CVE-2024-41922 Overview
CVE-2024-41922 is a directory traversal vulnerability in the log files download functionality of Veertu Anka Build Cloud version 1.42.0. An unauthenticated attacker can send a specially crafted HTTP request to read arbitrary files from the underlying host. The flaw is tracked under CWE-22: Improper Limitation of a Pathname to a Restricted Directory. Successful exploitation discloses sensitive information such as configuration files, credentials, and system data accessible to the service account. Because authentication is not required and the attack vector is network-based, internet-exposed Anka Build Cloud controllers face direct risk.
Critical Impact
Unauthenticated remote attackers can read arbitrary files from the Anka Build Cloud host through a single crafted HTTP request, exposing secrets and configuration data.
Affected Products
- Veertu Anka Build Cloud 1.42.0
- Anka Build Cloud controller log download endpoint
- Deployments exposing the Anka Build Cloud web interface to untrusted networks
Discovery Timeline
- 2024-10-03 - CVE-2024-41922 published to NVD
- 2024-12-18 - Last updated in NVD database
Technical Details for CVE-2024-41922
Vulnerability Analysis
The vulnerability exists in the log files download handler exposed by the Anka Build Cloud controller. The endpoint accepts a file path parameter that is concatenated into a filesystem lookup without proper canonicalization or validation. An attacker can supply traversal sequences such as ../ to escape the intended log directory and reach arbitrary files. The endpoint does not enforce authentication, so any network-reachable client can trigger the behavior. Disclosed files may include the macOS host's configuration data, service credentials, API tokens, and other artifacts readable by the controller process. The EPSS score of 5.242% places this issue in the 90th percentile for exploitation likelihood.
Root Cause
The root cause is improper input validation on a user-controlled path component in the log download route. The application trusts the supplied filename and resolves it relative to a base directory without rejecting parent-directory references or normalized paths that escape the intended root. This is a textbook CWE-22 directory traversal pattern combined with missing authentication on a sensitive administrative endpoint.
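To make the root cause concrete, the following Python example (added here; it is not code from Anka Build Cloud or Veertu, and the log directory, route and function names are assumptions) places the vulnerable join-and-open pattern beside a hardened resolver that decodes the name, canonicalises the result and requires it to stay inside the log root.

```python
import os
from urllib.parse import unquote

# Assumed base directory for controller log files (placeholder; the real
# location used by Anka Build Cloud is not given on this page).
LOG_ROOT = "/var/log/anka-controller"


def resolve_log_path_unsafe(root, requested):
    """The vulnerable pattern: trust the supplied name and join it onto the root.
    os.path.join never rejects '..', so the result can point anywhere on disk."""
    return os.path.join(root, requested)


def unsafe_target(root, requested):
    """Where the vulnerable pattern actually ends up after the OS normalises it."""
    return os.path.normpath(resolve_log_path_unsafe(root, requested))


def resolve_log_path(root, requested):
    """Hardened version: decode, refuse empty/absolute names and NUL bytes,
    canonicalise (which also follows symlinks) and enforce containment."""
    root_real = os.path.realpath(root)
    name = unquote(requested)  # treat ..%2f and ../ uniformly
    if not name:
        raise ValueError("empty log name")
    if "\x00" in name:
        raise ValueError("NUL byte in requested name")
    if os.path.isabs(name):
        raise ValueError("absolute paths are not allowed")
    candidate = os.path.realpath(os.path.join(root_real, name))
    # commonpath is the robust containment test; a plain startswith() check
    # would wrongly accept a sibling such as /var/log/anka-controller-old.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("requested path escapes the log directory")
    return candidate


def escapes_root(root, requested):
    """True when the hardened resolver would reject the request."""
    try:
        resolve_log_path(root, requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("controller.log", "../../../etc/passwd", "..%2f..%2fetc%2fpasswd"):
        print(f"{name!r:32} unsafe -> {unsafe_target(LOG_ROOT, name)}  "
              f"rejected by hardened resolver: {escapes_root(LOG_ROOT, name)}")
```

The containment check is done on the canonical path rather than on the raw string, so symlinks inside the log directory that point elsewhere are also caught, which a regex filter on the URL alone cannot do.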
Attack Vector
Exploitation requires only network access to the controller's HTTP service. An attacker issues a single GET request to the log download endpoint with traversal sequences in the path parameter. No credentials, user interaction, or prior foothold are needed. The server reads the targeted file and returns its contents in the HTTP response. Repeated requests allow enumeration of arbitrary files accessible to the controller process, including those storing secrets used to manage virtual machine fleets.
A detailed technical writeup is available in the Talos Intelligence Vulnerability Report TALOS-2024-2061.
Detection Methods for CVE-2024-41922
Indicators of Compromise
- HTTP requests to Anka Build Cloud log download URLs containing ../, ..%2f, or encoded traversal sequences in query or path parameters
- Outbound responses from the controller containing contents of files outside the configured log directory, such as /etc/passwd, SSH keys, or Anka configuration files
- Unauthenticated requests to log endpoints from unexpected source IP addresses
Detection Strategies
- Inspect controller access logs for path traversal patterns targeting the log download route on the port used by the Anka Build Cloud web UI
- Deploy web application firewall rules that block traversal sequences and double-encoded variants on the controller endpoints
- Correlate unauthenticated log endpoint access with subsequent reads of large or unusual file sizes returned by the controller
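The indicators and detection strategies above can be turned into a small log check. The Python below is an added example, not tooling from Veertu or Talos: it parses combined-format access-log lines (constructed sample data; the /api/v1/log?file= route is a placeholder, not Anka's real URL), percent-decodes the request target repeatedly so ..%2f and double-encoded %252e%252e variants surface as plain "..", and flags hits on the log route together with whether the response looked like a successful file read (200 with a non-zero body).

```python
import re
from urllib.parse import unquote

# Constructed sample of controller access-log lines in combined-log style.
# Route, addresses and sizes are made up for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2024:12:00:01 +0000] "GET /api/v1/log?file=controller.log HTTP/1.1" 200 5120
203.0.113.7 - - [03/Oct/2024:12:00:05 +0000] "GET /api/v1/log?file=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.7 - - [03/Oct/2024:12:00:09 +0000] "GET /api/v1/log?file=..%2f..%2f..%2fetc%2fhosts HTTP/1.1" 200 318
198.51.100.2 - - [03/Oct/2024:12:00:12 +0000] "GET /api/v1/log?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0
10.0.0.5 - - [03/Oct/2024:12:00:15 +0000] "GET /api/v1/status HTTP/1.1" 200 77
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) until the string stops changing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target):
    """True if any path or query segment of the decoded request target is '..'."""
    decoded = fully_decode(target).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?&=]", decoded))


def analyze(log_text, route_hint="/log"):
    """Return one finding per traversal attempt against the log route."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        if route_hint not in target.split("?")[0] or not is_traversal(target):
            continue
        size = m.group("size")
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "target": target,
            "decoded": fully_decode(target),
            "status": int(m.group("status")),
            "bytes": int(size) if size.isdigit() else 0,
            # A 200 with a body suggests the read actually succeeded.
            "likely_success": m.group("status") == "200" and size not in ("0", "-"),
        })
    return findings


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        flag = "SUCCESS?" if hit["likely_success"] else "blocked"
        print(f"{hit['ip']:15} {hit['status']} {flag:9} {hit['decoded']}")
```

Decoding in the detector rather than matching raw "../" is what catches the encoded forms listed in the indicators; in production, feed it the proxy or SIEM export and alert on any finding, treating likely_success hits as the ones that need credential rotation.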
Monitoring Recommendations
- Centralize Anka Build Cloud controller HTTP logs in a SIEM and alert on traversal indicators in URI paths
- Baseline normal log download activity and flag requests from non-administrator source addresses or outside maintenance windows
- Monitor host filesystem access by the controller process for reads outside the expected log directory tree
How to Mitigate CVE-2024-41922
Immediate Actions Required
- Restrict network access to the Anka Build Cloud controller so only trusted administrative networks can reach the HTTP service
- Upgrade Veertu Anka Build Cloud beyond version 1.42.0 once a fixed release is available from the vendor
- Rotate any credentials, API tokens, or keys stored on the controller host that may have been exposed through log download abuse
Patch Information
Review the Talos Intelligence advisory TALOS-2024-2061 and Veertu's release notes for fixed Anka Build Cloud versions. Apply vendor-provided updates that add path canonicalization and authentication on the log download endpoint. After patching, verify the fix by issuing test requests containing traversal sequences and confirming the controller rejects them.
Workarounds
- Place the controller behind a reverse proxy or WAF that strips or blocks .., %2e%2e, and other traversal patterns in request URIs
- Enforce network-level access controls such as VPN, firewall allowlists, or zero-trust gateways in front of the controller
- Disable or restrict the log download functionality at the proxy layer until a patched release is deployed
# Example nginx reverse proxy rule blocking traversal sequences
# $request_uri is the raw, undecoded request line, so encoded variants must be
# listed explicitly; "return" is one of the safe uses of "if" inside a location.
location / {
    if ($request_uri ~* "(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)") {
        return 403;
    }
    proxy_pass http://anka-controller-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.