Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software

Oct 17, 2023NewsroomVulnerability / Cyber Threat

Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems.

The vulnerabilities, tracked as CVE-2023-37265 and CVE-2023-37266, both carry a CVSS score of 9.8 out of a maximum of 10.

Sonar security researcher Thomas Chauchefoin, who discovered the bugs, said they “allow attackers to get around authentication requirements and gain full access to the CasaOS dashboard.”

Cybersecurity

Even more troublingly, CasaOS’ support for third-party applications could be weaponized to run arbitrary commands on the system to gain persistent access to the device or pivot into internal networks.

Following responsible disclosure on July 3, 2023, the flaws were addressed in version 0.4.4 released by its maintainers IceWhale on July 14, 2023.

A brief description of the two flaws is as follows –

  • CVE-2023-37265 – Incorrect identification of the source IP address, allowing unauthenticated attackers to execute arbitrary commands as root on CasaOS instances
  • CVE-2023-37265 – Unauthenticated attackers can craft arbitrary JSON Web Tokens (JWTs) and access features that require authentication and execute arbitrary commands as root on CasaOS instances

A consequence of successful exploitation of the aforementioned flaws could allow attackers to get around authentication restrictions and gain administrative privileges on vulnerable CasaOS instances.

Cybersecurity

“In general, identifying IP addresses at the application layer is risk-prone and shouldn’t be relied on for security decisions,” Chauchefoin said.

“Many different headers may transport this information (X-Forwarded-For, Forwarded, etc.), and the language APIs sometimes need to interpret nuances of the HTTP protocol the same way. Similarly, all frameworks have their own quirks and can be tricky to navigate without expert knowledge of these common security footguns.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Cyber Security

Articles You May Like

Xbox Exclusives Pentiment, Grounded, Hi-Fi Rush, Sea of Thieves Coming to PlayStation and Nintendo Switch
Infinix Hot 40i With 32-Megapixel Selfie Camera, 5,000mAh Battery Launched in India: Price, Specifications
Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative
Alibaba bets on overseas e-commerce unit amid sluggish growth in China
Lava Teases New Phone in India, Could be Blaze Curve 5G; Launch Timeline, Design, Key Details Leaked

Leave a Reply

Your email address will not be published. Required fields are marked *