GHSA-P9CG-VQCC-GRCX

Vulnerability from github – Published: 2024-07-05 20:07 – Updated: 2024-11-18 16:26
VLAI?
Summary
Server Side Request Forgery (SSRF) attack in Fedify
Details

Summary

At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the @id or other resources present within the activity it has received from the web. This activity could reference an @id that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network.

This applies to not just resolution of documents containing activities or objects, but also to media URLs as well.

Specifically this is a Server Side Request Forgery attack. You can learn more about SSRF attacks via CWE-918

Details

When Fedify makes a request at runtime via the DocLoader [1] [2], the fetch API does not first check the URI's to assert that it resolve to a public IP address. Additionally, any downstream software of Fedify that may fetch data from URIs contained within Activities or Objects maybe be at risk of requesting non-public resources, and storing those, exposing non-public information to the public.

Additionally, in many cases the URIs are not asserted to be either strictly HTTPS or HTTP protocols, which could lead to further attacks, and there is no check that the URI contains a hostname part. Whilst the fetch() specification may provide some safety here, along with underlying fetch implementations, there is still potential for attacks through using data: URIs, or just attacking some other protocol entirely, e.g., FTP or CalDav.

[1] https://github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L141 [2] https://github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L175

Deno-specific Attack Vectors

In Deno specifically, the fetch() API allows accessing local filesystem, I'm not sure how Deno's Permissions model may prevent attacks utilising file: URIs.

Fetch also supports fetching from file URLs to retrieve static files. For more info on static files, see the filesystem API documentation.

ActivityPub Security Considerations

This is also noted in the ActivityPub spec in Section B.3 Security Considerations, however, there it is more limited in scope.

Other Implementations

It may be acceptable to allow a server operator to allow access to given non-public IP addresses, for instance in Mastodon they allow requests to non-public IP addresses, i.e., localhost in development and those in the ALLOWED_PRIVATE_ADDRESSES environment variable.

PoC

I'm not sure a PoC is necessary given this is a reasonably well known vulnerability vector.

Impact

This impacts server operates, as resources that are internal to their network may find themselves being improperly accessed or potentially even attacked or exposed to the public.

Notes for resolution:

When implementing public IP address validation, be careful of CWE-1389 and CWE-1286 both of which recently caused a CVE to be filed against the popular node.js ip package, although this package was not originally intended for security purposes.

Severity ?
7.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.0"
            },
            {
              "fixed": "0.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "0.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-05T20:07:54Z",
    "nvd_published_at": "2024-07-05T18:15:32Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n \nAt present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server\u0027s network.\n\nThis applies to not just resolution of documents containing activities or objects, but also to media URLs as well.\n\nSpecifically this is a [Server Side Request Forgery attack](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery). You can learn more about SSRF attacks via [CWE-918](https://cwe.mitre.org/data/definitions/918.html)\n\n### Details\n\nWhen Fedify makes a request at runtime via the DocLoader [1] [2], the `fetch` API does not first check the URI\u0027s to assert that it resolve to a public IP address. Additionally, any downstream software of Fedify that may fetch data from URIs contained within Activities or Objects maybe be at risk of requesting non-public resources, and storing those, exposing non-public information to the public.\n\nAdditionally, in many cases the URIs are not asserted to be either strictly HTTPS or HTTP protocols, which could lead to further attacks, and there is no check that the URI contains a `hostname` part. Whilst the [`fetch()` specification](https://fetch.spec.whatwg.org/) may provide some safety here, along with underlying fetch implementations, there is still potential for attacks through using `data:` URIs, or just attacking some other protocol entirely, e.g., FTP or CalDav.\n\n[1] https://github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L141\n[2] https://github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L175\n\n#### Deno-specific Attack Vectors\n\nIn Deno specifically, the `fetch()` API allows [accessing local filesystem](https://docs.deno.com/deploy/api/runtime-fetch/), I\u0027m not sure how Deno\u0027s [Permissions model](https://docs.deno.com/runtime/manual/runtime/permission_apis/) may prevent attacks utilising `file:` URIs.\n \n\u003e Fetch also supports fetching from file URLs to retrieve static files. For more info on static files, see the [filesystem API documentation](https://docs.deno.com/deploy/api/runtime-fs).\n\n#### ActivityPub Security Considerations\n\nThis is also noted in the ActivityPub spec in [Section B.3 Security Considerations](https://www.w3.org/TR/activitypub/#security-localhost), however, there it is more limited in scope.\n\n#### Other Implementations\n\nIt may be acceptable to allow a server operator to allow access to given non-public IP addresses, for instance [in Mastodon](https://github.com/mastodon/mastodon/blob/092bb8a27af9ee87ff9ebabaf354477470ea3a94/app/lib/request.rb#L330) they allow requests to non-public IP addresses, i.e., localhost in development and those in the `ALLOWED_PRIVATE_ADDRESSES` environment variable.\n\n### PoC\n\nI\u0027m not sure a PoC is necessary given this is a reasonably well known vulnerability vector.\n\n### Impact\n\nThis impacts server operates, as resources that are internal to their network may find themselves being improperly accessed or potentially even attacked or exposed to the public.\n\n### Notes for resolution:\n\nWhen implementing public IP address validation, be careful of [CWE-1389](https://cwe.mitre.org/data/definitions/1389.html) and [CWE-1286](https://cwe.mitre.org/data/definitions/1286.html) both of which [recently](https://github.com/advisories/GHSA-78xj-cgh5-2h22) caused a CVE to be filed against the popular node.js `ip` package, although this package was not originally intended for security purposes.",
  "id": "GHSA-p9cg-vqcc-grcx",
  "modified": "2024-11-18T16:26:49Z",
  "published": "2024-07-05T20:07:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39687"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dahlia/fedify"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dahlia/fedify/releases/tag/0.11.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Server Side Request Forgery (SSRF) attack in Fedify"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.