A security vulnerability, CVE-2022-39276, has been disclosed in *GLPI (Gestionnaire Libre de Parc Informatique)*. GLPI is a widely used free asset and IT management software package that also offers ITIL service desk features, license tracking, and software auditing. The flaw lies in how GLPI fetches RSS feeds and external calendar planning sources: an HTTP redirect returned by the remote server is followed without being checked, which exposes the system to SSRF (Server-Side Request Forgery).

In this post, we will discuss the details of this security flaw, possible exploit methods, and recommendations for mitigation. If you are currently using GLPI, we strongly advise you to read through this post and take immediate action to protect your system.

Vulnerability Details

The SSRF vulnerability exists in the way GLPI handles RSS feeds and external calendar planning. The URL an administrator or user submits is checked against the URL allow list defined by the administrator, but when the remote server answers with an HTTP redirect (a 3xx status with a Location header), the redirect target is not verified against that allow list before GLPI requests it. Only the first hop is validated. An attacker who controls an allow-listed (or otherwise accepted) external host can therefore redirect GLPI's request to any destination reachable from the GLPI server, such as loopback services, hosts on the internal network, or cloud metadata endpoints, and so access restricted internal resources or cause arbitrary HTTP requests to be made on the attacker's behalf.

Exploit Method

An attacker can exploit this vulnerability by standing up an external URL that passes the allow-list check and returns a redirect response whose Location header points at an internal resource. They then submit this URL to GLPI, either as an RSS feed or as an external calendar planning source. When GLPI processes the URL, it validates the submitted address, issues the request, and follows the redirect without re-validating the target, so the server-side request lands on the internal resource and its response (or at least its side effects) becomes available to the attacker.

Here's an illustrative Python snippet of the exploit flow. The endpoint path and form field names below are placeholders, not GLPI's real form parameters; in practice the attacker submits the URL through GLPI's RSS feed or external calendar configuration.

import requests

# Attacker-controlled URL that answers with an HTTP redirect (3xx + Location)
# pointing at an internal resource reachable only from the GLPI server
malicious_url = 'https://malicious.example.com/redirect?url=http://target.internal'

# Submit the malicious URL as an RSS feed or external calendar planning item.
# Field names are placeholders standing in for the real GLPI form fields.
payload = {
    'rss_feed': malicious_url,
    'calendar_item': malicious_url
}

# GLPI validates the submitted URL, fetches it, and then follows the redirect
# without checking the redirect target against the allow list
response = requests.post('http://glpi.example.com/vulnerable-path', data=payload)
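The snippet above only shows the attacker's side. To make the server-side mistake concrete, here is an added example (not GLPI's code, and not from the original post) that models the two fetch strategies described in Vulnerability Details and Exploit Method: a fetcher that validates only the submitted URL and then blindly follows redirects, beside one that re-validates every hop against the allow list. The HTTP layer is replaced by a constructed in-memory table so the example runs offline; the host names, the allow list, and the internal target are assumptions for illustration.

```python
from urllib.parse import urlparse, urljoin

# Constructed stand-in for the network: URL -> (status, headers, body).
# "feed.allowed.example" is an assumed attacker-controlled host that the
# administrator has allow-listed; 127.0.0.1:8080 is an assumed internal service.
FAKE_HTTP = {
    "https://feed.allowed.example/rss": (
        302, {"Location": "http://127.0.0.1:8080/admin/secrets"}, b""),
    "http://127.0.0.1:8080/admin/secrets": (
        200, {}, b"internal-only content"),
    "https://feed.allowed.example/hop": (
        301, {"Location": "/real.xml"}, b""),          # relative Location
    "https://feed.allowed.example/real.xml": (
        200, {}, b"<rss/>"),
}

# Assumed administrator-defined allow list (hostnames only).
ALLOWED_HOSTS = {"feed.allowed.example"}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def http_get(url):
    """Offline replacement for a real GET; unknown URLs look like 404s."""
    return FAKE_HTTP.get(url, (404, {}, b""))


def url_allowed(url):
    """The allow-list check GLPI applies to the submitted URL."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    return (parsed.hostname or "") in ALLOWED_HOSTS


def fetch_vulnerable(url, max_redirects=5):
    """Validates the submitted URL once, then follows Location headers blindly.

    This mirrors the CVE-2022-39276 behaviour: the redirect target is never
    compared against the allow list, so an allow-listed host can bounce the
    request to an internal address.
    """
    if not url_allowed(url):
        raise ValueError(f"blocked: {url} is not in allow list")
    for _ in range(max_redirects + 1):
        status, headers, body = http_get(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])   # no re-validation here
            continue
        return url, body
    raise ValueError("too many redirects")


def fetch_hardened(url, max_redirects=5):
    """Re-validates every hop before requesting it.

    A real client must also have automatic redirect following disabled
    (e.g. requests' allow_redirects=False) so that this loop, and not the
    library, decides whether each hop is fetched.
    """
    for _ in range(max_redirects + 1):
        if not url_allowed(url):
            raise ValueError(f"blocked: {url} is not in allow list")
        status, headers, body = http_get(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])   # resolve relative targets
            continue
        return url, body
    raise ValueError("too many redirects")


def try_fetch(fetcher, url):
    """Run a fetcher and report the outcome as a comparable tuple."""
    try:
        final_url, body = fetcher(url)
        return ("ok", final_url, body)
    except ValueError as exc:
        return ("blocked", str(exc), b"")


if __name__ == "__main__":
    for name, fetcher in (("vulnerable", fetch_vulnerable), ("hardened", fetch_hardened)):
        print(name, try_fetch(fetcher, "https://feed.allowed.example/rss"))
        print(name, try_fetch(fetcher, "https://feed.allowed.example/hop"))
```

The redirect-to-internal case succeeds against `fetch_vulnerable` and is rejected by `fetch_hardened`, while a legitimate same-host redirect (`/hop` to `/real.xml`) still works under both, which is the behaviour a fix should preserve. Checking a hostname allow list is only part of a robust SSRF defence: a production fetcher should also resolve the hostname and reject loopback, link-local and private address ranges, since DNS rebinding and permissive allow-list entries can otherwise reopen the same hole.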

Original References

The vulnerability has been officially acknowledged by the GLPI team and relevant information can be found at the following links:

1. GLPI GitHub Issue - Contains detailed information about the discovered issue in the GLPI source code and the discussion among developers and contributors.

2. GLPI Security Advisory - Provides an official statement on the vulnerability, its impact, and steps to mitigate the risk.

Mitigation and Patching

This security issue has been patched in GLPI 10.0.4. Users are strongly advised to upgrade their GLPI installations to this version (or later) as soon as possible. The following link provides a detailed guide on how to upgrade your GLPI system:

- GLPI 10.0.4 Upgrade Guide

There are currently no known workarounds for this vulnerability, which makes the upgrade even more critical. As a compensating control while the upgrade is scheduled, restricting outbound HTTP traffic from the GLPI server (for example, denying egress to loopback, link-local and internal address ranges at the network level) limits what an SSRF can reach, but it does not remove the flaw.

Conclusion

The CVE-2022-39276 SSRF vulnerability in GLPI can have significant security implications if left unaddressed: a single redirect from an allow-listed host is enough to turn the GLPI server into a proxy into the internal network. Users and administrators of GLPI should patch their installations promptly. Understanding the exploit method and applying the recommended upgrade keeps the RSS and calendar integrations from being used against the environment they serve.

Timeline

Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/03/2022 17:57:00 UTC