Attack

Vulnerability in aiohttp scanned for exploit by ShadowSyndicate gang

Take action: If you are using the aiohttp library, update it to 3.9.2 or later as soon as you can, and do not expose its static routes directly to the internet: serve static files through a reverse proxy such as nginx so the affected handler is not directly reachable.


Learn More

The cybersecurity community is alerting developers to an active campaign scanning for CVE-2024-23334 in the aiohttp framework. A group tracked as ShadowSyndicate has been observed scanning for vulnerable servers, potentially leveraging the vulnerability as a first step toward ransomware attacks.

CVE-2024-23334 (CVSS score 7.5) is a directory traversal vulnerability affecting aiohttp versions prior to 3.9.2. aiohttp is an asynchronous HTTP client/server framework for Python that is used widely across the technology sector, by web developers, backend engineers and data scientists, for its ability to handle a large number of concurrent HTTP requests efficiently.

The flaw manifests when the follow_symlinks option is enabled on a static route (web.static / add_static): affected versions do not verify that the resolved file path stays inside the directory the route serves, so "../" segments in the request path can escape it. An unauthenticated remote attacker can use this to read arbitrary files that the server process has permission to read, which can lead to disclosure of sensitive information or further compromise.
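To make the failure mode concrete, here is an added, illustrative example in Python (written for this note, not aiohttp's own code): a simplified static-path resolver showing the vulnerable pattern, in which the containment check is skipped whenever follow_symlinks is enabled, next to a hardened resolver that enforces containment in both modes while still honouring an explicit opt-in to serve through symlinks. The function names resolve_vulnerable, resolve_hardened and build_fixture, the sample directory tree and the traversal payload are all constructed for the example.

```python
"""Static-route path containment: vulnerable pattern vs hardened check.

Illustrative example only; not aiohttp's implementation.  The request
path is assumed to be already URL-decoded, as it is once a router has
matched it.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def resolve_vulnerable(root: Path, url_path: str, follow_symlinks: bool) -> Optional[Path]:
    """Simplified version of the pattern described for CVE-2024-23334.

    The resolved path is only checked against ``root`` when symlinks are
    NOT followed.  With follow_symlinks=True no check runs at all, so a
    ``..`` segment in the URL walks out of the served directory.
    Returns None where a server would answer 404.
    """
    candidate = root.joinpath(url_path.lstrip("/")).resolve()
    if not follow_symlinks:
        try:
            candidate.relative_to(root)  # raises ValueError when outside root
        except ValueError:
            return None
    return candidate


def resolve_hardened(root: Path, url_path: str, follow_symlinks: bool) -> Optional[Path]:
    """Containment enforced in both modes.

    1. Normalise ``..`` lexically and require the result to sit under
       ``root``: the URL alone can never name a file outside the tree.
    2. Resolve symlinks.  When the route opted in (follow_symlinks=True)
       a symlink placed inside root by the operator may point outside,
       which is the documented purpose of the option.  When it did not,
       the real path must also stay inside root.
    """
    normalized = Path(os.path.normpath(root.joinpath(url_path.lstrip("/"))))
    try:
        normalized.relative_to(root)
    except ValueError:
        return None
    resolved = normalized.resolve()
    if not follow_symlinks:
        try:
            resolved.relative_to(root)
        except ValueError:
            return None
    return resolved


def build_fixture() -> Tuple[Path, Path]:
    """Constructed sample tree:

        <base>/static/index.html          the served directory (root)
        <base>/static/link -> <base>/secret.txt   symlink leaving root
        <base>/secret.txt                 a file outside root
    """
    base = Path(tempfile.mkdtemp()).resolve()
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    outside = base / "secret.txt"
    outside.write_text("not for the web")
    (root / "link").symlink_to(outside)
    return root, outside


if __name__ == "__main__":
    root, outside = build_fixture()
    traversal = "../secret.txt"  # constructed payload: one '..' escapes root
    for name, fn in (("vulnerable", resolve_vulnerable), ("hardened", resolve_hardened)):
        for follow in (False, True):
            print(f"{name:10} follow_symlinks={str(follow):5} {traversal!r} -> {fn(root, traversal, follow)}")
    print("hardened, symlink opt-in, 'link' ->", resolve_hardened(root, "link", True))
```

Run it and the only resolver/mode combination that hands back a path outside the served directory for the "../secret.txt" request is the vulnerable one with follow_symlinks=True. The hardened resolver still serves "link" when symlink following is explicitly enabled, which is the behaviour the option exists for; the fix is to stop "../" from escaping, not to stop symlinks from working.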

Although a fixed release has been available, the publication of a proof-of-concept (PoC) exploit and the scanning activity that followed have raised concerns. The cybersecurity firm Cyble notes an increase in exploitation attempts following the public release of the PoC.

Users are advised to update affected systems to aiohttp 3.9.2 or later. Additionally, the aiohttp documentation recommends using a reverse proxy server such as nginx to serve static resources in production rather than aiohttp's own static handler, which also keeps the affected code path off the network edge. After patching, review whether any static route actually needs follow_symlinks=True and disable it where it does not.