Fixes released for flaws in the status page management system
Multiple security vulnerabilities in the open source Cachet status page system could allow an attacker to execute arbitrary code and steal sensitive data, the researchers warned.
Cachet is a project that allows users to perform tasks such as listing service components, reporting incidents, and customizing the appearance of their status page, among other features.
However, three vulnerabilities in the software, discovered by researchers at SonarSource, could expose its users to a remote takeover.
The first bug (CVE-2021-39172) is a newline injection that is triggered when users update an instance’s configuration, such as mail settings.
It allows attackers to inject new directives and modify the behavior of core features, ultimately leading to the execution of arbitrary code.
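To show the bug class the article describes, here is an added example that is not part of the article or of Cachet's own code: a vulnerable settings writer for a dotenv-style KEY=VALUE file (the file format, the setting names and the hostile input are constructed assumptions) beside a hardened one that rejects line terminators and unknown keys.

```python
import re

# Constructed sample: a minimal KEY=VALUE config, standing in for the
# configuration file the Cachet mail-settings form rewrites (format assumed).
CONFIG = {"MAIL_HOST": "smtp.example.test", "MAIL_PORT": "587"}

KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
CONTROL_CHARS = ("\r", "\n", "\0")


def render(config):
    """Serialise the config as one KEY=VALUE directive per line."""
    return "".join(f"{k}={v}\n" for k, v in config.items())


def parse(text):
    """Read KEY=VALUE lines back; this is the consumer side of the file."""
    out = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def naive_set(config, key, value):
    """Vulnerable writer: stores the submitted value verbatim, so a value
    containing a newline becomes one directive plus whatever follows it."""
    updated = dict(config)
    updated[key] = value
    return render(updated)


def is_safe_value(value):
    """Reject anything that could terminate the current line."""
    return not any(ch in value for ch in CONTROL_CHARS)


def safe_set(config, key, value):
    """Hardened writer: allow-listed existing key, no line terminators."""
    if not KEY_RE.match(key) or key not in config:
        raise ValueError(f"unknown setting {key!r}")
    if not is_safe_value(value):
        raise ValueError("line terminators are not allowed in settings")
    updated = dict(config)
    updated[key] = value
    return render(updated)


if __name__ == "__main__":
    hostile = "smtp.example.test\nINJECTED_SETTING=1"  # constructed input
    print(sorted(parse(naive_set(CONFIG, "MAIL_HOST", hostile))))
    try:
        safe_set(CONFIG, "MAIL_HOST", hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows the naive writer turning a single submitted value into an extra directive, while the hardened writer refuses the same input.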
A second vulnerability (CVE-2021-39174) is also related to this feature and allows attackers to exfiltrate secrets stored in the configuration file, for example database passwords and framework keys.
Finally, the last bug (CVE-2021-39173) is “much simpler” according to the researchers, and allows an attacker to modify the configuration process even if the target instance is already fully configured.
“In this way, attackers can trick the Cachet instance into using an arbitrary database under their control, ultimately leading to the execution of arbitrary code,” the researchers wrote.
The only caveat to successful exploitation is that the attacker must already have access to a user account with basic privileges.
This, however, is easily achieved, argues SonarSource, whether through credential stuffing “thanks to the sheer number of accounts disclosed each year”, a compromised or malicious user, the presence of a cross-site scripting (XSS) bug on the same perimeter, or by using a pre-authenticated SQL injection (CVE-2021-39165) in Cachet that was fixed in January 2021.
SonarSource researcher Thomas Chauchefoin told The Daily Swig: “Once the prerequisites are met, for example by exploiting vulnerabilities like CVE-2021-39165 or accessing a user account with any level of privilege, our results are very easy to exploit.
“They only require one request, and it can be easily automated.”
Cachet, far away
The vulnerabilities have since been addressed, although Chauchefoin told The Daily Swig that the disclosure process did not go smoothly.
Chauchefoin said the team attempted to contact those responsible for the project over a 90-day disclosure period, without success. “The upstream project seems to be abandoned,” he said.
“Rather than immediately disclosing the details to the public, we contacted the most active community fork (maintained by UK company FiveAI) and suggested fixes.
“They merged it and quickly released a new version.”
Fixes for the vulnerabilities are available in version 2.5.1 of the FiveAI fork, while more technical details are available on the SonarSource blog.