Headline
Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software
Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems. The vulnerabilities, tracked as CVE-2023-37265 and CVE-2023-37266, both carry a CVSS score of 9.8 out of a maximum of 10. Sonar security researcher Thomas Chauchefoin, who discovered the bugs,
Vulnerability / Cyber Threat
Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems.
The vulnerabilities, tracked as CVE-2023-37265 and CVE-2023-37266, both carry a CVSS score of 9.8 out of a maximum of 10.
Sonar security researcher Thomas Chauchefoin, who discovered the bugs, said they “allow attackers to get around authentication requirements and gain full access to the CasaOS dashboard.”
Even more troublingly, CasaOS’ support for third-party applications could be weaponized to run arbitrary commands on the system to gain persistent access to the device or pivot into internal networks.
Following responsible disclosure on July 3, 2023, the flaws were addressed in version 0.4.4 released by its maintainers IceWhale on July 14, 2023.
A brief description of the two flaws is as follows -
- CVE-2023-37265 - Incorrect identification of the source IP address, allowing unauthenticated attackers to execute arbitrary commands as root on CasaOS instances
- CVE-2023-37265 - Unauthenticated attackers can craft arbitrary JSON Web Tokens (JWTs) and access features that require authentication and execute arbitrary commands as root on CasaOS instances
A consequence of successful exploitation of the aforementioned flaws could allow attackers to get around authentication restrictions and gain administrative privileges on vulnerable CasaOS instances.
“In general, identifying IP addresses at the application layer is risk-prone and shouldn’t be relied on for security decisions,” Chauchefoin said.
“Many different headers may transport this information (X-Forwarded-For, Forwarded, etc.), and the language APIs sometimes need to interpret nuances of the HTTP protocol the same way. Similarly, all frameworks have their own quirks and can be tricky to navigate without expert knowledge of these common security footguns.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit `705bf1f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
### Impact Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. ### Patches The problem was addressed by improving the validation of JWTs in 705bf1f. This patch is part of CasaOS 0.4.4. ### Workarounds Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly. ### References - 705bf1f
### Impact Unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. ### Patches The problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4. ### Workarounds Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly. ### References - 391dd7f