CVE-2024-12644 in tbm-clientinfo

Summary

by MITRE • 12/16/2024

The tbm-client from Chunghwa Telecom has an Arbitrary File vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/17/2025

The CVE-2024-12644 vulnerability affects the tbm-client application developed by Chunghwa Telecom, which operates as a local web server with exposed APIs for communication purposes. This client application creates a potential attack surface by implementing web services that lack proper authentication mechanisms and security controls. The vulnerability stems from insufficient input validation and access control measures within the API endpoints, creating a pathway for malicious actors to exploit the system without requiring valid credentials.

The technical flaw manifests through two distinct but related vulnerabilities that compound the overall risk. The first vulnerability involves the absence of Cross-Site Request Forgery (CSRF) protection mechanisms in the application's APIs, which allows unauthenticated remote attackers to leverage phishing techniques to execute malicious requests against the client. This weakness directly maps to CWE-352, which categorizes CSRF vulnerabilities as a critical security flaw that permits unauthorized actions to be performed on behalf of authenticated users. The second vulnerability represents an absolute path traversal flaw that enables attackers to manipulate file system operations through the API endpoints. This allows adversaries to copy arbitrary files from the system and write them to any location, creating potential information leakage risks and enabling denial-of-service through massive file duplication.

The operational impact of this vulnerability extends beyond simple data theft, as attackers can leverage the path traversal capability to consume significant storage space on the victim's system. This dual nature of the vulnerability creates multiple attack vectors that can be exploited in combination to cause both information disclosure and system resource exhaustion. The lack of proper API authentication and authorization controls means that any remote attacker with knowledge of the exposed endpoints can potentially execute malicious file operations without requiring legitimate user credentials. The vulnerability's exploitation through phishing techniques makes it particularly dangerous as it can be triggered by unsuspecting users who visit malicious websites or click on compromised links.

Security professionals should consider this vulnerability in the context of the ATT&CK framework, particularly under the T1566 technique for Phishing and T1078 for Valid Accounts, as it enables attackers to leverage legitimate client functionality to perform unauthorized file operations. The vulnerability's impact aligns with CWE-22, which addresses path traversal issues, and CWE-352, which covers CSRF protection failures. Organizations should implement immediate mitigations including the addition of proper CSRF tokens to all API endpoints, implementation of strict input validation for file paths, and enforcement of authentication mechanisms for all exposed web services. Network segmentation and firewall rules should be configured to restrict access to the tbm-client application's web server ports, while regular security assessments should monitor for similar vulnerabilities in other client applications.

Responsible

Twcert

Reservation

12/16/2024

Disclosure

12/16/2024

Moderation

accepted

CPE

ready

EPSS

0.00286

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!