A significant security vulnerability known as CVE-2022-45152 has been identified in Moodle, a popular learning management system. The flaw consists of a blind Server-Side Request Forgery (SSRF) vulnerability, which allows a remote attacker to perform SSRF attacks by sending specially crafted HTTP requests. In this long read post, we will dive into the details of this vulnerability, providing code snippets, original references, and guidelines on how to address this issue.
Details of the Vulnerability
The vulnerability exists due to insufficient validation of user-supplied input in Moodle's LTI provider library. The LTI provider library does not utilize Moodle's inbuilt cURL helpers, thereby leading to a risk of blind SSRF attacks. An attacker can exploit this vulnerability by tricking the application into initiating requests to arbitrary systems.
Exploit Details
A potential attacker can exploit this vulnerability by sending a specially crafted HTTP request to the application, causing the LTI provider library to initiate requests to arbitrary systems. An example of this is demonstrated in the following code snippet:
$params = array(
'url' => 'http://attacker-controlled-system.com';
);
$lti = new LTI($params);
$response = $lti->send_request();
In this code snippet, the attacker manipulates the '$params' variable to include the attacker-controlled system's URL. When the 'send_request()' function is called, the LTI provider library initiates a request to the specified URL without proper validation, leading to the SSRF attack.
Original References
The vulnerability was first reported in Moodle's official security tracker by the security researcher who discovered it, and the details can be found here: CVE-2022-45152.
Moodle has released a security advisory that details the severity, impact, and steps to mitigate the vulnerability. You can find the official security advisory here: Moodle Security Advisory.
Remediation Steps
To address the vulnerability, administrators should update their Moodle installation to the latest version, which includes a fix for CVE-2022-45152. The fixed versions are:
Moodle 3.9.10 or later
If updating to the latest version is not immediately possible, a temporary workaround can be implemented by modifying the LTI provider library to utilize Moodle's inbuilt cURL helpers for sending requests. An example of such code modification is as follows:
// Import Moodle cURL helper
require_once($CFG->libdir . '/filelib.php');
$params = array(
CURLOPT_URL => 'http://attacker-controlled-system.com';
);
$curl = new curl();
$response = $curl->get($params);
By replacing the original implementation with this workaround, any requests initiated by the LTI provider library will be subject to Moodle's inbuilt security mechanisms, reducing the risk of SSRF attacks.
It is crucial to note that this workaround is temporary and should not replace the need to update Moodle to the latest version to ensure overall security.
Conclusion
The CVE-2022-45152 vulnerability exposes Moodle systems to potential SSRF attacks. It is essential for administrators to either update their installations to the latest fixed versions or implement the suggested temporary workaround until the upgrade can take place. Staying up-to-date with security alerts and promptly responding to vulnerabilities ensures that systems remain resilient against potential attacks.
Timeline
Published on: 11/25/2022 19:15:00 UTC
Last modified on: 02/01/2023 15:58:00 UTC