Samsung MagicINFO Vulnerability Enables Remote Code Execution Without Authentication
At a Glance
A critical security flaw has been identified in Samsung's MagicINFO digital signage management platform.
This vulnerability allows unauthenticated attackers to execute arbitrary code with system-level privileges.
Tracked as CVE-2024-7399, the issue affects MagicINFO 9 Server versions prior to 21.1050 and has been assigned a CVSS score of 9.8, indicating maximum severity.
Technical Details
The vulnerability stems from improper input validation in the getFileFromMultipartFile method within the SWUpdateFileUploadServlet class.
Specifically, the /MagicInfo/servlet/SWUpdateFileUploader endpoint fails to properly validate user-supplied paths before using them in file operations.
Attackers can exploit this flaw by sending specially crafted HTTP requests containing path traversal sequences.
This allows them to write arbitrary files to unauthorized locations on the server.
By uploading malicious JSP files, attackers can execute arbitrary server-side code with system privileges, potentially leading to complete system compromise.
Affected Versions
- Samsung MagicINFO 9 Server versions prior to 21.1050
Mitigation
Samsung has acknowledged the vulnerability and released a patch in version 21.1050 of the MagicINFO 9 Server.
The patch tightens the input verification logic so that client-supplied file names can no longer be used to traverse outside the intended upload directory.
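To make the mitigation concrete, the following added Python example (not Samsung's code, and not taken from the MagicINFO patch) contrasts the weak pattern of joining a client-supplied file name onto an upload directory with a hardened version that rejects path separators and dot-dot sequences, enforces a character and extension allow-list, and confirms that the resolved target still lies inside the upload root. The upload root, the allow-list of extensions and the length limit are assumptions chosen for the illustration.

```python
import re
from pathlib import Path, PurePosixPath
from typing import Optional

# Assumed upload location and allow-list; not the product's real directory or file types.
UPLOAD_ROOT = Path("/srv/signage_uploads")
ALLOWED_SUFFIXES = {".zip", ".bin", ".img"}
# Allow-list of characters: a leading alphanumeric, then up to 127 safe characters.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def naive_target_path(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """The weak pattern: the client name is joined as-is, so '../' segments (or an
    absolute name) walk out of the upload directory."""
    return root / filename


def is_inside(root: Path, candidate: Path) -> bool:
    """True when the canonical form of `candidate` is `root` or lies beneath it."""
    root_r = root.resolve(strict=False)
    cand_r = candidate.resolve(strict=False)
    return cand_r == root_r or root_r in cand_r.parents


def check_upload_name(filename: str) -> Optional[str]:
    """Return None if the client-supplied name is acceptable, otherwise the reason
    it is rejected. Rejecting (rather than silently stripping) keeps the decision
    auditable in logs."""
    if not filename or "\x00" in filename:
        return "empty or NUL-containing name"
    if "/" in filename or "\\" in filename:
        return "path separators are not allowed"
    if ".." in filename:
        return "dot-dot sequence"
    if not SAFE_NAME_RE.fullmatch(filename):
        return "name contains characters outside the allow-list"
    suffix = PurePosixPath(filename).suffix.lower()
    if suffix not in ALLOWED_SUFFIXES:
        return f"extension not in allow-list: {suffix!r}"
    return None


def hardened_target_path(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Validate the name first, then confirm containment as a second, independent check."""
    reason = check_upload_name(filename)
    if reason is not None:
        raise ValueError(f"rejected upload name {filename!r}: {reason}")
    target = root / filename
    if not is_inside(root, target):
        raise ValueError("resolved path escapes upload root")
    return target


if __name__ == "__main__":
    print("naive  :", naive_target_path("../../tmp/x.zip").resolve(strict=False))
    print("checked:", hardened_target_path("firmware_21.1050.zip"))
```

The containment check in hardened_target_path is deliberately redundant with the name validation: if a later change relaxes the allow-list, the resolve-and-compare step still refuses any name whose canonical form leaves the root.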
Recommendations
- Organizations using affected versions should update to MagicINFO 9 Server version 21.1050 or later immediately.
- Regularly audit and monitor server logs for any suspicious activities.
- Implement strict input validation and sanitization measures to prevent similar vulnerabilities.
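As an added illustration of the log-monitoring recommendation (example code written for this page, not a Samsung tool), the Python below scans constructed access-log lines for three signals consistent with the flaw described above: an upload to the SWUpdateFileUploader endpoint whose decoded file name contains a traversal sequence, an upload whose file name ends in a server-side script extension, and a successful GET for a JSP page that is not in a baseline of known application pages. The log format, the sample lines and the baseline set are all assumptions; MagicINFO's real log format is not described on the page.

```python
import re
from collections import Counter
from urllib.parse import unquote

UPLOAD_ENDPOINT = "/MagicInfo/servlet/SWUpdateFileUploader"
# Assumed baseline of JSP pages the application legitimately serves; in practice,
# build this from a clean install of the same version.
KNOWN_JSP_PAGES = {"/MagicInfo/login.jsp", "/MagicInfo/index.jsp"}

# Constructed sample lines in a combined-log style with a trailing filename field.
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2025:10:12:01 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 512 filename="update_21.1050.zip"
10.0.0.5 - - [06/May/2025:10:12:03 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 64 filename="..%2F..%2Fwebapps%2FMagicInfo%2Fhealth.jsp"
10.0.0.5 - - [06/May/2025:10:12:05 +0000] "GET /MagicInfo/health.jsp HTTP/1.1" 200 900 filename=-
10.0.0.9 - - [06/May/2025:10:13:00 +0000] "GET /MagicInfo/login.jsp HTTP/1.1" 200 2100 filename=-
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'filename=(?:"(?P<fname>[^"]*)"|-)$'
)
# A '..' segment at the start, end or between separators.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize_name(raw: str) -> str:
    """Decode twice to unmask double-encoded sequences, then treat backslashes as separators."""
    return unquote(unquote(raw)).replace("\\", "/")


def analyze(log_text: str) -> list:
    """Return one finding dict per rule hit, in log order."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = m.group("path").split("?", 1)[0]
        fname = m.group("fname")
        ip = m.group("ip")
        if path == UPLOAD_ENDPOINT and fname is not None:
            name = normalize_name(fname)
            if TRAVERSAL_RE.search(name) or name.startswith("/"):
                findings.append({"line": line_no, "ip": ip, "severity": "high",
                                 "rule": "traversal-in-upload-name"})
            if name.lower().endswith((".jsp", ".jspx")):
                findings.append({"line": line_no, "ip": ip, "severity": "high",
                                 "rule": "script-file-upload"})
        elif (m.group("method") == "GET" and m.group("status") == "200"
              and path.lower().endswith(".jsp") and path not in KNOWN_JSP_PAGES):
            findings.append({"line": line_no, "ip": ip, "severity": "medium",
                             "rule": "unexpected-jsp-served"})
    return findings


def severity_counts(findings: list) -> Counter:
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['severity']:<6}  {f['rule']:<26}  {f['ip']}")
    print(dict(severity_counts(analyze(SAMPLE_LOG))))
```

The medium-severity rule is the one worth keeping even after patching: a JSP page appearing under the application that is not part of the installed version is a sign of a file that was written before the update, and the fix to the servlet does not remove files already on disk.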
The Bottom Line
Given the widespread use of Samsung MagicINFO for digital signage management across various industries, this vulnerability poses a significant risk.
Immediate action is required to patch affected systems and mitigate potential exploitation.