From: Red Hat Product Security <secalert@redhat.com>
To: security@redhat.com, kernelci@lists.linux.dev
Subject: Re: ZDI-CAN-22317: New Vulnerability Report
Date: Fri, 13 Oct 2023 04:03:57 -0700 (PDT)
Message-ID: <10938477.32355.1697195037303@app130155.ycg3.service-now.com>
Hello!
INC2757115 (ZDI-CAN-22317: New Vulnerability Report) has been acknowledged.
Opened for: security@redhat.com
Followers: kernelci@lists.linux.dev
A Guest updated your request with the following comments:
Reply from: security@redhat.com
Dear Nitesh Surana,
Thank you for bringing this security advisory to our attention. We have
revoked the exposed token and are working to provide early access users
with personal tokens and self-hosted solutions for uploading their
files.
While the exposed token did not pose a risk to users, as any files
published in this share are public and not used in a production
environment, we understand that this incident may have caused concern.
We will provide further updates via this public mailing list.
Thank you for your cooperation.
On Thu, 2023-10-12 at 21:44 +0000, zdi-disclosures@trendmicro.com wrote:
> ZDI-CAN-22317: KernelCI SAS Token Incorrect Permission Assignment
> Authentication Bypass Vulnerability
>
> -- CVSS -----------------------------------------
>
> 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
>
> -- ABSTRACT -------------------------------------
>
> Trend Micro's Zero Day Initiative has identified a vulnerability
> affecting the following products:
> KernelCI - KernelCI
>
> -- VULNERABILITY DETAILS ------------------------
> * Version tested: NA
> * Installer file: hxxps://kernelci.org/
> * Platform tested: Azure
>
> ---
>
> ### Analysis
>
>
> We found an overly permissive SAS token mentioned in the GitHub
> repository for Kernel CI (an upstream Linux Kernel validation project
> under The Linux Foundation). The token allows for write access on the
> Storage Account, allowing anyone with the publicly available
> token+URL to possibly.
>
> While checking GitHub for files with possible SAS tokens that expire
> sometime after 2023 and carry read and write permissions on the
> storage services (blob, file, queue), we came across the code snippet
> below:
>
> ```
> hxxps://github.com/kernelci/kernelci-project/blob/104f95d1909fcccd7389f4a42ffa11a4d8d30cc8/kernelci.org/content/en/docs/admin/api.md?plain=1#L91
> ```
>
> The over-permissive SAS token is:
> "sv=2022-11-02&ss=bfq&srt=sco&sp=rwdlacpitfx&se=2023-12-03T00:00:00Z&st=2023-09-04T00:00:00Z&spr=https&sig=g1lP2bLomBFr81hNnxi%2Bdi%2F8rvLI0aOZgzIgiZNDnIg%3D"
>
> ```
> - The SAS token expires on `2023-12-03`
> - The permissions `rwdlacpitfx` are over-permissive (Read, Write,
> Delete, List, Add, Create, Process, Immutability, Tag, Filter, Delete
> Version)
> - The storage types accessible are blob, file, queue
> ```
>
> Using Azure Storage Explorer, we could read, write and list the
> contents of all the storage types in the Storage Account.
>
>
> An attacker could modify any file on the File Share of the Storage
> Account and possibly impact users of Kernel CI. The expectation is to
> see that the SAS token allows for read, write and delete operations
> (based on the documentation at
> https://github.com/kernelci/kernelci-api/blob/b7a0f8f19fdba8f9649b282bd2d6fef874820efc/doc/early-access.md?plain=1#L149
> ). However, any user with the SAS token and File Share URL could
> control files on the File Share of the Storage Account.
>
>
> -- CREDIT ---------------------------------------
> This vulnerability was discovered by:
> Nitesh Surana (@_niteshsurana) of Trend Micro
>
> -- FURTHER DETAILS ------------------------------
>
> Supporting files:
>
>
> If supporting files were contained with this report they are provided
> within a password protected ZIP file. The password is the ZDI
> candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID
> number.
>
> Please confirm receipt of this report. We expect all vendors to
> remediate ZDI vulnerabilities within 120 days of the reported date.
> If you are ready to release a patch at any point leading up to the
> deadline, please coordinate with us so that we may release our
> advisory detailing the issue. If the 120-day deadline is reached and
> no patch has been made available we will release a limited public
> advisory with our own mitigations, so that the public can protect
> themselves in the absence of a patch. Please keep us updated
> regarding the status of this issue and feel free to contact us at any
> time:
>
> Zero Day Initiative
> zdi-disclosures@trendmicro.com
>
> The PGP key used for all ZDI vendor communications is available from:
>
> http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc
>
> -- INFORMATION ABOUT THE ZDI --------------------
> Established by TippingPoint and acquired by Trend Micro, the Zero Day
> Initiative (ZDI) neither re-sells vulnerability details nor exploit
> code. Instead, upon notifying the affected product vendor, the ZDI
> provides its Trend Micro TippingPoint customers with zero day
> protection through its intrusion prevention technology. Explicit
> details regarding the specifics of the vulnerability are not exposed
> to any parties until an official vendor patch is publicly available.
>
> Please contact us for further details or refer to:
>
> http://www.zerodayinitiative.com
>
> -- DISCLOSURE POLICY ----------------------------
>
> Our vulnerability disclosure policy is available online at:
>
> http://www.zerodayinitiative.com/advisories/disclosure_policy/
>
> TREND MICRO EMAIL NOTICE
>
> The information contained in this email and any attachments is
> confidential and may be subject to copyright or other intellectual
> property protection. If you are not the intended recipient, you are
> not authorized to use or disclose this information, and we request
> that you notify us by reply mail or telephone and delete the original
> message from your mail system.
>
> For details about what personal information we collect and why,
> please see our Privacy Notice on our website at:
> http://www.trendmicro.com/privacy
>
How can I track and update my request?
To respond, reply to this email. You may also create a new email and include the request number (INC2757115) in the subject.
Thank you,
Product Security
Ref:MSG80461454
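The report above turns on four fields of the leaked token: the permission string (sp=rwdlacpitfx), the services it spans (ss=bfq), the resource scope (srt=sco) and the expiry (se=2023-12-03). The following is an added example, not code from the report, from Red Hat or from the KernelCI project, showing how a defender can triage a SAS token of that shape when it turns up in a repository or a doc page: it parses the query-string form, names the permissions, and reports write capability, service-level scope, long lifetime, plain-HTTP allowance and the presence of a signature. Assumptions: the permission letters beyond those the report names (y for permanent delete, u for update) are taken from Azure's account SAS documentation; the seven-day lifetime threshold is a constructed policy choice; and the signature in the sample text is a placeholder, not the revoked value.

```python
"""Triage helper for Azure Storage account SAS tokens found in docs or source.

Added example (not code from the ZDI report or from KernelCI). It parses the
query-string form of an account SAS, classifies permissions, services, scope
and lifetime, and returns the reasons a token would be raised as a finding.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Permission letters: r w d l a c p i t f x are the ones named in the report;
# y (permanent delete) and u (update) are assumed from Azure's account SAS docs.
PERMISSIONS = {
    "r": "Read", "w": "Write", "d": "Delete", "l": "List", "a": "Add",
    "c": "Create", "p": "Process", "i": "Set immutability policy",
    "t": "Tag", "f": "Filter", "x": "Delete version",
    "y": "Permanent delete", "u": "Update",
}
SERVICES = {"b": "blob", "f": "file", "q": "queue", "t": "table"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
# Any of these lets the holder change or destroy data; r, l, p and f do not.
MUTATING = set("wdacitxyu")

# Matches the query-string shape of a SAS wherever it is pasted into text.
SAS_RE = re.compile(r"sv=\d{4}-\d{2}-\d{2}&[A-Za-z0-9%&=:._-]+")


def _timestamp(value):
    """Parse the se/st formats Azure accepts; None if absent or unparsable."""
    if not value:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_sas(token):
    """Decode the SAS query string into named fields."""
    fields = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    return {
        "version": fields.get("sv"),
        "services": {SERVICES.get(c, c) for c in fields.get("ss", "")},
        "resource_types": {RESOURCE_TYPES.get(c, c) for c in fields.get("srt", "")},
        "permissions": set(fields.get("sp", "")),
        "start": _timestamp(fields.get("st")),
        "expiry": _timestamp(fields.get("se")),
        # When spr is omitted Azure allows both protocols.
        "protocols": set(fields.get("spr", "https,http").split(",")),
        "signed": bool(fields.get("sig")),
    }


def assess_sas(token, now=None, max_lifetime=timedelta(days=7)):
    """Return human-readable findings; an empty list means nothing stood out.

    max_lifetime is a constructed policy threshold, not an Azure limit.
    """
    now = now or datetime.now(timezone.utc)
    info = parse_sas(token)
    findings = []
    mutating = sorted(info["permissions"] & MUTATING)
    if mutating:
        names = ", ".join(PERMISSIONS.get(p, p) for p in mutating)
        findings.append(f"write-capable permissions: {names}")
    if "service" in info["resource_types"]:
        findings.append("service-level scope (srt contains 's')")
    if len(info["services"]) > 1:
        findings.append("spans services: " + ", ".join(sorted(info["services"])))
    expiry = info["expiry"]
    if expiry is None:
        findings.append("no parsable expiry (se)")
    elif expiry > now + max_lifetime:
        findings.append(f"long-lived: expires {expiry.date()}, {(expiry - now).days} days out")
    if "http" in info["protocols"]:
        findings.append("plain HTTP permitted (spr)")
    if info["signed"]:
        findings.append("carries a signature: usable as-is, treat as a leaked credential")
    return findings


def scan_text(text, now=None):
    """Find every SAS-shaped string in text and assess each one."""
    return [(tok, assess_sas(tok, now=now)) for tok in SAS_RE.findall(text)]


# Constructed sample: the report's permission/expiry parameters with the
# signature replaced by a placeholder, next to a tightly scoped token.
SAMPLE_DOC = """
export SAS="sv=2022-11-02&ss=bfq&srt=sco&sp=rwdlacpitfx&se=2023-12-03T00:00:00Z&st=2023-09-04T00:00:00Z&spr=https&sig=PLACEHOLDER_NOT_A_REAL_SIGNATURE%3D"
# short-lived, read/list only, one object
curl "https://example.invalid/blob?sv=2022-11-02&ss=b&srt=o&sp=rl&se=2023-10-13T00:00:00Z&st=2023-10-12T00:00:00Z&spr=https"
"""

if __name__ == "__main__":
    for token, findings in scan_text(SAMPLE_DOC):
        print(token[:40] + "...", "->", findings or ["nothing flagged"])
```

Run against the sample text, the first token is reported for write-capable permissions, service-level scope, three services, a lifetime of weeks and an attached signature, while the second, read/list-only token that expires within a day produces no findings. The same scan_text call can be pointed at a whole checkout to catch tokens before they reach a public branch.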
2023-10-13 11:03 Red Hat Product Security [this message]
-- strict thread matches above, loose matches on Subject: below --
2023-10-12 21:44 ZDI-CAN-22317: New Vulnerability Report zdi-disclosures
2023-10-13 11:01 ` Denys Fedoryshchenko