Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems.
The vulnerabilities, tracked as CVE-2023-37265 and CVE-2023-37266, both carry a CVSS score of 9.8 out of a maximum of 10.
Sonar security researcher Thomas Chauchefoin, who discovered the bugs, said they “allow attackers to get around authentication requirements and gain full access to the CasaOS dashboard.”
Even more troublingly, CasaOS’ support for third-party applications could be weaponized to run arbitrary commands on the system to gain persistent access to the device or pivot into internal networks.
Following responsible disclosure on July 3, 2023, the flaws were addressed in version 0.4.4 released by its maintainers IceWhale on July 14, 2023.
A brief description of the two flaws is as follows –
- CVE-2023-37265 – Incorrect identification of the source IP address, allowing unauthenticated attackers to execute arbitrary commands as root on CasaOS instances
- CVE-2023-37265 – Unauthenticated attackers can craft arbitrary JSON Web Tokens (JWTs) and access features that require authentication and execute arbitrary commands as root on CasaOS instances
A consequence of successful exploitation of the aforementioned flaws could allow attackers to get around authentication restrictions and gain administrative privileges on vulnerable CasaOS instances.
“In general, identifying IP addresses at the application layer is risk-prone and shouldn’t be relied on for security decisions,” Chauchefoin said.
“Many different headers may transport this information (X-Forwarded-For, Forwarded, etc.), and the language APIs sometimes need to interpret nuances of the HTTP protocol the same way. Similarly, all frameworks have their own quirks and can be tricky to navigate without expert knowledge of these common security footguns.”