Summary:
CVE-2023-41319 is a critical security vulnerability affecting Fides versions 2.11. through 2.19.. The vulnerability allows the execution of arbitrary code on the target system inside the webserver container, whose process runs as root by default, and allows an attacker to leverage that access to attack underlying infrastructure and integrated systems. Exploitation is limited to highly privileged users, such as root users and users with the owner role, and requires the allow_custom_connector_functions configuration parameter to be enabled. Upgrading to Fides version 2.19. or later mitigates this vulnerability.

Introduction

Fides is an open-source privacy engineering platform designed to manage data privacy requests and enforce privacy regulations in code. The Fides webserver API provides a means for custom integrations, uploaded as a ZIP file, to be leveraged. While the ZIP file should contain YAML files, Fides can also be configured to accept custom Python code. The custom code is executed in a restricted, sandboxed environment; however, this sandbox can be bypassed, enabling the execution of any arbitrary code.

Details

The arbitrary code execution vulnerability (CVE-2023-41319) affects Fides versions 2.11. through 2.19.. Exploitation is limited to API clients with the CONNECTOR_TEMPLATE_REGISTER authorization scope, which is restricted to highly privileged users in the Fides Admin UI, specifically root users and users with the owner role.

Exploitation is only possible if the security configuration parameter allow_custom_connector_functions is enabled by the user deploying the Fides webserver container, either in fides.toml or by setting the env var FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS=True. By default, this configuration parameter is disabled.

# Exploit code snippet
import os
os.system("YOUR_ARBITRARY_CODE_HERE")

The vulnerability has been patched in Fides version 2.19.. Users are advised to upgrade to this version or later to secure their systems against this threat. Users unable to upgrade should ensure that allow_custom_connector_functions in fides.toml and the FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS environment variable are both either unset or explicitly set to False.

Original references

- Fides GitHub Repository
- Fides Webserver API Documentation
- Fides Changelog and CVE Announcement

1. Upgrade to Fides version 2.19. or later.

2. Ensure that allow_custom_connector_functions in fides.toml and the FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS environment variable are both either unset or explicitly set to False.

By following these steps, you will mitigate the risk of arbitrary code execution on the target system in the context of the owner of the webserver Python process in the webserver container, protecting your underlying infrastructure and integrated systems.
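As an added defender-side check, not part of this advisory or of the Fides project, the following Python script evaluates a deployment against the two mitigation steps above: it tests whether the reported Fides version falls in the affected range, and whether allow_custom_connector_functions is enabled through either fides.toml or the FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS environment variable. It assumes the flag lives under a [security] table in fides.toml (inferred from the FIDES__SECURITY__ prefix of the environment variable; the page does not show the file layout) and that the usual strings "1", "true", "yes" and "on" count as enabling. The version boundaries are read from the page (affected from 2.11, fixed in 2.19), and the sample configurations embedded in the script are constructed.

```python
"""Added example: check a Fides deployment against the CVE-2023-41319 mitigations.

Not part of the Fides project or the original advisory. Assumptions:
  * fides.toml keeps the flag under a [security] table (inferred from the
    FIDES__SECURITY__ prefix of the environment variable, not stated on the page).
  * Truthy env-var spellings are "1", "true", "yes", "on" (case-insensitive).
  * Version boundaries follow the page: 2.11 up to, but not including, 2.19.
"""
import os

try:
    import tomllib  # stdlib since Python 3.11
except ImportError:  # pragma: no cover
    tomllib = None

TOML_KEY = "allow_custom_connector_functions"
ENV_KEY = "FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS"
FIRST_AFFECTED = (2, 11)
FIRST_FIXED = (2, 19)

# Constructed sample configurations for demonstration.
SAFE_TOML = "[security]\nallow_custom_connector_functions = false\n"
RISKY_TOML = (
    "[security]\n"
    "# enables custom Python in uploaded connector templates\n"
    "allow_custom_connector_functions = true\n"
)


def _fallback_parse(text):
    """Minimal '[table]' / 'key = value' parser, used only when tomllib is absent."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            tables.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            tables[current][key] = {"true": True, "false": False}.get(
                value.lower(), value.strip('"')
            )
    return tables


def toml_enables_custom_functions(toml_text):
    """True when fides.toml explicitly sets the flag to true (assumed [security] table)."""
    data = tomllib.loads(toml_text) if tomllib else _fallback_parse(toml_text)
    return data.get("security", {}).get(TOML_KEY, False) is True


def env_enables_custom_functions(env):
    """True when the environment variable carries a truthy value."""
    value = env.get(ENV_KEY)
    return value is not None and value.strip().lower() in {"1", "true", "yes", "on"}


def custom_functions_enabled(toml_text, env):
    """Either source enabling the flag counts as enabled: the advisory requires
    both fides.toml and the environment variable to be unset or explicitly False."""
    return toml_enables_custom_functions(toml_text) or env_enables_custom_functions(env)


def version_affected(version):
    """Affected range per the page: 2.11 <= major.minor < 2.19 (patch level ignored)."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return FIRST_AFFECTED <= (major, minor) < FIRST_FIXED


def assess(version, toml_text, env):
    """Return a list of findings; an empty list means both mitigations hold."""
    findings = []
    if version_affected(version):
        findings.append(f"Fides {version} is in the affected range; upgrade to 2.19 or later")
    if custom_functions_enabled(toml_text, env):
        findings.append(f"{TOML_KEY} is enabled via fides.toml or {ENV_KEY}; disable it")
    return findings


if __name__ == "__main__":
    # Evaluate the constructed risky config against the real process environment.
    for finding in assess("2.15.0", RISKY_TOML, os.environ) or ["no findings"]:
        print(finding)
```

Treating either source as sufficient to flag the deployment is deliberate: the advisory does not state which of fides.toml or the environment variable takes precedence, so the check stays conservative and reports whenever one of them enables the feature.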

Timeline

Published on: 09/06/2023 18:15:00 UTC
Last modified on: 09/13/2023 14:25:00 UTC