Cyber Posture

CVE-2024-53355

High · Public PoC

Published: 31 January 2025
Modified: 23 May 2025
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0093 (76.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53355 is a high-severity Improper Preservation of Permissions (CWE-281) vulnerability in Easyvirt Co2Scope. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Permission Groups Discovery (T1069). The CVE ranks in the top 23.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Permission Groups Discovery (T1069) and 4 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: AC-3 mandates enforcement of approved authorizations on API routes, directly preventing low-privilege authenticated attackers from performing unauthorized user, group, and role management operations.

prevent: AC-6 enforces least privilege, blocking low-privilege users from executing administrative actions such as adding admin users or modifying roles via the vulnerable endpoints.

prevent: AC-2 requires proper management of accounts, groups, and roles, ensuring only authorized personnel can perform the creation, modification, and deletion operations exploited in this CVE.

MITRE ATT&CK Enterprise Techniques · AI

T1069 Permission Groups Discovery (tactic: Discovery)
Adversaries may attempt to discover group and permission settings.

T1087 Account Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.

T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

T1136 Create Account (tactic: Persistence)
Adversaries may create an account to maintain access to victim systems.

T1531 Account Access Removal (tactic: Impact)
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.

Why these techniques?

The vulnerability enables low-privileged users to enumerate (discovery), create, modify, and delete users, groups, and roles via API endpoints, which maps to permission group and account discovery, account creation and manipulation, and account access removal.

NVD Description

Multiple incorrect access control issues in EasyVirt DCScope <= 8.6.0 and CO2Scope <= 1.3.0 allow remote authenticated attackers, with low privileges, to (1) add an admin user via the /api/user/addalias route; (2) modify a user via the /api/user/updatealias route; (3) delete users via the /api/user/delalias route; (4) get users via the /api/user/aliases route; (5) add a root group via the /api/user/adduser route; (6) modify a group via the /api/user/updateuser route; (7) delete a group via the /api/user/deluser route; (8) get groups via the /api/user/users route; (9) add an admin role via the /api/user/addrole route; (10) modify a role via the /api/user/updaterole route; (11) delete a role via the /api/user/delrole route; (12) get roles via the /api/user/roles route.

Deeper analysis · AI

CVE-2024-53355 consists of multiple incorrect access control issues (CWE-281) in EasyVirt DCScope versions up to and including 8.6.0 and CO2Scope versions up to and including 1.3.0. These vulnerabilities enable unauthorized operations on user, group, and role management through specific API routes, including adding admin users via /api/user/addalias, modifying users via /api/user/updatealias, deleting users via /api/user/delalias, retrieving users via /api/user/aliases, adding root groups via /api/user/adduser, modifying groups via /api/user/updateuser, deleting groups via /api/user/deluser, retrieving groups via /api/user/users, adding admin roles via /api/user/addrole, modifying roles via /api/user/updaterole, deleting roles via /api/user/delrole, and retrieving roles via /api/user/roles.

Remote authenticated attackers with low privileges can exploit these issues over the network with low complexity and no user interaction required. Successful exploitation grants the ability to fully manipulate the user database, including creating admin accounts, altering privileges, and deleting entities, as well as similar control over groups and roles. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability, potentially allowing privilege escalation to administrative control.
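As an added illustration (not EasyVirt's code and not part of the advisory), the following Python contrasts the authentication-only check the CVE describes with a route-level authorization check of the kind AC-3 and AC-6 call for, over the twelve /api/user routes named above, and then audits constructed access-log lines for successful non-admin calls to those routes. The Session structure, the role names "admin" and "user", and the log-line format are assumptions.

```python
import re
from dataclasses import dataclass
# The twelve /api/user routes named in the NVD description; all perform
# user, group or role management and so must require admin rights.
ADMIN_ROUTES = frozenset({
    "/api/user/addalias", "/api/user/updatealias", "/api/user/delalias", "/api/user/aliases",
    "/api/user/adduser", "/api/user/updateuser", "/api/user/deluser", "/api/user/users",
    "/api/user/addrole", "/api/user/updaterole", "/api/user/delrole", "/api/user/roles",
})

@dataclass(frozen=True)
class Session:
    username: str
    role: str  # assumed role names: "admin" or "user"

def vulnerable_authorize(session, route):
    # Pattern the CVE describes: only authentication is checked, so any logged-in user passes.
    return session is not None

def hardened_authorize(session, route):
    # AC-3/AC-6 style: authenticate, then require the admin role on management routes.
    if session is None:
        return False
    if route in ADMIN_ROUTES:
        return session.role == "admin"
    return True

# Assumed access-log format: "user=<name> role=<role> <METHOD> <path> <status>"
LOG_RE = re.compile(r"user=(\S+) role=(\S+) (GET|POST) (\S+) (\d{3})")

def audit_log(lines):
    # Flag each successful (2xx) non-admin request to an admin route: the
    # footprint this CVE leaves while the weak check is in place.
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, role, _method, path, status = m.groups()
        route = path.split("?", 1)[0]  # drop any query string before matching
        if route in ADMIN_ROUTES and role != "admin" and status.startswith("2"):
            findings.append((user, route))
    return findings

SAMPLE_LOG = [  # constructed lines, not from a real deployment
    "user=alice role=admin POST /api/user/addrole 200",
    "user=bob role=user POST /api/user/addalias 200",
    "user=bob role=user GET /api/user/roles?page=1 200",
    "user=bob role=user GET /api/dashboard 200",
    "user=carol role=user POST /api/user/deluser 403",
]
```

Running audit_log(SAMPLE_LOG) reports bob's two successful management-route calls and nothing else; the same route table drives both the enforcement check and the audit, so the two cannot drift apart.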

Advisories and additional details are documented at https://github.com/Elymaro/CVE/blob/main/EasyVirt/CVE-2024-53355.md.

Details

CWE(s): CWE-281 (Improper Preservation of Permissions)

Affected Products

easyvirt co2scope ≤ 1.3.0
easyvirt dcscope ≤ 8.6.0

CVEs Like This One

CVE-2024-53357 (same product: Easyvirt Co2Scope)
CVE-2024-57587 (same product: Easyvirt Co2Scope)
CVE-2024-53356 (same product: Easyvirt Co2Scope)
CVE-2024-55062 (same product: Easyvirt Co2Scope)
CVE-2024-54879 (shared CWE-281)
CVE-2024-54880 (shared CWE-281)
CVE-2024-56973 (shared CWE-281)
CVE-2024-40672 (shared CWE-281)
CVE-2024-46622 (shared CWE-281)
CVE-2025-25871 (shared CWE-281)