API security exploits of the week of January 17th, 2022. F5, NGINX, Juniper, Istio, and Grafana API vulnerabilities.
The last seven days were really rich in API exploits. It's not often that a dozen API issues in top security products show up in the same week. Let's look at what's there!
1. F5 BIG-IP ASM and Advanced WAF REST API endpoint vulnerability. CVE-2022-23026
This issue looks minor, but it can potentially cause an entire device shutdown (meaning a network blackout), as described in the official advisory:
An authenticated user with low privileges, such as a guest, may exploit this vulnerability to increase disk utilization, which may cause the Configuration utility to fail to function as expected. There is no data plane exposure; this is a control plane issue only.
2. NGINX Controller API Management Remote Code Execution. CVE-2022-23008
This one is dangerous since it's a server-side JavaScript injection. The issue can be used to steal local data such as SSL certificate keys and to run arbitrary code with NGINX process privileges.
An authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. (CVE-2022-23008)
Successful exploitation allows an attacker to read and/or write files on the NGINX data plane instance. The access to files is limited to the user running the NGINX process, typically the nginx user.
3. Istio Privilege Escalation in Kubernetes Gateway API
Istio versions 1.12.0 and 1.12.1 are vulnerable to a privilege escalation attack. Users who have CREATE permission for gateways.gateway.networking.k8s.io objects can escalate this privilege to create other resources that they may not have access to, such as Pod. This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable.
4. Istio Authorization Policy bypass for Host Rule
This issue is caused by an incorrect header value matching. Welcome to the host-based authentication world again!
The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1.
Istio 1.12 supports the hosts and notHosts fields in authorization policy with a new Envoy API shipped with the 1.12 data plane. A bug in 1.12.0 and 1.12.1 incorrectly uses the new Envoy API with the 1.11 data plane. This causes the hosts and notHosts fields to always match, regardless of the actual value of the host header, when a 1.12.0/1.12.1 control plane is mixed with a 1.11 data plane.
5. Juniper Contrail Service Orchestration: Tenants able to see other tenants' policies via REST API interface. CVE-2022-22152
This one is a typical access control implementation miss.
A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on another tenant's firewall configuration and access control policies, as well as other sensitive information, exposing the tenant to reduced defense against malicious attacks or exploitation via additional undetermined vulnerabilities.
6. Grafana Forward OAuth Identity Token auth bypass
When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user.
This can allow API token holders to retrieve data for which they may not have intended access.
7. GitLab GraphQL API auth bypass for pipeline security reports
This issue is just awesome. The two fields of the Pipeline object, securityReportFindings and securityReportSummary, are not protected by ACL and are available to any user, including unauthenticated ones.
An exploit is as simple as a GraphQL query for these fields:
curl 'https://gitlab.com/api/graphql' \
-H 'authority: gitlab.com' \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--data-raw '{"query":"query {\n project(fullPath: \"gitlab-org/gitlab\") {\n id\n pipeline(iid: 1031272) {\n id\n \n securityReportFindings{\n nodes {\n name\n }\n }\n \n securityReportSummary {\n dependencyScanning {\n scannedResourcesCount\n }\n }\n }\n }\n}","variables":{},"operationName":null}' \
--compressed
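The fix for this class of bug is a permission check on the specific fields, not only on the parent object. The following is an added example, not GitLab's code: a minimal resolver with constructed project, user and pipeline data, where `enforce_acl=False` reproduces the vulnerable behaviour and the default applies the field-level check.

```python
"""Field-level authorization for the Pipeline security report fields.

Added example, not GitLab code: models the fix for the GraphQL issue above.
All project, user and pipeline data below is constructed for the demo.
"""

# A public project whose pipeline carries findings only developers may read.
PROJECT_MEMBERS = {"gitlab-org/gitlab": {"alice": "developer"}}
PIPELINES = {
    ("gitlab-org/gitlab", 1031272): {
        "id": "gid://gitlab/Ci::Pipeline/1031272",
        "securityReportFindings": [{"name": "example-finding-in-libfoo"}],
        "securityReportSummary": {"dependencyScanning": {"scannedResourcesCount": 42}},
    }
}

# Fields that need an explicit permission check; other Pipeline fields of a
# public project are readable by anyone, which is fine.
PROTECTED_FIELDS = {"securityReportFindings", "securityReportSummary"}


def can_read_security_reports(user, full_path):
    """Developer-or-above membership grants access; anonymous never gets it."""
    if user is None:
        return False
    role = PROJECT_MEMBERS.get(full_path, {}).get(user)
    return role in {"developer", "maintainer", "owner"}


def resolve_pipeline(user, full_path, iid, requested_fields, enforce_acl=True):
    """Resolve Pipeline fields for `user` (None means unauthenticated).

    enforce_acl=False reproduces the vulnerable behaviour: protected fields
    go to anyone. With the default, a protected field resolves to None (the
    usual GraphQL 'not authorized' result) unless the caller is allowed.
    """
    pipeline = PIPELINES.get((full_path, iid))
    if pipeline is None:
        return None
    allowed = can_read_security_reports(user, full_path)
    result = {}
    for name in requested_fields:
        if name not in pipeline:
            continue  # unknown field; a real server would reject the query
        if enforce_acl and name in PROTECTED_FIELDS and not allowed:
            result[name] = None
        else:
            result[name] = pipeline[name]
    return result
```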
8. Apache Dubbo Remote Code Execution
Dubbo is probably not the most famous Apache project, but it's growing. It's an open-source, Java-based RPC framework.
The exploit that was found is a deserialization issue combined with a gadget chain that turns it into remote code execution.
9. Insufficient Session Expiration in Pterodactyl API
Pterodactyl is an open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users. The issue found lets an attacker who holds a compromised API key keep a user session alive after that key has been revoked.
A vulnerability exists in Pterodactyl Panel <= 1.6.6 that could allow a malicious attacker that compromises an API key to generate an authenticated user session that is not revoked when the API key is deleted, thus allowing the malicious user to remain logged in as the user the key belonged to.
It is important to note that a malicious user must first compromise an existing API key for a user to exploit this issue. It cannot be exploited by chance, and requires a coordinated attack against an individual account using a known API key.
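The root cause above is a session that carries no link back to the credential that created it. The following is an added example, not Pterodactyl's code: a toy session store with constructed key and session ids, where `bind_sessions_to_keys=False` reproduces the vulnerable behaviour and the default ties each session to its API key so that deleting the key also ends the session.

```python
"""Revoke API-key-derived sessions when the key is deleted (added example,
not Pterodactyl's code). Sessions minted from an API key carry the key id,
so deleting the key kills those sessions too. All ids are constructed."""
import secrets
import time


class SessionStore:
    def __init__(self, bind_sessions_to_keys=True):
        # False reproduces the vulnerable behaviour: sessions outlive their key.
        self.bind = bind_sessions_to_keys
        self.api_keys = {}  # key_id -> owning username
        self.sessions = {}  # session_id -> {"user", "key_id", "expires"}

    def create_api_key(self, user):
        key_id = "key_" + secrets.token_hex(8)  # constructed key format
        self.api_keys[key_id] = user
        return key_id

    def login_with_api_key(self, key_id, ttl=3600):
        """Exchange a valid API key for a browser-style session id."""
        user = self.api_keys.get(key_id)
        if user is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {
            "user": user,
            "key_id": key_id if self.bind else None,
            "expires": time.time() + ttl,
        }
        return sid

    def delete_api_key(self, key_id):
        self.api_keys.pop(key_id, None)
        # Fixed behaviour: purge every session derived from this key.
        for sid in [s for s, v in self.sessions.items() if v["key_id"] == key_id]:
            del self.sessions[sid]

    def session_user(self, sid):
        """Return the logged-in user, or None if the session is no longer valid."""
        s = self.sessions.get(sid)
        if s is None or s["expires"] < time.time():
            self.sessions.pop(sid, None)
            return None
        # Defence in depth: a bound session whose key vanished is dead too.
        if s["key_id"] is not None and s["key_id"] not in self.api_keys:
            del self.sessions[sid]
            return None
        return s["user"]
```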
10. StarWind REST API read-only to administration privileges escalation. CVE-2022-23858
We don't know much about the issue, but it looks like broken authorization on one or more REST API endpoints that allows any user to elevate their privileges to admin.
Any logged user with read-only rights can elevate privileges up to the administrator through REST API.