Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software

Cyber Security

Oct 17, 2023NewsroomVulnerability / Cyber Threat

Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems.

The vulnerabilities, tracked as CVE-2023-37265 and CVE-2023-37266, both carry a CVSS score of 9.8 out of a maximum of 10.

Sonar security researcher Thomas Chauchefoin, who discovered the bugs, said they “allow attackers to get around authentication requirements and gain full access to the CasaOS dashboard.”

Cybersecurity

Even more troublingly, CasaOS’ support for third-party applications could be weaponized to run arbitrary commands on the system to gain persistent access to the device or pivot into internal networks.

Following responsible disclosure on July 3, 2023, the flaws were addressed in version 0.4.4 released by its maintainers IceWhale on July 14, 2023.

A brief description of the two flaws is as follows –

  • CVE-2023-37265 – Incorrect identification of the source IP address, allowing unauthenticated attackers to execute arbitrary commands as root on CasaOS instances
  • CVE-2023-37265 – Unauthenticated attackers can craft arbitrary JSON Web Tokens (JWTs) and access features that require authentication and execute arbitrary commands as root on CasaOS instances

A consequence of successful exploitation of the aforementioned flaws could allow attackers to get around authentication restrictions and gain administrative privileges on vulnerable CasaOS instances.

Cybersecurity

“In general, identifying IP addresses at the application layer is risk-prone and shouldn’t be relied on for security decisions,” Chauchefoin said.

“Many different headers may transport this information (X-Forwarded-For, Forwarded, etc.), and the language APIs sometimes need to interpret nuances of the HTTP protocol the same way. Similarly, all frameworks have their own quirks and can be tricky to navigate without expert knowledge of these common security footguns.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Humane AI Pin Could Launch in India Soon, Suggests Co-Founder Imran Chaudhri: Report
FBI Warns U.S. Healthcare Sector of Targeted BlackCat Ransomware Attacks
New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users
How Cybercriminals are Exploiting India’s UPI for Money Laundering Operations
Threads Saved Posts Feature Begins Rolling Out to Several Users After Weeks of Testing: How it Works

Leave a Reply

Your email address will not be published. Required fields are marked *