In a recent security advisory, a potentially dangerous vulnerability (CVE-2023-26492) was discovered in Directus, a real-time API and App dashboard for managing SQL database content. This vulnerability allows for Server-Side Request Forgery (SSRF) attacks, giving attackers the opportunity to access sensitive information from internal servers or perform local port scans.
What is Directus?
Directus is an open-source software that helps database administrators manage SQL databases more efficiently. It offers a real-time API and dashboard for overseeing database content, allowing users to easily create, read, update, and delete data through a flexible, customizable interface. You can find more information about Directus here.
Vulnerability Details
The vulnerability lies in the file import functionality of Directus. Specifically, when importing a file from a remote web server using a POST request to /files/import, the application is susceptible to SSRF attacks. This type of attack can occur when an attacker sends a specially crafted request to the server, which then calls arbitrary user-controlled URLs, potentially leading to information disclosure or unauthorized actions.
An attacker can bypass Directus's security controls by performing a DNS rebinding attack, allowing them to view sensitive information from internal servers or perform a local port scan. This can lead to the unauthorized access of highly sensitive internal systems and the theft of sensitive information.
The following code snippet illustrates the vulnerability
import requests
url = "https://<your-directus-instance>/files/import";
attack_payload = {"url": "http://127...1/secrets.txt";}
response = requests.post(url, json=attack_payload, headers={"Authorization": "Bearer <your-token>"})
if response.status_code == 200:
print("Successfully imported file:", response.json())
else:
print("Failed to import file. Status code:", response.status_code)
This vulnerability was reported by an independent security researcher, and Directus has since fixed this issue in version 9.23.. You can find the original advisory report here.
Threat and Impact
Attackers can exploit this SSRF vulnerability in Directus to gain unauthorized access to highly sensitive internal systems, potentially leading to the theft of sensitive information. This might include accessing internal file servers, internal APIs, or performing local port scans.
Organizations that are using vulnerable versions of Directus risk leaking sensitive information or having their data infrastructure compromised. Ensuring that internal servers are secured and properly firewalled is crucial to mitigating this vulnerability.
Solution and Mitigation
To protect against this vulnerability, users should upgrade to Directus version 9.23. or later. This version includes the necessary patch to fix the SSRF vulnerability, ensuring that attackers cannot exploit this weakness in the file import functionality.
The Directus team has provided detailed instructions for upgrading to the latest version, which you can find in the official documentation.
In addition to upgrading, organizations should continue to follow best practices for securing their API and internal servers. This includes implementing proper authentication and authorization mechanisms, applying access controls, monitoring for unusual activity, and using network-level security measures (such as firewalls and intrusion prevention systems) to protect against unauthorized access.
Conclusion
The SSRF vulnerability in Directus (CVE-2023-26492) is a significant risk for organizations relying on the platform, potentially exposing sensitive information and internal systems to determined attackers. Upgrading to the latest version (9.23.) and following best practices for securing APIs and internal servers can help mitigate this risk and ensure that your organization remains protected from threats. Always stay vigilant and monitor for new vulnerabilities and security updates to keep your systems safe.
Timeline
Published on: 03/03/2023 22:15:00 UTC
Last modified on: 03/10/2023 14:55:00 UTC