-
-
Notifications
You must be signed in to change notification settings - Fork 277
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
fix(rce): prevent remot code execution #833
Conversation
Sorry for the bother again. Is this what you were talking about in #829 (comment)? I'd assume so but the title/commit makes this sound way worse. 8.0.10 isn't pushed to rubygems yet. |
It was way worse, redis doesn't filter anything according to @pboling who kindly provided a way to replicate the problem. 8.0.10 is unreleased because it contains no changes. The fix was released as 8.0.9 |
I see, thanks for the info. My bad on reading the commit history wrong, I see now that it is like you said. Great work from you and @pboling for identifying and fixing this problem. |
I couldn't have done it without your multiple explanations of the context and the relevant issues. I'll submit you for credit on the CVE request, which you can accept if you like. |
I'm not certain if this is actually an issue. Take these commands for example:
The key contains
In addition, using the I myself didn't manage to reproduce but if I did something wrong then I believe this should 100% be reported upstream to |
I see what you mean. Looking at this more soberly - It is the argument to the I'll update the advisory. |
This does still mean that a hacker could construct a URL that would result in deletion of targeted keys, but also there is no fix for that. |
That's a relief, a 10/10 is quite severe (by definition). Thanks for double-checking. I'm not certain what the layout of that hash is exactly, or if the key is dynamic in some way. I would expect it to only contain information about the status of locks, so the most you can do there is what you can already do through the web UI. Regardless, you can do a bunch of stuff with the Web UI with plain sidekiq already like deleting complete queues so I don't think this should be a big deal. Unless you can delete arbitrary keys, that would be a bit of a problem. From a quick peek at the code that doesn't look possible to introduce arbitrary digests. |
I think it is still a 10/10, since the XSS can expose sensitive cookies, session and local storage data. I've corrected the advisory. Please give any feedback you have! |
That looks better but it's definitely not a 10. The sidekiq equivalent is rated 8.3 which I think is still quite high but eh. I would suggest just copying most of the values from GHSA-h3r8-h5qw-4r35 While XSS is bad, it's not RCE levels kind of bad. In general these reports with their severities fail to take into account that you are expected to put the dashboard behind a constraint. That's a separate issue though and not something I want to debate. While I don't personally agree, it's _fine, I guess. |
@Earlopain I appreciate the feedback. I think that sidekiq advisory was calculated incorrectly for User Interaction, which is perhaps where we disagree about the lack-of-default-auth-constraint being considered here, but I did change two other values to match, which lowered the score slightly. Specifically:
I agree that this could easily be parsed the way you are interpreting it, but I hold that it can also be interpreted the other way, for a scenario like ours where the default configuration is the unprotected one. The title of the section seems to imply a preference for assuming a vulnerable configuration so long as it is not un-reasonable, giving the example, that it would be unreasonable to assume the vulnerable configuration if it is not default, and not recommended, which is not quite our case. |
I'm not an expert on this, I haven't read the actual definitions. I just find it laughable that the difference between RCE and XSS is 0.6 points. But that has nothing to do with you, if that is indeed how this works then I'm just shaking my head in defeat at the process in general. Anyways, I believe @mhenrixon still needs to request a CVE for this to actually be picked up by tools like dependabot. I believe the report should be compacted a bit beforehand. I don't think I've seen such details before, including POC. They don't go into nearly as much detail. I would find it fine as initial disclosure but not something consumers should see in the end. I would instead instead link to the relevant PRs as reference where interested users can get more information. Particularly the commit with the fix should be there. |
Appreciate the conversation, I did request the CVE already but unsure how it works after. Everywhere I look is simply overwhelming information. Find it hard to narrow things down. Next time we can perhaps be a bit briefer. |
Eh, perhaps they'll trim it down a bit, or it updates transparently. What's done is done. From what I read, just waiting now should do the job. Unfortunatly there's no indicator that you've already done so, my bad. At least on the GitHub advisory side these things do update, they are simply stored in git and you can even do PRs against that. |
It says the CVE process can take a few days, and since it was just requested a few hours ago, we may have a few days wait. |
@mhenrixon @Earlopain others who did the eval for the official CVE regraded it as a 7.1 🤷 I kind of appreciate that it is a lower number, but it exposes a difficulty of the grading scheme. This vulnerability is a bit more serious than the similar one that affected sidekiq, but it has a higher score. Oh well. I've updated the score for this one to match what was officially released in the CVE. |
I'm not quite sure why it would be rated differently to the one in sidekiq but am glad that it is lower overall. I've opened a PR github/advisory-database#3546 to update the github version as well. |
No description provided.