CVE-2022-24112 - Apache APISIX Batch-Requests Plugin IP Restriction Bypass and Potential Remote Code Execution

A recently discovered vulnerability, CVE-2022-24112, affects the Apache APISIX platform, which could allow an attacker to bypass the IP restriction in the batch-requests plugin. This post presents an in-depth look at the vulnerability, code snippet, related references, and potential exploit details.

Details

In Apache APISIX, a powerful and dynamic cloud-native API gateway, the batch-requests plugin allows for processing multiple requests at once. It is possible for an attacker to send requests using this plugin to bypass the IP restriction of the Admin API. Consequently, a default configuration of Apache APISIX, which utilizes the default API key, could be susceptible to remote code execution.

The impact of this vulnerability may be reduced when an administrator modifies the default configuration, such as changing the admin key or altering the port number for the Admin API to be different from the data panel. Nevertheless, there is still a risk of bypassing Apache APISIX's data panel IP restriction.

The batch-requests plugin contains a check that modifies the client IP according to its actual remote IP. However, a flaw in the plugin's code enables an attacker to bypass this check. The following code snippet showcases this issue:

local function get_real_client_ip(ctx)
    [...]
    local ip = ctx.var["x-real-ip"]  -- use the "x-real-ip" header
    if not ip then
        ip = ctx.var["remote_addr"]  -- fallback to the client's IP address
    end
    return ip
end

This code is meant to obtain the real client IP address to be used for verification and security purposes. Unfortunately, the use of the "x-real-ip" header can be manipulated by a malicious user to bypass the IP filtering mechanism.

Original References

1. Apache APISIX GitHub Repository: https://github.com/apache/apisix
2. Apache APISIX Batch-Request Plugin: https://apisix.apache.org/docs/apisix/plugins/batch-requests

Exploit Details

An attacker can potentially bypass the IP restriction by sending a crafted HTTP POST request with malicious input in the "x-real-ip" header. This may lead to unauthorized access to the Admin API, potentially resulting in remote code execution. An example of such a request is shown below:

POST /batch-requests HTTP/1.1
Host: <target_apache_apisix_host>
x-real-ip: <attacker_ip_whitelisted_in_admin_api_ip_restrictions>
Content-Type: application/json

{
   "requests":[
      {
         "path":"/apisix/admin/routes",
         "method":"POST",
         "body": "<malicious_payload>"
      }
   ]
}

This crafted HTTP request could allow the attacker to create a new route and execute malicious code on the server.

Make sure that IP restrictions in the Apache APISIX data panel are configured securely.

By staying vigilant and following best practices, system administrators can protect Apache APISIX installations from this CVE-2022-24112 vulnerability.

Timeline

Published on: 02/11/2022 13:15:00 UTC
Last modified on: 05/11/2022 14:58:00 UTC