Dapr is a flexible, event-driven runtime that is designed to streamline the development and deployment of distributed applications across cloud and edge environments. In this post, we discuss a recently discovered vulnerability (CVE-2024-35223) that exposes the app token of an invoker application when using Dapr as a gRPC proxy for remote service invocation. This vulnerability poses a significant threat to users who rely on both Dapr as a gRPC proxy for remote service invocation and the Dapr App API token functionality. With the release of version 1.13.3, the vulnerability has been successfully patched.

Vulnerability Details

When using Dapr as a gRPC proxy for remote service invocation, the system inadvertently sends the app token of the invoker application rather than that of the invoked application. As a result, the invoker app's token is leaked to the invoked app, thus compromising the security and authentication mechanisms.

Below is a code snippet illustrating how the app token is incorrectly sent.

func (a *api) Invoke(ctx context.Context, req *pb.InvokeRequest) (*common.InvokeResponse, error) {
    ...
    appToken, err := a.appToken.GetToken()
    if err != nil {
        return nil, err
    }

    // Leaking appToken instead of invoked app token
    ctx = metadata.AppendToOutgoingContext(ctx, appidHeader, req.AppId, tokenHeader, appToken)
    ...
}

The function above should send the token of the invoked app, but it mistakenly sends the invoker app's token instead.

- Dapr GitHub issue: https://github.com/dapr/dapr/issues/4095
- Dapr Pull Request with fix: https://github.com/dapr/dapr/pull/4097

Exploitation and Mitigation

An attacker exploiting this vulnerability could gain access to the app token of the invoker application, which would compromise the security of that app and potentially enable the attacker to bypass authentication mechanisms.

To mitigate this vulnerability, all Dapr users who rely on the gRPC proxy for remote service invocation and use the App API token functionality should upgrade their installations to Dapr version 1.13.3 or later.

Here's an example of the patched code snippet:

func (a *api) Invoke(ctx context.Context, req *pb.InvokeRequest) (*common.InvokeResponse, error) {
    ...
    // Retrieve the invoked app's token
    invokedAppToken, err := a.getInvokedAppToken(req.AppId)
    if err != nil {
        return nil, err
    }

    // Send invoked app token instead of invoker app token
    ctx = metadata.AppendToOutgoingContext(ctx, appidHeader, req.AppId, tokenHeader, invokedAppToken)
    ...
}

In the patched code, the getInvokedAppToken() function retrieves the app token specific to the invoked app, and Dapr now correctly sends the token of the invoked app instead of that of the invoker app.
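To make the two behaviours above concrete, here is an added, self-contained Go model (not Dapr's own code) of both sides of the proxied call: the invoker sidecar either attaches its own token, as the vulnerable snippet does, or the token registered for the invoked app, as the patched snippet does, and the invoked sidecar accepts only its own token. The gRPC metadata is modelled as a plain map, the header names dapr-app-id and dapr-api-token are assumed (the post only shows the identifiers appidHeader and tokenHeader), and the token values are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
)

// Header names are assumed for this model; the post only shows the identifiers.
const (
	appidHeader = "dapr-app-id"
	tokenHeader = "dapr-api-token"
)

// MD stands in for the gRPC outgoing metadata the proxy appends to the call.
type MD map[string]string

// proxyInvoke models the invoker-side sidecar preparing the remote call.
// vulnerable=true reproduces CVE-2024-35223: the invoker's own token is sent.
// vulnerable=false sends the token registered for the invoked app, as the fix does.
func proxyInvoke(appID, invokerToken string, invokedTokens map[string]string, vulnerable bool) (MD, error) {
	token := invokerToken
	if !vulnerable {
		t, ok := invokedTokens[appID]
		if !ok {
			return nil, errors.New("no app token registered for " + appID)
		}
		token = t
	}
	return MD{appidHeader: appID, tokenHeader: token}, nil
}

// acceptInvoke models the invoked sidecar: only its own app token is accepted,
// compared in constant time, so a foreign token fails closed.
func acceptInvoke(md MD, ownToken string) error {
	if subtle.ConstantTimeCompare([]byte(md[tokenHeader]), []byte(ownToken)) != 1 {
		return errors.New("app token rejected")
	}
	return nil
}

// leaksInvokerSecret is the defender's check: it reports whether a call's
// metadata carries the invoker's token, i.e. the secret left its own sidecar.
func leaksInvokerSecret(md MD, invokerToken string) bool {
	return subtle.ConstantTimeCompare([]byte(md[tokenHeader]), []byte(invokerToken)) == 1
}
```

Note that on the vulnerable path the invoked side rejects the call yet has still received the invoker's secret, which is exactly why the leak matters even when authentication fails.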

Conclusion

CVE-2024-35223 is a critical vulnerability that compromises the security of Dapr applications using gRPC proxy for remote service invocation and the App API token functionality. Dapr developers have addressed this issue in version 1.13.3, and users are urged to upgrade their installations to protect against potential exploits.

Timeline

Published on: 05/23/2024 09:15:09 UTC
Last modified on: 06/04/2024 17:34:03 UTC