RCE vulnerabilities in open source software Cachet could put users at risk
Patches released for status page management system flaws
Multiple security vulnerabilities in open source status page system Cachet could allow an attacker to execute arbitrary code and steal sensitive data, researchers have warned.
Cachet is a project that lets users list service components, report incidents, and customize the look of their status page, among other features.
The first bug (CVE-2021-39172) is a newline injection that is triggered when users update an instance’s configuration, such as the email settings.
It allows attackers to inject new directives and to alter the behavior of core features, ultimately leading to the execution of arbitrary code.
A second vulnerability (CVE-2021-39174) is also related to this feature, and allows attackers to exfiltrate secrets that are stored in the configuration file – for example, database passwords and framework keys.
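To make the newline-injection pattern described above concrete, here is an added illustration (not Cachet's code, and not the researchers' proof of concept) of a dotenv-style configuration writer in its naive and hardened forms, with a small reader to show how an injected line break becomes an extra directive. The file contents, key names and the `is_safe_value` helper are constructed for this example.

```python
import re

# Constructed sample of a dotenv-style configuration file. The keys are
# hypothetical placeholders, not Cachet's real settings.
SAMPLE_ENV = "APP_KEY=placeholder\nMAIL_HOST=smtp.example.invalid\nMAIL_PORT=25\n"

# A value can be written as a single directive only if it cannot start a new line.
_VALUE_OK = re.compile(r"\A[^\r\n\x00]*\Z")
_KEY_OK = re.compile(r"\A[A-Z][A-Z0-9_]*\Z")

def is_safe_value(value: str) -> bool:
    return _VALUE_OK.match(value) is not None

def _drop_key(env_text: str, key: str) -> list:
    """Return the existing lines with any previous definition of key removed."""
    return [line for line in env_text.splitlines() if not line.startswith(key + "=")]

def write_setting_unsafe(env_text: str, key: str, value: str) -> str:
    """Naive writer: interpolates the value as-is. A value containing a line
    break therefore adds extra directives (the newline injection pattern)."""
    return "\n".join(_drop_key(env_text, key) + [f"{key}={value}"]) + "\n"

def write_setting_safe(env_text: str, key: str, value: str) -> str:
    """Hardened writer: validates the key, rejects line breaks and NUL in the
    value, and double-quotes it so it is read back as one token."""
    if not _KEY_OK.match(key):
        raise ValueError("invalid key")
    if not is_safe_value(value):
        raise ValueError("value must not contain line breaks or NUL")
    quoted = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return "\n".join(_drop_key(env_text, key) + [f"{key}={quoted}"]) + "\n"

def parse_env(env_text: str) -> dict:
    """Minimal dotenv reader: KEY=value per line, later lines override earlier
    ones, double-quoted values are unquoted."""
    out = {}
    for line in env_text.splitlines():
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        out[key.strip()] = val
    return out
```

Reading the file back with `parse_env` after each writer shows the difference: the naive writer lets a single setting update introduce a directive the operator never defined, while the hardened one refuses the value before it reaches disk.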
Finally, the last bug (CVE-2021-39173) is “much simpler” according to researchers, and allows an attacker to change the setup process even if the target instance is already fully configured.
“That way, attackers can trick the Cachet instance into using an arbitrary database under their control, ultimately leading to arbitrary code execution,” the researchers wrote.
The one caveat is that exploiting the vulnerabilities requires the attacker to already have access to a user account with basic privileges.
This, however, is easy to obtain, argues SonarSource, either by using credential stuffing, “thanks to the considerable amount of accounts leaked every year”, a compromised or malicious user, the presence of a cross-site scripting (XSS) vulnerability on the same perimeter, or by exploiting a pre-authenticated SQL injection (CVE-2021-39165) in Cachet which was fixed in January 2021.
SonarSource researcher Thomas Chauchefoin told The Daily Swig: “Once the prerequisites are met, e.g. by exploiting vulnerabilities like CVE-2021-39165 or getting access to a user account with any level of privileges, our findings are very straightforward to exploit.
“They only require one request, and this can be easily automated.”
The vulnerabilities have since been patched, though Chauchefoin told The Daily Swig that the disclosure process was not smooth sailing.
Chauchefoin said that the team tried to contact the maintainers during a 90-day disclosure period, without success. “The upstream project appears to be abandoned,” he said.
“Rather than immediately disclosing the details to the public, we reached out to the most active community fork (maintained by the UK company FiveAI) and suggested patches.
“They merged it and quickly published a new release.”
Patches for the vulnerabilities are available in release 2.5.1 of the FiveAI fork, while more technical details can be found on the SonarSource blog.