Vulnerability Note - CVE-2024-12867
Summary
Title: Server-Side Request Forgery in Arctic Hub URL Mapper allows an unauthenticated remote attacker to exfiltrate and modify configurations and data.
CVE Identifier: CVE-2024-12867
Affected Software: Arctic Hub versions from 3.0.1764 to 5.5.1872 are vulnerable.
Date Published: The fixed release 5.6.1877, along with a release note about the vulnerability, was published on December 12, 2024.
Description: Server-Side Request Forgery in the URL Mapper component of the Arctic Hub allows a remote attacker to cause a denial of service, to exfiltrate data, to download and change configurations, and to push data and configurations to the Hub without access credentials. Integrity of logging is not affected and potential exploitation of the vulnerability can be observed in application logs.
Credits: Bob Van der Smissen and the 'Hack the Government' ethical hacking event hosted by the Centre for Cybersecurity Belgium (CCB)
Technical Details
Background
One of the primary functions of Arctic Hub is to send email notifications about cyber threats to end-users, as configured by the Hub operator. By default, these notifications use a data sharing link that allows recipients to fetch threat data from the Sharing API which is a part of the external API of the product. Sharing API is designated for sharing different access-controlled views to the data stored in the Hub.
Prior to Arctic Hub version 3.0.1764, data sharing links pointed directly to the Sharing API. These URLs contained either the customer's API key as a URL parameter or a placeholder for an API key parameter that the customer could replace with their separately shared key.
Both of these options had drawbacks, so version 3.0.1764 introduced a new feature: using shortened URLs in email notifications. This was implemented through the URL Mapper component.
The URL Mapper allows sending notifications with shortened random URLs. Shortened URLs are unique for each notification and are translated to Sharing API calls in the URL Mapper. When a user accesses a shortened URL, the URL Mapper fetches the corresponding data from the Sharing API and passes it through to the caller.
Mappings required to access the Sharing API are stored by the URL Mapper for 30 days, unless configured otherwise.
Description of the Vulnerability
We received a report from the CCB (Centre for Cybersecurity Belgium) about a Denial of Service (DoS) vulnerability in the URL Mapper. The issue had been discovered by Bob Van der Smissen as part of the 'Hack the Government' ethical hacking event.
The report stated that it was possible to block the URL Mapper operation for 30-40 seconds at a time by accessing it through a specific sequence of calls. The URL Mapper was not able to serve any requests during this time, so a remote attacker could block a part of the data sharing function of Arctic Hub by exploiting the vulnerability. We were able to replicate the issue and locate the root cause.
The root cause of the reported DoS issue motivated the Arctic Security R&D team to investigate further. As a result, the team was able to find a way to expand the vulnerability into a Server-Side Request Forgery (SSRF). A successful SSRF requires information about the internal operation and component names of the Arctic Hub, which are not publicly exposed.
Three separate flaws contributed to the root cause of the vulnerability:
- It was possible for a remote unauthenticated user to create new URL mappings in the URL Mapper component, which was not intended.
- A flaw in the URL Mapper component made it possible to manipulate the created URL mappings so that the shortened URLs end up accessing resources that the URL mapper was not designed to access.
- The URL Mapper container had access to internal resources it did not require.
The initially reported DoS was possible through the first flaw above, by creating a new URL mapping which pointed to the URL Mapper itself. Calling the resulting shortened URL resulted in a recursive call within the URL Mapper which blocked the operation until a timeout occurred.
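The first two flaws map directly onto checks a URL mapper can enforce: mapping creation is refused for anyone but the internal notification sender, and every target is validated against the Sharing API base both when the mapping is created and again when a shortened URL is resolved. The following is an added illustration written for this note, not Arctic Hub code; the Sharing API base URL, the class and function names and the hub.example.invalid host are assumptions, and the third flaw (container network isolation) is outside what application code can show.

```python
import posixpath
import secrets
import time
from urllib.parse import urlsplit

# Assumed values, not from the advisory: the Sharing API base URL that every
# shortened URL must resolve to, and the advisory's default 30-day retention.
SHARING_API_BASE = "https://hub.example.invalid/api/sharing/"
MAPPING_TTL_SECONDS = 30 * 24 * 3600


def validate_sharing_target(target_url):
    """Reject any target that is not a resource under the Sharing API base.

    This is the check that closes flaw 2: a mapping can no longer be pointed at
    the URL Mapper itself (recursive DoS) or at other internal components (SSRF).
    """
    target, base = urlsplit(target_url), urlsplit(SHARING_API_BASE)
    # netloc includes userinfo and port, so "host@other-host" style tricks fail too
    if target.scheme != base.scheme or target.netloc != base.netloc:
        raise ValueError("target host not allowed: %r" % target_url)
    # normalise so that ../ segments cannot escape the Sharing API prefix
    if not posixpath.normpath(target.path).startswith(base.path):
        raise ValueError("target path outside Sharing API: %r" % target_url)


class UrlMapper:
    def __init__(self, now=time.time):
        self._now = now
        self._mappings = {}  # token -> (target_url, expires_at)

    def create_mapping(self, target_url, caller_is_internal):
        # Flaw 1: only the notification sender inside the Hub may create mappings;
        # an unauthenticated remote caller is refused before anything else happens.
        if not caller_is_internal:
            raise PermissionError("mapping creation is internal-only")
        validate_sharing_target(target_url)
        token = secrets.token_urlsafe(24)  # unguessable per-notification token
        self._mappings[token] = (target_url, self._now() + MAPPING_TTL_SECONDS)
        return token

    def resolve(self, token):
        """Return the Sharing API URL for a token, or None if unknown or expired."""
        entry = self._mappings.get(token)
        if entry is None or entry[1] <= self._now():
            self._mappings.pop(token, None)
            return None
        validate_sharing_target(entry[0])  # re-check: stored mappings are not trusted
        return entry[0]
```

The HTTP client that fetches the resolved URL should additionally run with network access to the Sharing API only, which is the operational counterpart of the third flaw.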
Impact
By successfully exploiting the SSRF, a remote attacker can cause a denial of service, exfiltrate data, download and change configurations, and push data and configurations to the Hub without access credentials. Integrity of logging is not affected and exploitation of the vulnerability can be observed in the application logs.
Affected versions
Arctic Hub versions from 3.0.1764 to 5.5.1872 are vulnerable. The first version with a fix to the vulnerability is 5.6.1877.
Mitigation
Upgrade Arctic Hub to version 5.6.1877 or above. If upgrading is not possible, apply the hotfix as instructed in the version 5.6.1877 release note, which was distributed to all Arctic Hub customers on 12 December 2024.
Checking for Exploitation
The vulnerability does not compromise the integrity of logging, and exploitation of the vulnerability can be observed in the URL Mapper HTTP access log, located in the following path on the Arctic Hub instance:
/var/lib/arcsec-hub/logs/arcsec.url_mapping.http_access.log
Instructions to download a helper tool to check for possible exploitation attempts were distributed to all Arctic Hub customers as part of the version 5.6.1877 release note.
At the time of releasing this document we are not aware of any attempts to exploit the vulnerability in our own systems or customer base.
HTTP access logs for the URL Mapper component are rotated automatically at system startup if the log size exceeds a specific threshold, but the rotated files are not removed automatically. Therefore, the URL Mapper logs are available from the system initialization time until the present, unless they have been manually archived or removed.
Timeline
2024-12-06: Arctic Security received a report about a DoS vulnerability in the URL Mapper API.
2024-12-09: Arctic Security R&D team was able to replicate the DoS vulnerability. The team discovered the root cause of the DoS issue and implemented a fix on the same day.
2024-12-10: Arctic Security R&D team continued the internal investigation based on the reported vulnerability and found a way to expand it from a DoS into an SSRF. The team identified the root cause of the SSRF and started to work on a fix. The fix was finalized later on the same day.
2024-12-11: Arctic Security R&D team implemented a helper tool to assist users by:
- Applying a hotfix to any of the earlier vulnerable versions, so that users who are not able to upgrade right away have a temporary solution.
- Helping users check their logs for any suspicious activity related to the vulnerability.
2024-12-12: After release testing Arctic Security released Arctic Hub 5.6.1877 containing the fix, along with a release note to explain the vulnerability. An access link to the helper tool was provided as part of the release note.
2024-12-13: After getting confirmation from CCB that no duplicate CVE entry had been made, Arctic Security requested a CVE number from its local CNA, the National Cyber Security Centre Finland (NCSC-FI).
2024-12-20: Arctic Security published this vulnerability note.
Lessons Learned
Security has been a key driver in our R&D work, and it has significantly affected our design decisions and architecture. Both third-party auditors and our customers have conducted audits to review the security of our products. Despite these efforts, we failed to discover this issue and are determined to address the reasons behind it.
Understanding how it happened, we are going to conduct the following practical measures:
- We will introduce an additional "security review of the design change" step when architectural changes are made to externally exposed components, data paths or authentication mechanisms.
- We are reviewing our component isolation strategies to ensure that all components have the least privileges required.
Acknowledgements
The issue was discovered and reported to us by Bob Van der Smissen as part of the 'Hack the Government' ethical hacking event hosted by the Centre for Cybersecurity Belgium (CCB). We would like to thank Bob and CCB for the discovery and collaboration in resolving the vulnerability.