7.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-32656

GHSA ID

GHSA-qwhw-hh9j-54f5

EPSS Score

0.11584%

CWE

CWE-862

Published

4/22/2024

Updated

4/23/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-32656

CVE-2024-32656: Ant Media Server vulnerable to a local privilege escalation

Impact

We have identified a local privilege escalation vulnerability in Ant Media Server which allows any unprivileged operating system user account to escalate privileges to the root user account on the system. This vulnerability arises from Ant Media Server running with Java Management Extensions (JMX) enabled and authentication disabled on localhost on port 5599/TCP. This vulnerability is nearly identical to the local privilege escalation vulnerability CVE-2023-26269 identified in Apache James. Any unprivileged operating system user can connect to the JMX service running on port 5599/TCP on localhost and leverage the MLet Bean within JMX to load a remote MBean from an attacker-controlled server. This allows an attacker to execute arbitrary code within the Java process run by Ant Media Server and execute code within the context of the “antmedia” service account on the system.

Patches

2.9.0

Workarounds

Remote the following parameters from antmedia.service file

-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=5599 -Dcom.sun.management.jmxremote.local.only=true -Dcom.sun.management.jmxremote.host=127.0.0.1 -Djava.rmi.server.hostname=127.0.0.1 -Djava.rmi.server.useLocalHostname=true -Dcom.sun.management.jmxremote.rmi.port=5599

Thank you Adam Crosser for reporting the issue Local Privilege Escalation via Unauthenticated JMX Remote Management Interface (1).pdf

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-32656

CVE-2024-32656:

7.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-32656

GHSA ID

GHSA-qwhw-hh9j-54f5

EPSS Score

0.11584%

CWE

CWE-862

Published

4/22/2024

Updated

4/23/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.antmedia:ant-media-server	maven	>= 2.6.0, < 2.9.0	2.9.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure JMX configuration parameters in the systemd service file (antmedia.service), not from specific code functions. The Java process was started with JMX enabled (-Dcom.sun.management.jmxremote) without authentication (-Dcom.sun.management.jmxremote.authenticate=false) or SSL (-Dcom.sun.management.jmxremote.ssl=false). While the MLet bean in JMX is the exploitation mechanism, it's part of the Java platform rather than Ant Media Server's codebase. The root cause is the insecure configuration in the service definition, not a specific function in the application code. No application-layer functions were modified in the patch - the fix involved removing JVM flags from the service template.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-32656: Ant Media Server vulnerable to a local privilege escalation

Impact

Patches

Workarounds

CVE-2024-32656:

7.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.8

7.8

Basic Information

Basic Information

CVE-2024-32656: Ant Media Server vulnerable to a local privilege escalation

Impact

Patches

Workarounds

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI