
- Endpoints communicating with the target website via the unauthenticated API
Discovery Timeline
- 2024-12-16 - CVE-2024-12644 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-12644
Vulnerability Analysis
The tbm-client installs a local HTTP server listening on the user's machine. The server exposes APIs intended for browser-based communication with the upstream Chunghwa Telecom service. Because the APIs do not validate the origin of incoming requests, any web page the user visits can issue requests to the local listener. This breaks the same-origin trust boundary the application implicitly relies on: a phishing page is sufficient to trigger the vulnerable endpoints, with no additional authentication required.
One endpoint accepts file path parameters used in a copy operation. The endpoint does not validate or canonicalize the supplied paths. Attackers can supply absolute paths that point outside any intended working directory.
Root Cause
The root cause is twofold. First, the local APIs omit CSRF tokens, origin checks, and authentication. Second, the file-handling API performs file copy operations using attacker-controlled absolute paths without sanitization, matching the pattern described by CWE-36 Absolute Path Traversal.
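As an added illustration, not code from tbm-client or Chunghwa Telecom, the two controls whose absence the root cause describes: an Origin plus CSRF-token check in front of the loopback listener, and canonicalisation with a containment check on both paths the copy endpoint receives. The route, header names, allowed origin, working directory and token are assumptions.

```python
import hmac
from pathlib import Path
from typing import Optional

# Constructed allowlist: the only browser origin the loopback API should serve.
ALLOWED_ORIGINS = {"https://example-service.invalid"}


def origin_allowed(headers: dict, session_token: str) -> bool:
    """First defect: no origin or CSRF check, so any page the user visits can
    call the listener. Require a known Origin header AND a per-session token
    that a cross-site page cannot read (a sandboxed frame sends Origin: null,
    which the allowlist rejects as well)."""
    origin = headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return False  # missing or foreign origin: refuse the request
    presented = headers.get("X-CSRF-Token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    return hmac.compare_digest(presented, session_token)


def confine(base_dir: str, user_path: str) -> Optional[str]:
    """Second defect (CWE-36): caller-supplied absolute paths used as-is.
    Canonicalise the path (resolving symlinks and '..') and accept it only if
    it still lies strictly inside base_dir; return None otherwise."""
    if not user_path:
        return None
    base = Path(base_dir).resolve()
    # An absolute user_path replaces base in the join; that is exactly why the
    # containment check below, not the join itself, is the control.
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:  # outside, or equal to, the base dir
        return None
    return str(candidate)


def handle_copy(headers: dict, params: dict, base_dir: str, session_token: str):
    """Decision logic for a hypothetical POST /copy route. Returns
    (True, (src, dst)) when the caller may run shutil.copyfile on the pair,
    or (False, reason) when the request must be rejected with 403."""
    if not origin_allowed(headers, session_token):
        return False, "cross-origin request or bad CSRF token"
    src = confine(base_dir, params.get("src", ""))
    dst = confine(base_dir, params.get("dst", ""))
    if src is None or dst is None:
        return False, "path outside the permitted working directory"
    return True, (src, dst)
```

The copy itself happens only after `handle_copy` returns `True`, so neither an absolute source path nor a request from an unknown page ever reaches the file system.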
Attack Vector
Exploitation requires user interaction: the victim must visit an attacker-controlled web page while tbm-client is running. The malicious page issues cross-origin requests to the local API endpoint. The API then copies arbitrary files from a source path to a destination path chosen by the attacker. The attacker can read sensitive files by relocating them into a path the browser can later access, or fill storage by copying large files repeatedly. No vendor-confirmed exploit code is publicly available. See the TW-CERT Security Notification for vendor guidance.
Detection Methods for CVE-2024-12644
Indicators of Compromise
- Unexpected outbound HTTP requests from a browser process to the local loopback port used by tbm-client.
- File copy operations originating from the tbm-client process targeting paths outside its installation directory.
- Sudden growth of duplicated files on user systems where tbm-client is installed.
Detection Strategies
- Monitor process telemetry for tbm-client performing file write operations to user profile directories or system paths.
- Inspect browser referrer chains preceding file activity by the local client to identify phishing-driven triggers.
- Alert on local HTTP requests to the tbm-client listener that originate from non-Chunghwa Telecom domains.
Monitoring Recommendations
- Capture endpoint file system events for the tbm-client process and forward them to a centralized log store for correlation.
- Baseline normal API call patterns to the local listener and alert on deviation in request volume or source origin.
- Review web proxy logs for user visits to suspicious domains that immediately precede local file activity.
How to Mitigate CVE-2024-12644
Immediate Actions Required
- Uninstall or disable tbm-client until a fixed version is deployed if the application is not required for daily operations.
- Apply the vendor update referenced in the TW-CERT Risk Advisory as soon as it becomes available.
- Block known phishing infrastructure at the web proxy and DNS layers to reduce the likelihood of user interaction.
Patch Information
Chunghwa Telecom has issued guidance through TW-CERT. Administrators should consult the TW-CERT Security Notification for the latest patched version and upgrade instructions. No specific patched build identifier is listed in the NVD record.
Workarounds
- Restrict the local listener with a host firewall rule that permits only the trusted browser process to connect. Note that a firewall sees processes and ports, not web origins, so filtering by origin can only be done by the application itself.
- Close the tbm-client application when it is not actively in use to remove the local attack surface.
- Train users to recognize phishing pages that may target locally exposed services.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.