Appsmith Patches Full-Read SSRF Vulnerabilities Reported by CloudSEK
Authors : Sparsh Kulshrestha and Shashank Bharthwal
Editor : Deepanjli Paulraj
THREAT | IMPACT | MITIGATION
---|---|---
CloudSEK ASM discovered post-authentication full-read SSRF (Server-Side Request Forgery) vulnerabilities in Appsmith’s REST Client (CVE-2022-38298) and Elasticsearch data source (CVE-2022-38299). | The SSRF vulnerabilities can be exploited to reach the AWS/GCP metadata services and obtain temporary security credentials for the Appsmith cloud environment. | Upgrade to Appsmith 1.7.12 or later, which fixes both issues.
In August 2022 CloudSEK ASM, which monitors our customers’ attack surfaces, discovered several internet-exposed instances of Appsmith. Given that the instances were externally exposed, CloudSEK security researchers explored them for possible pre- and post-authentication vulnerabilities.
Since Appsmith does not restrict signup in the default installation, we focused on its post-authentication functionality, where we discovered Server-Side Request Forgery (SSRF) vulnerabilities in its REST API plugin (CVE-2022-38298) and its Elasticsearch data source (CVE-2022-38299).
SSRF vulnerabilities of this kind can be exploited to reach the internal AWS/GCP instance metadata service. Since Appsmith offers a cloud version of its software hosted on AWS, these SSRF vulnerabilities can have a high impact.
Appsmith is an open-source low-code tool that helps developers build dashboards and admin panels very quickly. It’s a platform that helps businesses build any custom internal application within hours.
Appsmith dashboards and panels can be set up in 4 steps:
One of Appsmith’s post-authentication functionalities allows users to connect to data sources using REST APIs. Appsmith’s REST Client can be used to invoke a REST service API to create and execute queries. It handles GET, POST, PUT, and PATCH requests, and users can also specify headers, for example for authentication.
On replacing the API URL with a Burp Collaborator payload, we received an HTTP pingback immediately. However, when we tried to access the internal AWS metadata endpoint, we received a “Host not allowed” error.
Since Appsmith is open source, we reviewed the code for this functionality and found a blacklist-based check that restricts users from accessing AWS metadata hosts.
private static final Set<String> DISALLOWED_HOSTS = Set.of(
List of Disallowed Domains

final String host = uri.getHost();
Condition to validate hostname
To bypass the SSRF blacklist, we set up a redirection server: Appsmith is pointed at a decoy URL that is not on the blacklist, and the server redirects that request to the blacklisted host.
Concretely, we hosted a PHP redirect script on our VPS that redirects incoming requests to the AWS internal metadata endpoint. Because the blacklist checks only the hostname of the initial URL and the client follows the redirect, this was enough to exploit the SSRF vulnerability. The following redirect.php file was hosted on our VPS:
<?php
Redirect.php file content
Then we made a request to the above file from the Appsmith REST API and in response, we received the metadata from the AWS/GCP cloud.
One of Appsmith’s post-authentication functionalities allows users to connect to Elasticsearch databases as data sources.
Once the Elasticsearch data source has been connected, select the query method and enter the path. We used the following path: /latest/meta-data/iam/security-credentials/, leaving the Body blank.
When this query is run, it returns the temporary security credentials for the AWS role attached to the Appsmith instance.
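Both findings above, the redirect bypass of the REST Client’s hostname blacklist and an Elasticsearch data source whose user-supplied host reaches the metadata service, share one root cause: the check looks at the hostname string of the first URL only. The following is an added example written for this article, not Appsmith’s code or its fix; the class and method names are assumptions. It validates the address each hop actually resolves to and re-validates every redirect before following it.

```java
import java.net.*;
import java.net.http.*;
import java.util.Set;

// Added example (not Appsmith's code): block outbound requests by resolved address, re-check every hop.
public final class SafeOutboundRequest {
    private static final int MAX_REDIRECTS = 3;
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // True only if every address the host resolves to is public. A DNS name or redirect pointing at
    // 169.254.169.254 fails here even though that literal never appears in the user-supplied URL.
    static boolean isAllowedTarget(URI uri) {
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase();
        if (!ALLOWED_SCHEMES.contains(scheme) || uri.getHost() == null) return false;
        try {
            for (InetAddress addr : InetAddress.getAllByName(uri.getHost())) {
                if (addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                        || addr.isSiteLocalAddress() || addr.isAnyLocalAddress()
                        || addr.isMulticastAddress()) {
                    return false;
                }
            }
            return true;
        } catch (UnknownHostException e) {
            return false;
        }
    }

    // The client never follows redirects on its own: each Location header is validated with
    // isAllowedTarget before the next hop is sent, which closes the redirect-based bypass.
    static HttpResponse<String> fetch(String url) throws Exception {
        HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER).build();
        URI target = URI.create(url);
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            if (!isAllowedTarget(target)) {
                throw new SecurityException("Host not allowed: " + target.getHost());
            }
            HttpResponse<String> resp = client.send(HttpRequest.newBuilder(target).GET().build(),
                    HttpResponse.BodyHandlers.ofString());
            if (resp.statusCode() < 300 || resp.statusCode() > 399) return resp;
            String location = resp.headers().firstValue("Location")
                    .orElseThrow(() -> new SecurityException("Redirect without Location header"));
            target = target.resolve(location); // a relative Location is resolved against the current hop
        }
        throw new SecurityException("Too many redirects");
    }
}
```

The check and the connection resolve the name separately, so a DNS name that changes its answer between the two lookups can still slip through; pinning the resolved address at the connection layer closes that gap. The JDK helpers used here also do not flag IPv6 unique-local (fc00::/7) or 100.64.0.0/10 addresses, so add explicit CIDR checks for the ranges used in your environment.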
While a post-authentication SSRF is not new, it can have significant impact here because Appsmith offers a cloud version of its software hosted on AWS. Also, Appsmith does not restrict signup in the default installation, so if an Appsmith instance is exposed to the internet, anyone can sign up and reach the vulnerable functionality.
In this case, the SSRF vulnerabilities can be exploited to reach the AWS metadata IP address and obtain temporary security credentials for the cloud environment of a self-hosted Appsmith instance.
This can have large-scale impact, given that over 1,000 Appsmith instances are exposed on the internet.
CloudSEK submitted this vulnerability to Appsmith via their well-defined vulnerability disclosure process. Subsequently, the Appsmith team fixed this issue in their next release. Appsmith versions 1.7.12 and above do not have this vulnerability.
Timeline for this disclosure process can be found below: