Authors: Sparsh Kulshrestha and Shashank Bharthwal
Editor: Deepanjli Paulraj
The SSRF vulnerability can be exploited to access AWS/GCP metadata services and obtain temporary security credentials of the Appsmith cloud environment.
In August 2022, CloudSEK ASM, which monitors our customers’ attack surfaces, discovered several internet-exposed instances of Appsmith. Given that the instances were externally exposed, CloudSEK security researchers explored them for possible pre- and post-authentication vulnerabilities.
Since Appsmith does not have signup restrictions in the default installation, we focused on its post-auth functionalities, where we discovered Server Side Request Forgery (SSRF) vulnerabilities in its REST API plugin (CVE-2022-38298) and in its Elasticsearch data source (CVE-2022-38299).
SSRF vulnerabilities can be exploited to access the internal metadata of AWS/GCP. Since Appsmith offers a cloud version of their software hosted on AWS, SSRF vulnerabilities can have a high impact.
Appsmith is an open-source low-code tool that helps developers build dashboards and admin panels very quickly. It’s a platform that helps businesses build any custom internal application within hours.
How does Appsmith work?
Appsmith dashboards and panels can be set up in 4 steps:
- Connect Datasource: Integrate with a data source such as a database or an API. Appsmith has plug-and-play support for many databases and RESTful API interface to connect with most tools.
- Build UI: Use customizable built-in widgets to build an app layout.
- Access Data: Connect UI to the data source by writing queries and binding the data to widgets.
- Collaborate, Deploy, and Share: It supports version control with Git, to track changes, create rollbacks, and to collaborate using git branches. Deploy the app and share it with other users.
SSRF Vulnerability in Appsmith’s REST Client (CVSS:3.0 Score: 8.8)
One of Appsmith’s post-authentication functionalities allows users to connect to data sources using REST APIs. Appsmith’s REST Client can be used to invoke a REST Service API to create and execute queries. It can handle HTTP requests ranging from GET, POST, PUT, and PATCH, and users can also specify headers, if required, for authentication.
On replacing the API URL with a Burp Collaborator’s payload, we received an HTTP pingback immediately. However, when we tried to access the internal AWS metadata, we received a “Host not allowed” error.
Since Appsmith is an open-source tool, we reviewed the code for this functionality and found a blacklist-based check that restricts users from accessing AWS metadata.
[Figure: List of disallowed domains]
[Figure: Condition to validate hostname]
In an attempt to bypass the SSRF blacklist protection, we implemented a redirection server that redirects the decoy request to the blacklisted server.
So, we set up a PHP redirect server, on our VPS, that redirects incoming requests to the AWS internal metadata endpoint. In this way, we were able to exploit this SSRF vulnerability. The following redirect.php file was hosted on our VPS:
[Figure: redirect.php file content]
Then we made a request to the above file from the Appsmith REST API and in response, we received the metadata from the AWS/GCP cloud.
SSRF Vulnerability in Appsmith’s Elasticsearch (CVSS:3.0 Score: 8.2)
One of Appsmith’s post-authentication functionalities allows users to connect to Elasticsearch databases as data sources.
Once the Elasticsearch database has been connected, select the query method and enter the path. We added the following path: /latest/meta-data/iam/security-credentials/. Leave the Body blank.
When this query is run, it returns the temporary security credentials for your AWS role.
While a post-authentication SSRF is not new, it can have significant impact since Appsmith offers a cloud version of their software hosted on AWS. Also, Appsmith does not have a signup restriction in the default installation. So if an Appsmith instance is exposed to the internet, anyone can sign up and gain access to the functionality affected by this SSRF vulnerability.
In this case, the SSRF vulnerabilities can be exploited to reach the AWS metadata IP address and obtain temporary security credentials to the cloud environment of self-hosted Appsmith.
This can have large-scale impact, given that over 1,000 Appsmith instances are exposed on the internet.
- Disallow redirects in the HTTP Client of REST Import service.
- Update to versions 1.7.12 and above.
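The blacklist bypass in the REST Client section and the "disallow redirects" mitigation above come down to the same point: a host check that runs only on the first URL says nothing about where a redirect lands. The following is an added example, not Appsmith's code, that puts the flawed pattern beside a client that validates every hop; the deny list, the `redirector.example` host and the in-memory DNS/HTTP stand-ins are constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit
# Constructed deny list for this example; not Appsmith's actual list.
BLOCKED_HOSTS = {"metadata.google.internal"}
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",  # link-local, contains the 169.254.169.254 metadata IP
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7")]
REDIRECTS = {301, 302, 303, 307, 308}

def host_allowed(url, resolve):
    """True only for http(s) URLs whose every resolved address is off the deny list."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme not in ("http", "https") or not host or host in BLOCKED_HOSTS:
        return False
    addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    # Unwrap IPv4-mapped IPv6 such as ::ffff:169.254.169.254 before comparing.
    addrs = [getattr(a, "ipv4_mapped", None) or a for a in addrs]
    blocked = any(a in net for a in addrs for net in BLOCKED_NETS)
    return bool(addrs) and not blocked  # no addresses: fail closed

def naive_fetch(url, send, resolve):
    """Flawed pattern: checks the first URL only, then follows redirects blindly."""
    if not host_allowed(url, resolve):
        raise PermissionError("Host not allowed")
    status, headers, body = send(url)
    while status in REDIRECTS:
        url = urljoin(url, headers["Location"])
        status, headers, body = send(url)
    return status, body

def safe_fetch(url, send, resolve, max_redirects=0):
    """Checks every hop; the default max_redirects=0 refuses redirects outright."""
    for _ in range(max_redirects + 1):
        if not host_allowed(url, resolve):
            raise PermissionError(f"Host not allowed: {url}")
        status, headers, body = send(url)
        if status not in REDIRECTS:
            return status, body
        url = urljoin(url, headers.get("Location", ""))
    raise PermissionError("Redirect refused")

# Constructed in-memory stand-ins for DNS and HTTP so the example runs offline.
DNS = {"redirector.example": ["203.0.113.10"]}
def fake_resolve(host):
    return DNS.get(host, [host])  # IP literals resolve to themselves
def fake_send(url):  # performs one "request"; never follows redirects itself
    if urlsplit(url).hostname == "redirector.example":
        return 302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""
    return 200, {}, "reached " + url
```

In a real client the connection should be made to the address that was validated, otherwise a second DNS lookup at connect time can return a different IP than the one checked.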
CloudSEK submitted this vulnerability to Appsmith via their well-defined vulnerability disclosure process. Subsequently, the Appsmith team fixed this issue in their next release. Appsmith versions 1.7.12 and above do not have this vulnerability.
The timeline for this disclosure process is below:
- 05 Aug 2022: Disclosure of first SSRF to Appsmith
- 05 Aug 2022: Initial response from Appsmith with acknowledgement for the vulnerability
- 06 Aug 2022: Disclosure of second SSRF to Appsmith
- 08 Aug 2022: Response from Appsmith with acknowledgement for the second vulnerability
- 09 Aug 2022: Appsmith releases patch for both the vulnerabilities.
- 10 Aug 2022: We filed for the CVE
- 13 Sep 2022: CVE ID assigned by cve.org