CTERA Edge Filer Cross-site Request Forgery (CSRF) Vulnerability

Vulnerability Description

A vulnerability has been identified in the CTERA Edge Filer user interface, involving a Cross-site Request Forgery (CSRF) attack vector that allows privilege escalation. The likelihood of exploiting this vulnerability is considered low since the attack requires an administrator to click on a malicious link provided by an attacker, while being logged on to the CTERA Edge Filer administrator interface.

This issue was identified during routine penetration testing. CTERA is not aware of this vulnerability having been exploited in the wild.

Vulnerability Details

Publication Date: October 8, 2024

CTERA CVSS Score 7.7

CVSS v3.1 Vector: AV/AC/PR/UI/S/C/I/A/E/RL/RC

Affected CTERA Products

All versions of CTERA Edge Filer 7.x prior to version 7.8.4300.24 (released at the beginning of October 2024)

Analysis

This vulnerability allows an attacker to escalate privileges via a CSRF attack against affected systems. Successful exploitation can result in unauthorized access to sensitive information and potentially full system compromise. The attack requires an administrator who is logged on to the CTERA Edge Filer administrator interface to open a malicious link or page supplied by the attacker; the administrator's own browser then submits the forged request together with the administrator's session.
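To make the attack path described above concrete, the following is an added illustration and not CTERA code: the endpoint, cookie, header and host names are assumptions chosen for the demonstration, and nothing here describes the Edge Filer's actual interface. It models a privileged admin action behind a session cookie, shows that a forged POST from an attacker-controlled page is accepted when the handler relies on the cookie alone (the class of flaw behind a CSRF privilege escalation), and shows the same request being rejected once two independent server-side checks are in place: an Origin/Referer allow-list and a per-session anti-CSRF token that a cross-site page cannot read.

```python
"""
Illustrative CSRF flaw and fix for a browser-facing admin interface.

Added example, not CTERA code. ADMIN_ORIGIN, the /admin/users endpoint,
the "sid" cookie and the csrf_token field are assumptions for the demo.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac
import secrets

ADMIN_ORIGIN = "https://edge-filer.example.internal"  # assumed hostname


@dataclass
class Session:
    user: str
    role: str
    # Per-session secret embedded in the real UI's pages; unreadable cross-site.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an HTTP request as the server sees it."""
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


SESSIONS: dict[str, Session] = {}


def login(user: str, role: str) -> tuple[str, Session]:
    sid = secrets.token_urlsafe(16)
    session = Session(user=user, role=role)
    SESSIONS[sid] = session
    return sid, session


def origin_is_trusted(headers: dict) -> bool:
    """Accept a state-changing request only if its Origin (or, failing
    that, Referer) is exactly the admin interface's own origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # fail closed: no header is treated as cross-site
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN


def handle_add_admin(req: Request, enforce_csrf: bool = True) -> tuple[int, str]:
    """Hypothetical privileged action: create a new admin account.
    The browser attaches the session cookie automatically, so the cookie
    alone says nothing about which page issued the request."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None or session.role != "admin":
        return 401, "not authenticated as admin"
    if req.method != "POST":
        return 405, "method not allowed"
    if enforce_csrf:
        if not origin_is_trusted(req.headers):
            return 403, "cross-site request rejected (origin)"
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, session.csrf_token):
            return 403, "cross-site request rejected (token)"
    return 200, f"admin '{req.form.get('username')}' created"


def legitimate_request(sid: str, session: Session) -> Request:
    """What the real admin UI sends: same origin, token taken from the page."""
    return Request("POST", "/admin/users", {"Origin": ADMIN_ORIGIN},
                   {"sid": sid},
                   {"username": "ops2", "csrf_token": session.csrf_token})


def forged_request(sid: str) -> Request:
    """What an auto-submitting form on https://attacker.example sends when
    the logged-on admin opens it: the browser still attaches the cookie,
    but the Origin is the attacker's site and the token is unknown to it."""
    return Request("POST", "/admin/users", {"Origin": "https://attacker.example"},
                   {"sid": sid},
                   {"username": "backdoor"})


def demo() -> dict:
    """Status codes for the legitimate request and for the forged request
    against the unprotected and the protected handler."""
    sid, session = login("admin", "admin")
    return {
        "legit": handle_add_admin(legitimate_request(sid, session))[0],
        "forged_unprotected": handle_add_admin(forged_request(sid), enforce_csrf=False)[0],
        "forged_protected": handle_add_admin(forged_request(sid))[0],
    }


if __name__ == "__main__":
    print(demo())  # {'legit': 200, 'forged_unprotected': 200, 'forged_protected': 403}
```

The Origin check and the token check are deliberately independent: either one alone defeats the forged request here, and keeping both means a proxy that strips or rewrites headers, or a token leak, does not by itself reopen the hole. Marking the session cookie SameSite is a complementary browser-side control, not a replacement for the server-side checks.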

No CTERA products other than the CTERA Edge Filer versions listed above are affected.

Permanent Solution

CTERA has released CTERA Edge Filer version 7.8.4300.24, which contains a fix for this issue.

CTERA recommends applying this software update to maintain security and operational integrity. If an upgrade is not possible immediately, advise administrators not to open untrusted links or browse other sites while logged on to the CTERA Edge Filer administrator interface, and to log out when they are finished. Because a CSRF request is sent by the administrator's own browser, the malicious page does not need to link to or resemble the Edge Filer interface.

For any further assistance or inquiries, please contact CTERA support.
