perfsonar-user - [perfsonar-user] SSRF vulnerabilities on PerfSONAR instances
Subject: perfSONAR User Q&A and Other Discussion
- From: Darryl K Wohlt <>
- To: "" <>
- Subject: [perfsonar-user] SSRF vulnerabilities on PerfSONAR instances
- Date: Thu, 15 Apr 2021 16:27:11 +0000
Hello,
Our cybersecurity team has detected a Server Side Request Forgery (SSRF) vulnerability on some of our PerfSONAR instances, and I wonder if anyone has experience with this and would like to share some mitigation tips. Here is the text of the notification that I received:
Server Side Request Forgery on PerfSONAR Toolkits

Description

Server Side Request Forgery (SSRF) refers to a vulnerability where a malicious party is able to send a crafted request from a vulnerable application to another device. SSRF is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network; however, this functionality can allow the vulnerable server to be used as an attack proxy and send requests on a malicious actor's behalf.

Impact

The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.

Recommended Fix

The proper way to fix Server Side Request Forgery (SSRF) is to whitelist the DNS name or IP address which your application needs access to. If a whitelist approach does not suit your use case, and you must rely on a blacklist, it’s important to validate user input properly. An example of this is to not allow requests to private ("non-routable") IP addresses; however, in the case of a blacklist, the correct mitigation to adopt will vary from application to application.

SSRF on Multiple Subdomains, affecting Perfsonar Traceroute Viewer v2

Description

There is an SSRF vulnerability which affects the `/perfsonar-traceroute-viewer/index.cgi` path of the [host] subdomains. It is exploitable via a URL and it affects both external and internal resources. In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases or perform POST requests towards internal services which are not intended to be exposed.

Impact

The SSRF is moderately "Blind" in that only the first portion of the document is reflected into the DOM. The researcher has shown that Internal and External attacks are possible so accessing internal resources could be possible.

Recommended Fix

This plugin should be fixed in order to not trust non-sanitized user input in its further requests. If an upstream fix is not planned this should be mitigated by an authorization/authentication system of some sort such as htaccess/htpasswd.

Thanks for any help,
Darryl

Darryl K. Wohlt
Network Architect I
CCD/NCS/Network Services
Fermi National Accelerator Laboratory
P.O. Box 500, MS 368
Batavia, Illinois 60510 USA
630 840 2901 office
630 945 5687 mobile
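
The allowlist and private-address checks that the notification recommends, sketched as an added Python example (not perfSONAR code and not part of the original message). `check_target` is a hypothetical helper, and the host names, allowlist and DNS answers are constructed so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this server is expected to query.
ALLOWED_HOSTS = {"ps-archive.example.org"}

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "ps-remote.example.org": ["93.184.216.34"],
    "intranet.example.org": ["93.184.216.34", "10.0.0.5"],
    "2130706433": ["127.0.0.1"],  # decimal spelling of the loopback address
}

def sample_resolver(host):
    """Offline stand-in for system_resolver; IP literals map to themselves."""
    return SAMPLE_DNS.get(host, [host])

def system_resolver(host):
    """Every address the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_public(address):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(address.split("%")[0])  # drop any IPv6 zone id
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:127.0.0.1 is 127.0.0.1
    return ip.is_global and not ip.is_multicast

def check_target(url, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver):
    """Return (ok, reason) for a user-supplied URL the server would fetch."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme or host not allowed"
    if allowed_hosts is not None:  # allowlist mode: exact host match only
        ok = host in allowed_hosts
        return ok, "host on allowlist" if ok else "host not on allowlist"
    try:  # denylist mode: judge the resolved addresses, not the URL string
        addresses = resolver(host)
    except OSError:
        return False, "host does not resolve"
    bad = [a for a in addresses if not is_public(a)]
    if bad or not addresses:
        return False, "non-public or missing address: " + ", ".join(bad)
    return True, "all resolved addresses are public"
```

In denylist mode (`allowed_hosts=None`) the later fetch has to connect to the address that was checked and repeat the check on every redirect, because a second DNS lookup can return a different answer.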
- [perfsonar-user] SSRF vulnerabilities on PerfSONAR instances, Darryl K Wohlt, 04/15/2021
- Re: [perfsonar-user] SSRF vulnerabilities on PerfSONAR instances, Andrew Lake, 04/15/2021
- RE: [perfsonar-user] SSRF vulnerabilities on PerfSONAR instances, Darryl K Wohlt, 04/15/2021
- Re: [perfsonar-user] SSRF vulnerabilities on PerfSONAR instances, Andrew Lake, 04/15/2021