GHSA-38JH-8H67-M7MJ
Vulnerability from github – Published: 2024-08-27 18:40 – Updated: 2024-08-27 18:40Summary
The Chisel server doesn't ever read the documented AUTH environment variable used to set credentials, which allows any unauthenticated user to connect, even if credentials were set. This advisory is a formalization of a report sent to the maintainer via email.
Details
In the help page for the chisel server subcommand, it mentions an AUTH environment variable that can be set in order to provide credentials that the server should authenticate connections against: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L138.
The issue is that the server entrypoint doesn't ever read the AUTH environment variable. The only place that this happens is in the client entrypoint: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L452
This subverts the expectations set by the documentation, allowing unauthenticated users to connect to a Chisel server, even if auth is attempted to be set up in this manner.
PoC
Run chisel server, first specifying credentials with the AUTH environment variable, then with the --auth argument. In the first case, the server allows connections without authentication, while in the second, the correct behavior is exhibited.
Impact
Anyone who is running the Chisel server, and that is using the AUTH environment variable to specify credentials to authenticate against. Chisel is often used to provide an entrypoint to a private network, which means services that are gated by Chisel may be affected. Additionally, Chisel is often used for exposing services to the internet. An attacker could MITM requests by connecting to a Chisel server and requesting to forward traffic from a remote port.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/jpillora/chisel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43798"
],
"database_specific": {
"cwe_ids": [
"CWE-1068",
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-27T18:40:29Z",
"nvd_published_at": "2024-08-26T23:15:04Z",
"severity": "HIGH"
},
"details": "### Summary\nThe Chisel server doesn\u0027t ever read the documented `AUTH` environment variable used to set credentials, which allows any unauthenticated user to connect, even if credentials were set. This advisory is a formalization of a report sent to the maintainer via email.\n\n### Details\nIn the help page for the `chisel server` subcommand, it mentions an `AUTH` environment variable that can be set in order to provide credentials that the server should authenticate connections against: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L138.\n\nThe issue is that the server entrypoint doesn\u0027t ever read the `AUTH` environment variable. The only place that this happens is in the client entrypoint: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L452\n\nThis subverts the expectations set by the documentation, allowing unauthenticated users to connect to a Chisel server, even if auth is attempted to be set up in this manner.\n\n### PoC\nRun `chisel server`, first specifying credentials with the `AUTH` environment variable, then with the `--auth` argument. In the first case, the server allows connections without authentication, while in the second, the correct behavior is exhibited.\n\n### Impact\nAnyone who is running the Chisel server, and that is using the `AUTH` environment variable to specify credentials to authenticate against. Chisel is often used to provide an entrypoint to a private network, which means services that are gated by Chisel may be affected. Additionally, Chisel is often used for exposing services to the internet. An attacker could MITM requests by connecting to a Chisel server and requesting to forward traffic from a remote port. ",
"id": "GHSA-38jh-8h67-m7mj",
"modified": "2024-08-27T18:40:29Z",
"published": "2024-08-27T18:40:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jpillora/chisel/security/advisories/GHSA-38jh-8h67-m7mj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43798"
},
{
"type": "PACKAGE",
"url": "https://github.com/jpillora/chisel"
},
{
"type": "WEB",
"url": "https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L138"
},
{
"type": "WEB",
"url": "https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L452"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Chisel\u0027s AUTH environment variable not respected in server entrypoint"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.