GHSA-HW4X-MCX5-9Q36

Vulnerability from github – Published: 2024-01-03 21:28 – Updated: 2024-09-06 21:40
VLAI?
Summary
Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users
Details

Withdrawn Advisory

This advisory has been withdrawn because the vulnerability affects a binary, not a library in a supported ecosystem. Therefore, users of the library should not receive alerts. This link is maintained to preserve external references.

Original Description

Impact

An authenticated attacker with valid credentials (user or host) can make non-blind Server-Side Request Forgery (SSRF) through the proxy and/or agents to arbitrary hosts.

During investigation of this functionality, it was discovered that there are several permutations where this SSRF is possible. This release addresses all but one: a root proxy administrator with access to the root proxy credentials can make requests through leaf proxies in Trusted Clusters. This behavior will be restricted in future releases. For customers using Teleport in a Trusted Cluster configuration, we encourage leaf clusters to have network restrictions in place to mitigate SSRF. For example, we recommend restricting outbound network connections to only the Auth Service, your SSO provider, and any agents, databases or applications needed to be accessed from the proxy. If running in a cloud environment pay careful attention to what cloud resources are accessible from the proxy.

Patches

Fixed in versions 14.2.4, 13.4.13 and 12.4.31.

Workarounds

Strict network controls from the Teleport Proxy and Teleport Agents reduce the potential exposure from this issue.

References

  • Fixed in PR: https://github.com/gravitational/teleport/pull/36127
  • https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html#network-layer
  • https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/network-hardening/implementing-network-segmentation-and-segregation
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gravitational/teleport"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gravitational/teleport"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gravitational/teleport"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.4.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-03T21:28:37Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Withdrawn Advisory\nThis advisory has been withdrawn because the vulnerability affects a binary, not a library in a [supported ecosystem](https://github.com/github/advisory-database#supported-ecosystems). Therefore, users of the library should not receive alerts. This link is maintained to preserve external references.\n\n## Original Description\n\n### Impact\nAn authenticated attacker with valid credentials (user or host) can make non-blind Server-Side Request Forgery (SSRF) through the proxy and/or agents to arbitrary hosts.\n\nDuring investigation of this functionality, it was discovered that there are several permutations where this SSRF is possible. This release addresses all but one: a root proxy administrator with access to the root proxy credentials can make requests through leaf proxies in Trusted Clusters. This behavior will be restricted in future releases. For customers using Teleport in a Trusted Cluster configuration, we encourage leaf clusters to have network restrictions in place to mitigate SSRF. For example, we recommend restricting outbound network connections to only the Auth Service, your SSO provider, and any agents, databases or applications needed to be accessed from the proxy. If running in a cloud environment pay careful attention to what cloud resources are accessible from the proxy.\n\n### Patches\nFixed in versions 14.2.4, 13.4.13 and 12.4.31.\n\n### Workarounds\nStrict network controls from the Teleport Proxy and Teleport Agents reduce the potential exposure from this issue.\n\n### References\n* Fixed in PR: https://github.com/gravitational/teleport/pull/36127\n* https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html#network-layer\n* https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/network-hardening/implementing-network-segmentation-and-segregation\n",
  "id": "GHSA-hw4x-mcx5-9q36",
  "modified": "2024-09-06T21:40:28Z",
  "published": "2024-01-03T21:28:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gravitational/teleport/security/advisories/GHSA-hw4x-mcx5-9q36"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gravitational/teleport/pull/36127"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gravitational/teleport/commit/bb2d67d357e868254a21ed7cb132030d7bf9fcbc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gravitational/teleport"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users",
  "withdrawn": "2024-01-23T12:50:39Z"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.