Fixed status of CVE-2024-7437, CVE-2024-7438, CVE-2025-2582 and CVE-2025-2583?

Started by nfpuu1u, March 23, 2025, 07:40:49 AM


nfpuu1u

I saw a few CVEs got published recently (two in August 2024 and two a few days ago):

https://www.cve.org/CVERecord?id=CVE-2024-7437
https://www.cve.org/CVERecord?id=CVE-2024-7438
https://www.cve.org/CVERecord?id=CVE-2025-2582
https://www.cve.org/CVERecord?id=CVE-2025-2583

Quote:
CVE-2024-7437
A vulnerability, which was classified as critical, was found in SimpleMachines SMF 2.1.4. Affected is an unknown function of the file /index.php?action=profile;u=2;area=showalerts;do=remove of the component Delete User Handler. The manipulation of the argument aid leads to improper control of resource identifiers. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2024-7438
A vulnerability has been found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?action=profile;u=2;area=showalerts;do=read of the component User Alert Read Status Handler. The manipulation of the argument aid leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-2582
A vulnerability was found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this issue is some unknown functionality of the file ManageAttachments.php. The manipulation of the argument Notice leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.

CVE-2025-2583
A vulnerability was found in SimpleMachines SMF 2.1.4. It has been classified as problematic. This affects an unknown part of the file ManageNews.php. The manipulation of the argument subject/message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.

but I can't find any info here or e.g. at https://github.com/search?q=org%3ASimpleMachines%20CVE-2025-2583&type=code

Are these valid (see "vendor contacted early" in two above) and, if so, what's the fixed status of these?


shawnb61

I am not sure you should expect an official response, so let me share an unofficial one...

The SMF team takes security very seriously, which is why it is consistently rated higher than other forums for security.  When a security report comes in, it is treated with priority.  There is internal discussion on validity & approach, & fixes are made where appropriate.

The team does not publicly discuss specific CVEs and versions.  I hope the reason is obvious - if it became clear that a specific attack was confirmed for a specific version, it would be open season on all sites running that version.  The muted discussion protects SMF users & sites.

Note that GitHub allows security fixes to be done in private for the reasons noted above.  You won't find 'em via search.

When fixes are made, you will see a vague "security improvements" in the release notes.  If you see "security improvements" or similar in the release notes, that pretty much means you're getting current on known, real, validated issues by applying the patch.

If security is important to you, the best rule to follow is to stay current.

If you think you have found a valid security issue, report it via the security form:
https://www.simplemachines.org/about/smf/security.php

Some thoughts on CVEs...

Personally, I think the process has degraded in recent years.  There is a "RESERVED" status that was once intended to allow the team time to respond & address - in private - for exactly the reasons specified above.  It feels like that is bypassed for unknown reasons lately.  They continue to make changes in an effort to provide more transparency, but at the same time, that transparency can be dangerous to actual users.

What's worse is there are so many bounty programs out there, folks feel encouraged to submit to retrieve a bounty.  Which is a highly questionable practice.  Again, (hopefully) good intentions, but questionable results.  The team can spend a lot of time chasing chimeras...

Some of the SMF CVEs I've seen I think are questionable because to execute the exploit, you need admin access (some in the list above are like that).  There are some admin panel screens that allow you to enter internal settings or even sometimes edit code (language strings, theme updates).  Some of the CVEs reflect that an admin can enter malicious code there....

But...  If only an admin can do it, is that even an exploit?

In a similar vein, some of the reports assume others can obtain easy access to your session to do horizontal exploits.  SMF does as good as anyone protecting your session today, IMO. 

Anyway, FWIW, the above opinions are my own.
A question worth asking is born in experience & driven by necessity. - Fripp

nfpuu1u

Thanks for the response.

Note that I'm not the one who found or disclosed the vulnerabilities; I just was worried that some of the CVEs mentioned that the exploit was disclosed publicly, and as everything is already public (with indeed some strange practices, it seems), I'm not sure if I, as a user, am affected and whether there is something I can do to mitigate the flaws.

Especially as the ones which mention publicly available exploits have already been public for around seven months (since 2024-08-03).

Sesquipedalian

Quote from: shawnb61 on March 23, 2025, 02:12:01 PM
Some of the SMF CVEs I've seen I think are questionable because to execute the exploit, you need admin access (some in the list above are like that).  There are some admin panel screens that allow you to enter internal settings or even sometimes edit code (language strings, theme updates).  Some of the CVEs reflect that an admin can enter malicious code there....

But...  If only an admin can do it, is that even an exploit?

This is, in fact, very similar to our responses to vuldb.com before they decided to publish anyway.

While they acknowledged that only an administrator could perform these actions, they argued that "A malicious administrator or a compromised administrator account could use the possibilities to attack others," and that this counts as a vulnerability according to their definitions.

Our view is that, if this is the criteria they are using, then any and every FTP server, SSH server, FileManager, and CMS with the ability to modify files should be likewise flagged as a security vulnerability. After all, if a malicious actor has SSH access to a server, that malicious actor can put nasty scripts on the server in order to attack others. But that's not a software vulnerability in SSH; it's a social vulnerability among humans. The only solution, whether one is talking about an SSH account or administrator privileges on an SMF forum, is to not give that kind of access to anyone unless you fully and utterly trust them.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.

shawnb61

It's like saying Fort Knox has a security problem, because if a bad actor somehow got inside, they could commit vandalism...
A question worth asking is born in experience & driven by necessity. - Fripp

iasdeoupxe

Thanks again for the responses. Unfortunately I'm not really familiar with such topics, so please bear with me, but I would like to have two very simple and short answers to these questions:
  • Is my server in general or my users at risk?
  • And if so: When is a fix expected / how can I protect them?

vbgamer45

Speaking just based on my reading of them, no.  These are mostly admin-side issues that would be hard to execute. The other two are user alerts which have almost no impact.
Community Suite for SMF - Grow your forum with SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com - Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Kindred

Basically: most reports these days report that it is possible for someone with admin rights to do bad things.

That is absolutely true.
Someone with admin rights, in practically ANY system, can upload a malicious script.
The solution is simple and requires no patch --- don't give admin rights to anyone you don't trust.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

iasdeoupxe

Thanks to both of you for your replies; I hope these also clarify the concerns of the OP.

It seems to me this vuldb.com is not that reliable a source if they mention "critical" and "public exploit" but then it turns out that it is not critical at all.  :(

LiroyvH

Quote from: iasdeoupxe on April 19, 2025, 07:28:13 AM
Thanks again for the responses. Unfortunately I'm not really familiar with such topics, so please bear with me, but I would like to have two very simple and short answers to these questions:
  • Is my server in general or my users at risk?
  • And if so: When is a fix expected / how can i protect them?

If you use a strong username and password for your Administrator account, and it is strongly encouraged to also enable 2FA as it offers a strong extra barrier, then you're good. These reports appear to consider features of the software that are locked behind administrator authentication as security vulnerabilities.

However, if you're concerned - there's always something extra you can do: it is possible to further harden your website files (not just the forum, this goes for any files/folders) by configuring file permissions (CHMOD) in a restrictive manner. This causes features such as the Package Manager and Theme Manager to be "locked", and if you wish to use them you'd have to (temporarily) set less restrictive file permissions whilst you use the feature. Note that the attachment folder(s) do need write permissions if you want users to be able to upload pictures, files, etc., and if you 'lock' Settings.php then you can't change certain settings from within the admin panel.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
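The restrictive file-permission scheme described in the post above, written out as an added shell example; this is not code from the thread or from the SMF project. It assumes the forum root is the directory you pass in, that attachments live in an `attachments/` directory directly under that root (SMF lets you relocate it, so adjust the name), that the web server user only needs read access, and that you run it as the owner of the files. `smf_lock` applies the lock (Package Manager, Theme Manager and Settings.php edits will then fail), `smf_unlock` temporarily reopens the tree for those features, and `smf_audit` lists anything outside the attachments directory that is still group- or world-writable.

```shell
#!/usr/bin/env bash
# Added example: lock/unlock an SMF tree with restrictive CHMOD values.
# Assumptions (not from the thread or SMF): forum root is $1, attachments live
# in "$root/attachments", web server only reads, script runs as the file owner.
set -eu

# Print a path's octal mode portably (GNU stat first, then BSD stat).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Lock: directories searchable but not writable (0555), files read-only (0444).
# The attachments directory stays owner-writable so uploads keep working;
# uploaded files themselves are left non-executable and read-only.
smf_lock() {
  local root=$1
  find "$root" -type d -exec chmod 0555 {} +
  find "$root" -type f -exec chmod 0444 {} +
  if [ -d "$root/attachments" ]; then
    chmod 0755 "$root/attachments"
  fi
}

# Unlock: temporarily restore the usual 0755/0644 so an admin can run the
# Package Manager or Theme Manager or edit Settings.php; re-run smf_lock after.
smf_unlock() {
  local root=$1
  find "$root" -type d -exec chmod 0755 {} +
  find "$root" -type f -exec chmod 0644 {} +
}

# Audit: print anything (excluding the attachments tree) that is group- or
# world-writable. Returns 0 when nothing is found, 1 otherwise.
smf_audit() {
  local root=$1
  local hits
  hits=$(find "$root" -path "$root/attachments" -prune -o -perm /022 -print)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Usage: ./smf_perms.sh lock /path/to/forum   (or unlock / audit)
case "${1:-}" in
  lock)   smf_lock "$2" ;;
  unlock) smf_unlock "$2" ;;
  audit)  smf_audit "$2" ;;
esac
```

Run `audit` after every lock and after any unlock/lock cycle; a non-empty listing means some file or directory is still writable by the web server's group or by everyone, which is exactly the state the post recommends avoiding.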
