A recent vulnerability (CVE-2024-0455) found within the web scraper feature of AnythingLLM has raised concerns among its user base. This vulnerability allows an authorized user on the platform (manager, admin, or in single-user mode) to scrape Amazon EC2 instance metadata, potentially exposing secret credentials and connection details tied to the specific hosting infrastructure. In this post, we will break down the attack mechanism and explain how to mitigate the risks associated with this vulnerability.

Exploit Details

The vulnerability arises because the web scraper module in AnythingLLM fetches whatever URL a user supplies, including addresses inside the hosting network. To exploit it, an attacker with the appropriate authorization level would need to enter the following URL in the web scraper:

http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

This link-local address only answers when the request originates from inside an Amazon EC2 instance [1]. If the request succeeds, the attacker obtains instance metadata containing sensitive connection credentials and other information about the targeted infrastructure.

It is worth noting that the attacker must already know the hosting infrastructure on which the target instance is deployed. However, if the request succeeds and the affected EC2 instance does not have a properly configured firewall (iptables) blocking the scraper's path to the metadata service, the returned credentials can be used against the rest of the hosting infrastructure.

The code snippet below illustrates the scraper's behaviour (shown here in simplified Python): the URL is fetched as given, with no check on where it points.

import requests

def scrape(url):
    # Fetches the user-supplied URL as-is; nothing rejects link-local or private destinations.
    response = requests.get(url)
    if response.status_code == 200:
        return response.text
    else:
        raise Exception("Error: Unable to fetch the URL")

# The metadata endpoint reachable from inside an EC2 instance.
url = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
data = scrape(url)
print(data)

Mitigation

To mitigate this vulnerability, administrators should ensure that firewall rules (iptables) are in place to block the application's access to the EC2 instance metadata endpoint [2]. Additionally, Amazon recommends requiring the session-oriented instance metadata service version 2 (IMDSv2), which rejects the simple GET request the scraper issues [3].
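As an added example (not AnythingLLM's code; it uses only the Python standard library), the same fetch with the destination check the scraper lacks: every address the host resolves to must be a public unicast address, and redirects are refused so that a public host cannot bounce the request to the metadata endpoint. The function names are my own.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

def _is_internal(addr) -> bool:
    """True for any address a scraper must never reach, whatever hostname the user typed.
    169.254.169.254 (link-local) and fd00:ec2::254 (ULA) both fall in these ranges."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata endpoint
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def is_safe_target(url: str) -> bool:
    """True only if the URL is http(s) and every address its host resolves to is public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # rejects file://, gopher:// and scheme-less input
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # IPv4/IPv6 literal: no lookup needed
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, parts.port or 80, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return False  # a name that does not resolve is unsafe, not "unknown"
        addrs = [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]
    return bool(addrs) and not any(_is_internal(a) for a in addrs)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """A public host answering '302 Location: http://169.254.169.254/...' would
    otherwise bypass the check above, so redirects are refused outright."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)

def safe_fetch(url: str, timeout: float = 10.0) -> str:
    """Hardened replacement for scrape(): validate the destination, then fetch without redirects."""
    if not is_safe_target(url):
        raise ValueError(f"refusing to scrape a non-public address: {url}")
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")
```

The check resolves the name separately from the connection, so a DNS-rebinding defence would additionally pin the resolved address at connect time; on AWS, requiring IMDSv2 remains the instance-side control, because its session token must be obtained with a PUT request that a GET-only scraper cannot issue.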

Conclusion

In CVE-2024-0455, the web scraper module within AnythingLLM lets authorized users fetch metadata from the EC2 instance hosting the application, potentially revealing sensitive credentials. Administrators should remain vigilant and stay updated on emerging threats. By restricting the scraper's reachable destinations and hardening the instance metadata service, the risk associated with this vulnerability can be significantly reduced.

Original References

1. Amazon EC2 Instance Metadata and User Data: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
2. Protecting Instance Metadata: https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
3. EC2 Instance Metadata Service Version 2 (IMDSv2): https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

Timeline

Published on: 02/26/2024 16:27:50 UTC
Last modified on: 02/26/2024 16:32:25 UTC