CVE-2024-49357
Published: 24 October 2024
Summary
CVE-2024-49357 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Zimaspace Zimaos. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
ZimaOS, a fork of CasaOS for Zima devices and x86-64 UEFI systems, is affected by an information disclosure vulnerability in version 1.2.4 and all prior releases. Unauthenticated API endpoints such as /v1/users/image permit direct retrieval of files including /var/lib/casaos/1/app_order.json and /var/lib/casaos/1/system.json, exposing lists of installed applications and other system configuration data. The issue is tracked as CWE-200 and CWE-862 with a CVSS 3.1 score of 7.5.
An attacker with network access to the device can request these endpoints without credentials or authorization and obtain detailed knowledge of the installed software and system state. This information can be used to identify further attack paths or to tailor subsequent exploitation against the exposed services.
The referenced GitHub advisory GHSA-hg2h-q5h6-r5c4 states that no patched versions were available at the time of publication. The associated EPSS score is 0.7582 at both current and peak values.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43399
Vulnerability details
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json` and `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json`, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. As of time of publication, no known patched versions are available.
- CWE(s): CWE-200, CWE-862
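As an added illustration (not ZimaOS's or CasaOS's own code), the following Go handler shows the two controls whose absence the advisory describes: an authorization check that runs before any file access, and confinement of the user-supplied path parameter to a single directory so that files such as /var/lib/casaos/1/system.json cannot be requested through it. The endpoint name /v1/users/image and the path parameter come from the advisory; imageRoot, apiToken and the function names are assumptions made for this example.

```go
package main

import (
	"log"
	"net/http"
	"path/filepath"
	"strings"
)

// Assumed values for this example only; they are not ZimaOS settings.
const imageRoot = "/var/lib/casaos/images" // constructed: the only directory the endpoint may read from
const apiToken = "example-token-change-me"  // constructed placeholder credential

// authorized reports whether the request carries the expected bearer token.
// A real service would validate a session or per-user token; the point is
// that the check happens before any file access (addresses CWE-862).
func authorized(r *http.Request) bool {
	return r.Header.Get("Authorization") == "Bearer "+apiToken
}

// resolveImagePath confines a user-supplied path to root. It rejects absolute
// paths and any path that still contains ".." after cleaning, so values such
// as "/var/lib/casaos/1/system.json" or "../1/app_order.json" are refused
// rather than served (addresses CWE-200).
func resolveImagePath(root, userPath string) (string, bool) {
	if userPath == "" || filepath.IsAbs(userPath) {
		return "", false
	}
	clean := filepath.Clean(userPath)
	if clean == ".." || strings.HasPrefix(clean, "../") {
		return "", false
	}
	full := filepath.Join(root, clean)
	// Defence in depth: confirm the joined path is still inside root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", false
	}
	return full, true
}

// imageHandler is a hardened stand-in for an image-serving endpoint:
// unauthenticated callers get 401, and any path outside imageRoot gets 403.
func imageHandler(w http.ResponseWriter, r *http.Request) {
	if !authorized(r) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	full, ok := resolveImagePath(imageRoot, r.URL.Query().Get("path"))
	if !ok {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	http.ServeFile(w, r, full)
}

func main() {
	http.HandleFunc("/v1/users/image", imageHandler)
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

The ordering matters: the authorization check comes first so that an unauthenticated caller learns nothing about which paths exist, and the path check rejects rather than silently remaps traversal attempts, which keeps such requests visible in access logs as 403 responses.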
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring that security and privacy attributes be associated with information prevents authorization decisions from being made without the necessary context.
Mandates authorization checks before permitting access or data processing via external systems.
Providing authorized users with a mechanism to verify that a recipient's authorizations match the information's access restrictions prevents sharing without proper authorization checks.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Sanitizing equipment to remove specified information before off-site maintenance prevents exposure of sensitive information to unauthorized actors such as external maintenance personnel.
Requiring detailed, requestable records of every PII disclosure directly aids detection of unauthorized exposures of sensitive information.
Ensures missing authorization mechanisms for critical data functions are identified and remediated via policy.
Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems.