🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
Emerging Threats
mins read

Appsmith Patches Full-Read SSRF Vulnerabilities Reported by CloudSEK

Appsmith Patches Full-Read SSRF Vulnerabilities Reported by CloudSEK

October 4, 2022
Green Alert
Last Update posted on
February 3, 2024
Keep your web applications secure from vulnerabilities.

A vulnerable web applications can open the door to your critical assets. Stay protected with CloudSEK BeVigil Enterprise Web App Scanner module.

Schedule a Demo
Table of Contents
Author(s)
No items found.

Authors : Sparsh Kulshrestha and Shashank Bharthwal
Editor : Deepanjli Paulraj

Executive Summary

THREAT IMPACT MITIGATION

CloudSEK ASM discovered post-authentication full read SSRF (Server-side request forgery) vulnerabilities in Appsmith’s REST Client (CVE-2022-38298) and Elasticsearch (CVE-2022-38299).

The SSRF vulnerability can be exploited to access AWS/GCP metadata services and obtain temporary security credentials of the Appsmith cloud environment.

Introduction

In August 2022 CloudSEK ASM, which monitors our customers’ attack surfaces, discovered several internet exposed instances of Appsmith. Given that the instances were externally exposed, CloudSEK security researchers explored them for possible pre and post authentication vulnerabilities.

Since Appsmith does not have signup restrictions in the default installation, we focused on its post-auth functionalities, where we discovered Server Side Request Forgery (SSRF) vulnerabilities in its REST API plugin (CVE-2022-38298) and Elasticsearch (CVE-2022-38299), respectively.

SSRF vulnerabilities can be exploited to access the internal metadata of AWS/GCP. Since Appsmith offers a cloud version of their software hosted on AWS, SSRF vulnerabilities can have a high impact.

What is Appsmith

Appsmith is an open-source low-code tool that helps developers build dashboards and admin panels very quickly. It’s a platform that helps businesses build any custom internal application within hours.

How does Appsmith work?

Appsmith dashboards and panels can be set up in 4 steps:

  • Connect Datasource: Integrate with a data source such as a database or an API. Appsmith has plug-and-play support for many databases and RESTful API interface to connect with most tools.
  • Build UI: Use customizable built-in widgets to build an app layout.
  • Access Data: Connect UI to the data source by writing queries and binding the data to widgets.
  • Collaborate, Deploy, and Share: It supports version control with Git, to track changes, create rollbacks, and to collaborate using git branches. Deploy the app and share it with other users.

SSRF Vulnerability in Appsmith’s REST Client (CVSS:3.0 Score: 8.8)

One of Appsmith’s post-authentication functionalities allows users to connect to data sources using REST APIs. Appsmith’s REST Client can be used to invoke a REST Service API to create and execute queries. It can handle HTTP requests ranging from GET, POST, PUT, and PATCH, and users can also specify headers, if required, for authentication.

Appsmith REST API
Appsmith REST API

 

On replacing the API URL with a Burp Collaborator’s payload, we received an HTTP pingback immediately. However, when we tried to access the internal AWS metadata, we received a “Host not allowed” error.

Error while accessing AWS metadata
Error while accessing AWS metadata

 

Since Appsmith is an open-source tool, we reviewed the code for this functionality and found that there is blacklist-based prevention that restricts users from accessing AWS metadata.

private static final Set<String> DISALLOWED_HOSTS = Set.of(
"169.254.169.254",
"metadata.google.internal"
);

List of Disallowed Domains

final String host = uri.getHost();
if (StringUtils.isEmpty(host)
|| DISALLOWED_HOSTS.contains(host)
|| DISALLOWED_HOSTS.contains(InetAddress.getByName(host).getHostAddress())) {
errorResult.setBody(AppsmithPluginError.PLUGIN_EXECUTE_ARGUMENT_ERROR.getMessage("Host not allowed."));
errorResult.setRequest(actionExecutionRequest);
return Mono.just(errorResult);
}

Condition to validate hostname

In an attempt to bypass the SSRF blacklist protection, we implemented a redirection server that redirects the decoy request to the blacklisted server.

So, we set up a PHP redirect server, on our VPS, that redirects incoming requests to the AWS internal metadata endpoint. In this way, we were able to exploit this SSRF vulnerability. The following redirect.php file was hosted on our VPS:

<?php
$server = $_GET["server"];
if($server == "gcp") {
header("Location: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/");
}
elseif($server == "aws") {
header("Location: http://169.254.169.254/latest/meta-data/");
}
?>

Redirect.php file content

Then we made a request to the above file from the Appsmith REST API and in response, we received the metadata from the AWS/GCP cloud.

AWS security credentials of self-hosted Appsmith Cloud
AWS security credentials of self-hosted Appsmith Cloud

 

GCP metadata were fetched from the GCP compute engine
GCP metadata were fetched from the GCP compute engine

 

SSRF Vulnerability in Appsmith’s Elasticsearch (CVSS:3.0 Score: 8.2)

One of Appsmith’s post-authentication functionalities allows users to connect to Elasticsearch databases as data sources.

Adding an Elasticsearch database as a data source
Adding an Elasticsearch database as a data source

 

Once the Elasticsearch database has been connected, select the query method and enter the path. We added the following path: /latest/meta-data/iam/security-credentials/. Leave the Body blank.

Adding the path
Adding the path

 

When this query is run, it returns the temporary security credentials for your AWS role.

AWS security credentials
AWS security credentials

Impact

While a post-authentication SSRF is not new, it can have significant impact since Appsmith offers a cloud version of their software hosted on AWS. Also, Appsmith does not have a signup restriction in the default installation. So if an Appsmith instance is exposed to the internet, anyone can signup and have access to the vulnerable functionality that has this SSRF vulnerability.

In this case, the SSRF vulnerabilities can be exploited to the AWS metadata IP address and obtain temporary security credentials to the cloud environment of self-hosted Appsmith.

This can have large-scale impact, given that over a 1000 Appsmith instances are exposed on the internet:

Mitigation

Responsible Disclosure

CloudSEK submitted this vulnerability to Appsmith via their well-defined vulnerability disclosure process. Subsequently, the Appsmith team fixed this issue in their next release. Appsmith versions 1.7.12 and above do not have this vulnerability.

Timeline

Timeline for this disclosure process can be found below:

  • 05 Aug 2022: Disclosure of first SSRF to Appsmith
  • 05 Aug 2022: Initial response from Appsmith with acknowledgement for the vulnerability
  • 06 Aug 2022: Disclosure of second SSRF to Appsmith
  • 08 Aug 2022: Response from Appsmith with acknowledgement for the second vulnerability
  • 09 Aug 2022: Appsmith releases patch for both the vulnerabilities.
  • 10 Aug 2022: We filed for the CVE
  • 13 Sep 2022: CVE ID assigned by cve.org

References

Author

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

Blog Image
Vulnerability Intelligence
June 16, 2023

CVE-2023-20887 Leads to RCE in VMware Aria Operations for Networks

CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8 which leads to VMware Aria.

Blog Image
Adversary Intelligence
April 3, 2023

Ongoing Active Trojanized 3CX Desktop App Potentially Affecting 600K Users Globally

On 29th March, 2023 there were reports of malicious activity originating from a signed 3CX desktop application. CrowdStrike’s Falcon Overwatch has claimed to have observed malicious activities from both Windows and macOS binaries.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Emerging Threats

min read

Appsmith Patches Full-Read SSRF Vulnerabilities Reported by CloudSEK

Appsmith Patches Full-Read SSRF Vulnerabilities Reported by CloudSEK

Authors
Co-Authors
No items found.

Authors : Sparsh Kulshrestha and Shashank Bharthwal
Editor : Deepanjli Paulraj

Executive Summary

THREAT IMPACT MITIGATION

CloudSEK ASM discovered post-authentication full read SSRF (Server-side request forgery) vulnerabilities in Appsmith’s REST Client (CVE-2022-38298) and Elasticsearch (CVE-2022-38299).

The SSRF vulnerability can be exploited to access AWS/GCP metadata services and obtain temporary security credentials of the Appsmith cloud environment.

Introduction

In August 2022 CloudSEK ASM, which monitors our customers’ attack surfaces, discovered several internet exposed instances of Appsmith. Given that the instances were externally exposed, CloudSEK security researchers explored them for possible pre and post authentication vulnerabilities.

Since Appsmith does not have signup restrictions in the default installation, we focused on its post-auth functionalities, where we discovered Server Side Request Forgery (SSRF) vulnerabilities in its REST API plugin (CVE-2022-38298) and Elasticsearch (CVE-2022-38299), respectively.

SSRF vulnerabilities can be exploited to access the internal metadata of AWS/GCP. Since Appsmith offers a cloud version of their software hosted on AWS, SSRF vulnerabilities can have a high impact.

What is Appsmith

Appsmith is an open-source low-code tool that helps developers build dashboards and admin panels very quickly. It’s a platform that helps businesses build any custom internal application within hours.

How does Appsmith work?

Appsmith dashboards and panels can be set up in 4 steps:

  • Connect Datasource: Integrate with a data source such as a database or an API. Appsmith has plug-and-play support for many databases and RESTful API interface to connect with most tools.
  • Build UI: Use customizable built-in widgets to build an app layout.
  • Access Data: Connect UI to the data source by writing queries and binding the data to widgets.
  • Collaborate, Deploy, and Share: It supports version control with Git, to track changes, create rollbacks, and to collaborate using git branches. Deploy the app and share it with other users.

SSRF Vulnerability in Appsmith’s REST Client (CVSS:3.0 Score: 8.8)

One of Appsmith’s post-authentication functionalities allows users to connect to data sources using REST APIs. Appsmith’s REST Client can be used to invoke a REST Service API to create and execute queries. It can handle HTTP requests ranging from GET, POST, PUT, and PATCH, and users can also specify headers, if required, for authentication.

Appsmith REST API
Appsmith REST API

 

On replacing the API URL with a Burp Collaborator’s payload, we received an HTTP pingback immediately. However, when we tried to access the internal AWS metadata, we received a “Host not allowed” error.

Error while accessing AWS metadata
Error while accessing AWS metadata

 

Since Appsmith is an open-source tool, we reviewed the code for this functionality and found that there is blacklist-based prevention that restricts users from accessing AWS metadata.

private static final Set<String> DISALLOWED_HOSTS = Set.of(
"169.254.169.254",
"metadata.google.internal"
);

List of Disallowed Domains

final String host = uri.getHost();
if (StringUtils.isEmpty(host)
|| DISALLOWED_HOSTS.contains(host)
|| DISALLOWED_HOSTS.contains(InetAddress.getByName(host).getHostAddress())) {
errorResult.setBody(AppsmithPluginError.PLUGIN_EXECUTE_ARGUMENT_ERROR.getMessage("Host not allowed."));
errorResult.setRequest(actionExecutionRequest);
return Mono.just(errorResult);
}

Condition to validate hostname

In an attempt to bypass the SSRF blacklist protection, we implemented a redirection server that redirects the decoy request to the blacklisted server.

So, we set up a PHP redirect server, on our VPS, that redirects incoming requests to the AWS internal metadata endpoint. In this way, we were able to exploit this SSRF vulnerability. The following redirect.php file was hosted on our VPS:

<?php
$server = $_GET["server"];
if($server == "gcp") {
header("Location: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/");
}
elseif($server == "aws") {
header("Location: http://169.254.169.254/latest/meta-data/");
}
?>

Redirect.php file content

Then we made a request to the above file from the Appsmith REST API and in response, we received the metadata from the AWS/GCP cloud.

AWS security credentials of self-hosted Appsmith Cloud
AWS security credentials of self-hosted Appsmith Cloud

 

GCP metadata were fetched from the GCP compute engine
GCP metadata were fetched from the GCP compute engine

 

SSRF Vulnerability in Appsmith’s Elasticsearch (CVSS:3.0 Score: 8.2)

One of Appsmith’s post-authentication functionalities allows users to connect to Elasticsearch databases as data sources.

Adding an Elasticsearch database as a data source
Adding an Elasticsearch database as a data source

 

Once the Elasticsearch database has been connected, select the query method and enter the path. We added the following path: /latest/meta-data/iam/security-credentials/. Leave the Body blank.

Adding the path
Adding the path

 

When this query is run, it returns the temporary security credentials for your AWS role.

AWS security credentials
AWS security credentials

Impact

While a post-authentication SSRF is not new, it can have significant impact since Appsmith offers a cloud version of their software hosted on AWS. Also, Appsmith does not have a signup restriction in the default installation. So if an Appsmith instance is exposed to the internet, anyone can signup and have access to the vulnerable functionality that has this SSRF vulnerability.

In this case, the SSRF vulnerabilities can be exploited to the AWS metadata IP address and obtain temporary security credentials to the cloud environment of self-hosted Appsmith.

This can have large-scale impact, given that over a 1000 Appsmith instances are exposed on the internet:

Mitigation

Responsible Disclosure

CloudSEK submitted this vulnerability to Appsmith via their well-defined vulnerability disclosure process. Subsequently, the Appsmith team fixed this issue in their next release. Appsmith versions 1.7.12 and above do not have this vulnerability.

Timeline

Timeline for this disclosure process can be found below:

  • 05 Aug 2022: Disclosure of first SSRF to Appsmith
  • 05 Aug 2022: Initial response from Appsmith with acknowledgement for the vulnerability
  • 06 Aug 2022: Disclosure of second SSRF to Appsmith
  • 08 Aug 2022: Response from Appsmith with acknowledgement for the second vulnerability
  • 09 Aug 2022: Appsmith releases patch for both the vulnerabilities.
  • 10 Aug 2022: We filed for the CVE
  • 13 Sep 2022: CVE ID assigned by cve.org

References