
ReDoS on endpoint html5client/useragent

High
antobinary published GHSA-rwrv-p665-4vwp Jun 1, 2022

Package

No package listed

Affected versions

2.2, <2.3.19, <2.4.7, <2.5.0-beta.2

Patched versions

2.3.19, 2.4.7, 2.5.0-beta.2

Description

Impact

By sending a specially crafted User-Agent header, an unauthenticated attacker can cause a denial of service of the bbb-html5 service.
The useragent library detects the client's device by parsing the User-Agent header and passing it through lookupUserAgent() (an alias of useragent.lookup()). The library's regular expressions are vulnerable to catastrophic backtracking (ReDoS): a crafted header value forces excessive processing in the regular expression engine, and because the endpoint required no authentication, each such request ties up the Node.js event loop of the bbb-html5 service.
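The following is an added illustration of the failure mode described above, not code from BigBlueButton or from the useragent library. It uses a textbook nested-quantifier pattern (chosen for the demonstration; the library's actual regular expressions are not reproduced here) to show how a crafted input makes matching time double with every extra character, and pairs it with two mitigations a practitioner would reach for: an equivalent pattern without nested quantifiers, and a length cap applied to the header before any regex runs. The cap value, the family table and the sample User-Agent string are assumptions constructed for the example.

```javascript
// Illustrative ReDoS demonstration (added example; not BigBlueButton code).
// EVIL_RE is a classic nested-quantifier pattern, NOT the useragent library's
// regex. On a run of 'a' followed by a non-matching character the engine tries
// every way of splitting the run between the inner and outer '+', i.e. about
// 2^(n-1) attempts before it can report failure.
const EVIL_RE = /^(a+)+$/;

// Same language (one or more 'a'), no nested quantifier: fails in linear time.
const SAFE_RE = /^a+$/;

// Crafted input: n matching characters plus one character that forces failure.
function craftInput(n) {
  return 'a'.repeat(n) + '!';
}

// Run one match and report the result together with the elapsed wall time.
function timedMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Mitigation applied to untrusted header text before any pattern is tried.
// Real User-Agent values are short; the cap below is an assumed value to tune
// against your own traffic, not a BigBlueButton setting.
const MAX_UA_LENGTH = 512;

// Minimal browser-family table with anchored, non-nested patterns (assumed for
// the example; ordering matters because Chrome UAs also mention Safari).
const FAMILIES = [
  { name: 'Firefox', re: /Firefox\/(\d+)/ },
  { name: 'Chrome', re: /Chrome\/(\d+)/ },
];

// Guarded lookup: reject oversized or non-string input before running regexes,
// then classify with patterns that cannot backtrack catastrophically.
function lookupUserAgentGuarded(ua) {
  if (typeof ua !== 'string' || ua.length > MAX_UA_LENGTH) {
    return { family: null, major: null, rejected: true };
  }
  for (const { name, re } of FAMILIES) {
    const m = re.exec(ua);
    if (m) return { family: name, major: Number(m[1]), rejected: false };
  }
  return { family: 'Other', major: null, rejected: false };
}

// Constructed sample header, not captured from a real client.
const SAMPLE_UA = 'Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0';

function main() {
  // Matching time roughly doubles with each step of n for the evil pattern.
  for (const n of [14, 16, 18, 20]) {
    const r = timedMatch(EVIL_RE, craftInput(n));
    console.log(`n=${n} evil: matched=${r.matched} ${r.ms.toFixed(1)} ms`);
  }
  const s = timedMatch(SAFE_RE, craftInput(20));
  console.log(`n=20 safe: matched=${s.matched} ${s.ms.toFixed(3)} ms`);
  console.log(lookupUserAgentGuarded(SAMPLE_UA));
  console.log(lookupUserAgentGuarded(craftInput(10000)));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Raising n in main() by a few more steps turns the evil pattern's run time from milliseconds into seconds while the safe pattern stays flat; that exponential curve is what an attacker exploits with a single HTTP request, and why the length cap is only a stopgap next to removing the vulnerable patterns or the endpoint itself.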

Patches

Given the limited use of the html5client/useragent endpoint, we have opted to remove it from the code altogether. Its use for legacy-client checks had already transitioned to a different library months ago. BigBlueButton's documentation has been updated to point to a different online service for finding one's user agent.

Patch in BigBlueButton 2.3.19
Patch in BigBlueButton 2.4.7
Patch in BigBlueButton 2.5.0-beta.2

Workarounds

If you are not able to upgrade to a patched version, you can eliminate the attack surface by stopping nginx from forwarding requests to the handler. Add the following block to your nginx configuration so that the request is answered by nginx itself and never reaches the bbb-html5 service:

location /html5client/useragent {
  return 404;
}

For BigBlueButton 2.3 or 2.4 a good place to add this block would be in /etc/bigbluebutton/nginx/
For BigBlueButton 2.5 a good place to add this block would be in /usr/share/bigbluebutton/nginx/

Reload via sudo systemctl reload nginx

Test this change by navigating to <yourserver.com>/html5client/useragent -- if you see a 404 response, the workaround is active. Note that this block only covers the html5client/useragent path; it does not remove the vulnerable library from the service, so upgrading remains the complete fix.

For more information

If you have any questions or comments about this advisory:

Credits

We would like to thank Giang. Võ Quý from VNG Corporation for responsibly disclosing and assisting with the fixing of this security issue.

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2022-29169

Weaknesses

No CWEs