EIQ-2018-0018

ID

EIQ-2018-0018

(Former ref.: 25752, 25753)

CVE

-

Description

Incoming feed with HTTP download could give access to internal components

Date

-

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ 2.6.0

Assessment

An incoming feed using the HTTP download transport type can access internal components.

A signed-in platform user with admin access rights could use server-side request forgery (SSRF) to probe the internal network, and to search for open ports that HTTP services listen on.

For example, a user could set the transport configuration URL to http://localhost:9001/index.html?processname=platform-api&action=stop to reach the platform-api component and stop it when the incoming feed task runs.

Mitigation

Possible workarounds to mitigate the issue:

  • Require authentication on the Supervisor HTTP interface.

  • From release 2.5.0, systemd replaces Supervisor in the platform. This reduces the attack surface.

  • From release 2.5.0, a new field in the platform_settings.py configuration file lets you blacklist subnet IP ranges.

You can edit the default values as necessary to suit your environment.

Default values:

USER_CIDR_BLACKLIST = [
    '192.168.0.0/16',
    '172.16.0.0/12',
    '169.254.0.0/16',
    '10.0.0.0/8',
    '127.0.0.0/8',
]
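As an added example (not EclecticIQ platform code), the following Python check applies a CIDR blacklist like the one above to an incoming-feed download URL before any fetch is made. The name table, the resolver functions, check_feed_url and the example hostnames are assumptions constructed for this illustration; only the USER_CIDR_BLACKLIST values come from the advisory.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Default values as listed in the advisory's platform_settings.py snippet.
USER_CIDR_BLACKLIST = [
    '192.168.0.0/16', '172.16.0.0/12', '169.254.0.0/16', '10.0.0.0/8', '127.0.0.0/8',
]
BLOCKED_NETWORKS = [ipaddress.ip_network(cidr) for cidr in USER_CIDR_BLACKLIST]
# Constructed name table so the check runs offline; a deployment passes resolve_with_dns().
CONSTRUCTED_DNS = {
    'localhost': ['127.0.0.1'],
    'feed.example.com': ['203.0.113.10'],
    'split.example.com': ['203.0.113.10', '10.0.0.5'],  # public + internal record
}

def resolve_constructed(host):
    if host not in CONSTRUCTED_DNS:
        raise OSError('unknown host %s' % host)
    return CONSTRUCTED_DNS[host]

def resolve_with_dns(host):
    # Every address the name resolves to, not just the first one.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_feed_url(url, resolve=resolve_constructed):
    """Return (allowed, reason). Rejects non-HTTP(S) URLs and any host whose
    resolved addresses include one inside a blacklisted range."""
    parts = urlsplit(url)
    if parts.scheme not in ('http', 'https'):
        return False, 'scheme %r not allowed' % parts.scheme
    host = parts.hostname
    if not host:
        return False, 'URL has no host'
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, 'cannot resolve %s: %s' % (host, exc)
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
        for net in BLOCKED_NETWORKS:
            if ip in net:
                return False, '%s -> %s is inside blacklisted %s' % (host, ip, net)
    return True, 'ok'
```

The default list contains only IPv4 ranges, so an IPv6 loopback target such as [::1] passes this check unless '::1/128' and the other IPv6 local ranges are added; the fetcher should also connect to the address that was vetted rather than re-resolving the name, otherwise a record that changes between check and fetch bypasses the list.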

Affected versions

2.3.0 to 2.5.0 included.

Notes

-