Tech Stack

• Affected Products:
  • Cleo Harmony (versions before 5.8.0.21)
  • VLTrader (versions before 5.8.0.21)
  • LexiCom (versions before 5.8.0.21)

---

Date(s) Issued

• Published: October 27, 2024
• Updated: November 15, 2024

---

Criticality

• Severity Rating: High
• Potential Impact: Exploitation of the vulnerability allows an attacker to upload and download files without restriction, which can lead to Remote Code Execution (RCE).

---

Overview

This vulnerability stems from insufficient validation or controls over file upload and download mechanisms in affected Cleo products. By exploiting this flaw, attackers can upload malicious files or download sensitive files, potentially gaining unauthorized access to execute arbitrary code on the system. This could result in a breach of confidentiality, integrity, and availability.

---

Solution and Mitigation Steps

1. Upgrade Affected Software

Cleo has addressed this vulnerability in versions 5.8.0.21 and above for the following products:

• Cleo Harmony
• VLTrader
• LexiCom

Action:

• Download and install the latest version of the software from Cleo’s official support page: Cleo Product Security Advisory.

2. Implement Temporary Measures (if upgrade is not immediately feasible)

If immediate upgrades are not possible, apply the following mitigations:

• Restrict File Uploads:
  • Configure file upload policies to only allow specific file types and verify their integrity.
  • Implement checksum or hash validation on uploaded files.
• Restrict File Downloads:
  • Ensure only authorized users have download permissions.
  • Restrict download paths to prevent exposure of sensitive files.
• Sanitize Inputs:
  • Validate all user inputs for file paths to prevent directory traversal attacks.
  • Use strong validation libraries or tools to enforce secure file handling.

3. Monitor System Activity

• Regularly monitor system logs for suspicious upload or download activity.
• Set up alerts for anomalous activities such as unexpected file uploads or downloads by unauthorized user.

4. Network Segmentation

• Segment the affected systems from other critical infrastructure to minimize the blast radius in case of exploitation.
• Implement firewalls and enforce the principle of least privilege for network access.

5. Secure Backups

• Ensure regular, secure backups of all critical data. This enables recovery in the event of malicious file activity or data corruption.

---

Confirmation & Additional Information

Verify Mitigation Implementation

• Post-Upgrade: Confirm that the installed version is 5.8.0.21 or higher by checking the product version in the admin console or CLI.
• Testing: Conduct penetration testing to ensure file upload/download paths are secure.

Stay Updated

• Regularly check Cleo’s official advisories and release notes for updates: Cleo Product Security Advisory.

Additional Resources

Security Best Practices for Cleo Products: Refer to Cleo’s documentation for detailed hardening steps.

Cleo Customer Support: Support Portal