CVE-2023-45684 - Mission Portal SQL injection vulnerability

Posted by Lars Erik Wik
November 13, 2023

We want to bring to your attention a critical security matter recently identified in CFEngine Enterprise version 3.6.0 and subsequent releases. This vulnerability pertains to an A03:2021 - Injection flaw within the CFEngine Enterprise web UI, Mission Portal, which can lead to unauthorized access to the underlying database. The CVE identifier CVE-2023-45684 has been assigned to this issue. At present, there is no evidence to suggest that this vulnerability has been exploited or that it was known beyond the CFEngine development team and the customer who brought it to our attention.

Explanation

Our vigilant CFEngine customers, Chad DeGuira and Jim Trater at the Oak Ridge National Laboratory, recently uncovered a vulnerability while scanning their attack surface. During their scan, they identified an unusual delay in the response time from the CFEngine Mission Portal login page. This delay raised concerns that an attacker might have the potential to manipulate the application’s behavior and gain direct access to the underlying database.

Impact

In response to this discovery, we conducted an internal penetration test to assess the severity of the vulnerability. Our testing confirmed that the Mission Portal login page was indeed susceptible to SQL injection, specifically of the time-based (blind) variety. This means that you cannot send queries to dump the database tables directly (with the common SELECT <column> FROM <table> statement), because the results of the injected query are not relayed in the server's response to the API request.

However, since the input is not properly sanitized, you can still craft special queries that test a logical condition ANDed with a call to PG_SLEEP(interval), a function designed to delay execution. By observing how long the server takes to respond, we can determine whether the condition was true. In this way the contents of the database can slowly be deduced, usually one character at a time, which makes it a very slow process.
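From the defender's side, the two signals described above can be turned into a simple log check: the delay primitive appearing in decoded login parameters, and login responses far slower than the usual baseline, which is the anomaly our customers first noticed. The following Python is an added example, not CFEngine code; the access-log format and the sample lines are constructed for illustration.

```python
import re
from statistics import median
from urllib.parse import unquote_plus

# Constructed access-log lines (not real Mission Portal logs); assumed format:
#   <client_ip> <method> <path> <status> <latency_ms> "<url-encoded form body>"
SAMPLE_LOG = """\
10.0.0.5 POST /index.php/login 302 84 "username=alice&password=REDACTED"
10.0.0.6 POST /index.php/login 401 91 "username=bob&password=REDACTED"
10.0.0.7 POST /index.php/login 401 88 "username=carol&password=REDACTED"
10.0.0.10 POST /index.php/login 401 6004 "username=dave&password=REDACTED"
10.0.0.9 POST /index.php/login 401 5120 "username=x%27+AND+pg_sleep%285%29--&password=REDACTED"
10.0.0.9 POST /index.php/login 401 5093 "username=x%27+AND+PG_SLEEP%20%28+5+%29--&password=REDACTED"
10.0.0.8 GET /index.php/dashboard 200 140 ""
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (\d+) "(.*)"$')
# Match the delay primitive after URL-decoding; tolerate case and whitespace variants.
SLEEP_RE = re.compile(r"\bpg_sleep\s*\(", re.IGNORECASE)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status, latency, body = m.groups()
    # Decode twice so one layer of double-encoding does not hide the keyword.
    return {"ip": ip, "method": method, "path": path, "status": int(status),
            "latency_ms": int(latency), "body": unquote_plus(unquote_plus(body))}

def detect(log_text, slow_factor=10):
    """Flag login POSTs that carry pg_sleep or take far longer than typical logins."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    logins = [e for e in events if e["method"] == "POST" and e["path"].endswith("/login")]
    # Baseline from requests without the keyword; the median tolerates a few slow outliers.
    clean = [e["latency_ms"] for e in logins if not SLEEP_RE.search(e["body"])]
    baseline = median(clean) if clean else 0
    alerts = []
    for e in logins:
        reasons = []
        if SLEEP_RE.search(e["body"]):
            reasons.append("pg_sleep_keyword")
        if baseline and e["latency_ms"] > slow_factor * baseline:
            reasons.append("latency_outlier")  # catches delays even with an unknown payload
        if reasons:
            alerts.append((e["ip"], reasons))
    return alerts

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG):
        print(ip, ", ".join(reasons))
```

The latency rule is the more general of the two, since it does not depend on recognising a particular function name, but it needs a baseline of normal logins to compare against.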

By utilizing this vulnerability we were able to dump the contents of the entire underlying database, including tables storing confidential information such as access tokens and salted password hashes. Thus, we consider this vulnerability a significant concern that warrants immediate attention and remediation. An overall severity score of 7.5 (high severity) has been calculated using the following severity vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

To mitigate this risk, we strongly recommend installing one of the latest versions of the CFEngine hub packages as listed on our download pages. The recently released CFEngine Enterprise versions 3.18.6 and 3.21.3 include the necessary fixes to address this vulnerability. It’s important to note that this issue exclusively affects the CFEngine hub. Thus, by installing the updated hub package, you can effectively remediate the issue. For more information on how to upgrade an existing CFEngine installation, please see our documentation.

We appreciate your continued trust in CFEngine, and we are committed to ensuring the security and reliability of our software. If you have any questions or require further assistance, please don’t hesitate to reach out to our support team.