Security researchers have identified a vulnerability in Zalando Skipper v.13.236 that could allow an attacker to perform Server-Side Request Forgery (SSRF) attacks. The vulnerability has been assigned CVE-2022-38580 and is considered to be of high severity. In this blog post, we'll discuss the details of this vulnerability, including a brief introduction to Zalando Skipper, the affected components, how the vulnerability can be exploited, its potential impact, and how to mitigate the issue.

Before diving into the vulnerability details, let's take a look at what Zalando Skipper is and its main components.

Zalando Skipper is an open-source HTTP router and reverse proxy for service composition, including use cases like Kubernetes Ingress. It allows users to define HTTP routes based on a custom DSL (Domain Specific Language) to control the flow of HTTP requests to different backend services. Some of the main components of Zalando Skipper include:

1. Filters: Small units of code that can manipulate an HTTP request or response.
2. Predicates: Functions that evaluate conditions on HTTP requests and can be used to build complex routing rules.
3. Data clients: Components that provide routing data from various sources, such as Kubernetes Ingress, etcd, or custom APIs.

Exploit Details

The specific component affected in this vulnerability (CVE-2022-38580) is the webhook built-in filter that allows making HTTP requests to external services. The issue lies in the way the filter handles the route configuration for making these requests, which enables an attacker to manipulate the request's target URL and potentially access protected resources or internal infrastructure.

Here's a code snippet demonstrating an example of a vulnerable route configuration:

  // Route written in eskip, Skipper's route definition DSL
  webhookExample: Path("/webhook-example")
    -> webhook("https://external.service/api/notification")
    -> "https://target.backend/service1";

In this example, the webhook filter is configured to make an HTTP request to an external notification service. However, an attacker could exploit the vulnerability by crafting a malicious request that causes the webhook filter to send the request to an internal resource or another unintended target.

Impact

The implications of CVE-2022-38580 could be significant: a successful exploit could give an attacker access to sensitive data or internal resources, facilitate Server-Side Request Forgery (SSRF) against other services, or help them bypass network security controls.

Mitigation

To mitigate CVE-2022-38580, Zalando has released Skipper v.13.237, which contains a fix for the vulnerability. It is highly recommended that affected users update to this latest version to protect their deployments from potential exploits. Additionally, users should review the use of the webhook filter in their route configurations and ensure that they are following best practices for securing this component from SSRF attacks.
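One such practice, shown here as an added example that is not Skipper's own code: a Go check an operator can run over configured webhook targets before a route is loaded, accepting only HTTPS URLs to allowlisted hosts and refusing literal IPs outright. The allowlist entry and the sample URLs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed allowlist standing in for an operator's approved webhook
// destinations (assumption; not Skipper's own configuration).
var allowedWebhookHosts = map[string]bool{"external.service": true}

// Ranges an outbound proxy filter should never be pointed at: loopback,
// RFC 1918, link-local and unspecified, for both IPv4 and IPv6.
var blockedCIDRs = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10"}

// ValidateWebhookTarget accepts a webhook URL only if it uses HTTPS and names
// an allowlisted host. Literal IPs are always rejected, with a more specific
// error when they fall in a blocked range, so a misconfigured route fails closed.
func ValidateWebhookTarget(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed, want https", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if ip := net.ParseIP(host); ip != nil {
		for _, c := range blockedCIDRs {
			if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
				return fmt.Errorf("%s is in blocked range %s", ip, n)
			}
		}
		return fmt.Errorf("literal IP %s is not allowlisted", ip)
	}
	if !allowedWebhookHosts[host] {
		return fmt.Errorf("host %q is not in the webhook allowlist", host)
	}
	return nil
}

func main() {
	for _, t := range []string{"https://external.service/api/notification",
		"http://external.service/api/notification", "https://10.0.0.5/admin"} {
		fmt.Printf("%s -> %v\n", t, ValidateWebhookTarget(t))
	}
}
```

Because only allowlisted hostnames pass, the check never has to resolve DNS itself, which sidesteps the time-of-check/time-of-use problem of validating a resolved address that later changes.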

Conclusion

CVE-2022-38580 is a serious vulnerability in Zalando Skipper v.13.236 that could allow an attacker to perform Server-Side Request Forgery (SSRF) attacks. By understanding the details of this vulnerability and taking appropriate precautionary measures, users can protect their deployments and mitigate any potential risks. If you're using Zalando Skipper, it's crucial to stay informed about the latest security updates and implement best practices to ensure the safety and security of your infrastructure.

For more information, please refer to the original CVE-2022-38580 advisory and the Zalando Skipper GitHub repository.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 03/28/2023 17:15:00 UTC