CVE-2023-37266: Unauthenticated RCE in CasaOS Personal Cloud System

Content: CasaOS is an open-source Personal Cloud system that allows users to store, share and access their data securely. Recently, a vulnerability (CVE-2023-37266) was discovered that could enable unauthenticated attackers to craft arbitrary JSON Web Tokens (JWTs) and access features that usually require authentication. This could lead to the execution of arbitrary commands as the root user on CasaOS instances, compromising the security and privacy of the users.

In this post, we provide details about the vulnerability, share a code snippet to demonstrate the issue, and discuss how the vulnerability was addressed. We also provide information on the steps users should take to protect their CasaOS instances.

Details of CVE-2023-37266

This vulnerability exists due to the improper validation of JWTs in the CasaOS authentication mechanism. An attacker can exploit this flaw by crafting a malicious JWT and sending it to a vulnerable CasaOS instance, bypassing the need for authentication and obtaining access to restricted features.

Once the attacker has gained unauthorized access, they can potentially execute arbitrary commands as the root user, leading to full control over the affected CasaOS instance and its data.

Code Snippet Demonstrating the Vulnerability

The following code snippet demonstrates how an attacker could craft a malicious JWT to exploit the vulnerability in CasaOS:

import jwt

secret_key = 'some-secret-key'
malicious_payload = {
    "sub": "123456789",
    "name": "John Doe",
    "iat": 1516239022,
    "isAdmin": True
}

jwt_token = jwt.encode(malicious_payload, secret_key, algorithm='HS256')
print(jwt_token)

In this example, an attacker could replace 'some-secret-key' with a key that is known or can be easily guessed. The malicious_payload is then used to generate a JWT, which can be sent to a vulnerable CasaOS instance to exploit the vulnerability.

How the Vulnerability was Addressed

The developers of CasaOS identified the vulnerability and addressed the issue by improving the validation of JWTs in the authentication system. This was achieved in commit 705bf1f. The patch ensures that only authorized users are able to access restricted features, effectively preventing exploitation of the vulnerability.

CasaOS .4.4 includes the patch, and users are advised to upgrade their instances to this version to protect their systems.

Steps to Protect Vulnerable CasaOS Instances

For users who cannot immediately upgrade to CasaOS .4.4, it is recommended to temporarily restrict access to CasaOS to untrusted users. This can be done by ensuring that CasaOS is not exposed publicly and is only accessible within trusted networks.

To learn more about CasaOS and its features, visit the official repository: https://github.com/IceWhaleTech/CasaOS

In conclusion, CVE-2023-37266 is a critical vulnerability in CasaOS that allows unauthenticated attackers to bypass authentication and execute arbitrary commands as root. Users should upgrade their CasaOS instances to version .4.4, which includes the patch addressing the vulnerability. If upgrading is not possible, users should temporarily restrict access to CasaOS to trusted networks to mitigate the risk.

Timeline

Published on: 07/17/2023 21:15:00 UTC
Last modified on: 07/31/2023 13:05:00 UTC