Oxeye says it has uncovered two critical security vulnerabilities and is recommending immediate action be taken to mitigate risk.
The vulnerabilities were discovered by the Oxeye AppSec Platform in Owncast (CVE-2023-3188) and EaseProbe (CVE-2023-33967), two open-source platforms written in Go.
The Oxeye AppSec Platform combines the functions of SAST, DAST and SCA into one tool to filter out vulnerabilities that cannot be exploited in modern distributed applications.
Oxeye identifies all vulnerabilities, including those that cross microservices, then help AppSec & dev teams focus on critical vulnerabilities by finding and determining which vulnerable open source and third-party packages are loaded and used and filtering out those that are not; filtering vulnerabilities that cannot be accessed from the Internet (directly or indirectly); Refining further by adding infrastructure configuration data, and performing active validation by fuzzing the exploitable APIs.
Owncast Vulnerability
The first vulnerability was discovered in Owncast, an open-source, self-hosted, decentralized, single-user live video streaming and chat server written in Go. The vulnerability, labeled as an Unauthenticated Blind Server-Side Request Forgery (SSRF), could potentially allow unauthenticated attackers to exploit the Owncast server by forcing the Owncast server to send HTTP requests to arbitrary locations using the GET HTTP method. This vulnerability also allows the attacker to send the requests while specifying arbitrary URL paths and query parameters. The Owncast vulnerability has a high CNA CVSS severity rating of 8.3/10 and was identified during an extensive analysis conducted by Oxeye Security’s in-house custom SAST (Static Application Security Testing) solution for compiled Golang applications.
Upon examination, the security researchers at Oxeye Security determined that the Owncast server is susceptible to an unauthenticated SSRF attack, enabling malicious actors to force the server to send HTTP requests to arbitrary locations using the GET HTTP method. Additionally, attackers can manipulate the requests by specifying arbitrary URL paths and query parameters.
The vulnerable code resides within the GetWebfingerLinks function of Owncast, specifically in the following location: https://github.com/owncast/owncast/commit/f40135dbf28093864482f9662c23e478ea192b16 . As per the code analysis, user-controlled input passed through the “account” parameter is parsed as a URL, and subsequently, an HTTP request is issued to the specified host on line 32.
To address this critical SSRF vulnerability, Oxeye Security recommends the following remediation steps:
- Prohibit the HTTP client utilized by Owncast from following HTTP redirections to mitigate the potential exploitation of SSRF attacks.
- Implement restrictions to allow only authenticated users to trigger the vulnerable endpoint, thereby minimizing the risk of unauthorized access.
Oxeye Security has been proactive in reaching out to the Owncast development team and providing them with detailed information regarding the vulnerability and recommended remediation steps. Together with Owncast, Oxeye Security aims to ensure the prompt resolution of this security issue to safeguard the Owncast community and its users.
EaseProbe Vulnerability
Oxeye has also recently discovered multiple SQL-injection vulnerabilities in EaseProbe, a lightweight and standalone health/status checking tool written in Go. The vulnerabilities, categorized as Config-Based SQL-Injection, expose potential security risks for users of EaseProbe with a Critical NIST CVSS Security Score of 9.8/10. The vulnerable code is located in the MySQL / Postgres database client code:
- https://github.com/megaease/easeprobe/blob/main/probe/client/mysql/mysql.go#L174
- https://github.com/megaease/easeprobe/blob/main/probe/client/postgres/postgres.go#L203
During an extensive evaluation utilizing Oxeye Security’s in-house custom SAST (Static Application Security Testing) solution for compiled Golang applications, the security researchers identified significant vulnerabilities in EaseProbe. These vulnerabilities can be exploited by attackers who have control over the EaseProbe configuration, enabling them to read, delete, or modify all information stored in the databases configured for health checking. In certain circumstances, depending on the user privileges and the database engine, the attacker may also execute arbitrary system commands on the server hosting the database. The vulnerable code is located within the MySQL and Postgres database client code of EaseProbe.
By analyzing the EaseProbe configuration file, Oxeye Security demonstrated a practical exploitation scenario on a Postgres database. The attacker injects a malicious command “ls” to execute arbitrary system commands. The vulnerable database query is unsafely formatted with user-provided data, leading to the successful execution of the injected command.
To mitigate the risks associated with SQL-injection attacks, Oxeye Security recommends the following remediation measures:
– Properly sanitize all user input to prevent SQL-injection vulnerabilities. This can be achieved by implementing techniques such as prepared statements and parameterized queries, which treat user-provided input as values instead of executable code. If injection occurs in a query part that cannot be parameterized, strictly validate user input, considering the use of regular expressions or other appropriate methods.
– Ensure the application is regularly updated and patched to address any known vulnerabilities, as this can effectively mitigate the risk of exploitation.
Oxeye Security has taken immediate action by notifying the developers of EaseProbe about the discovered vulnerabilities. By collaborating with the EaseProbe team, Oxeye Security aims to expedite the resolution of these security issues to protect EaseProbe users from potential threats. Note: This problem has been fixed in EaseProbe v2.1.0.