A critical issue has been reported affecting versions of Seq up to and including 4.2.476. This application logic error permits a user with access to the HTTP API to gain full access to the Seq server.
Seq servers with authentication enabled need to be upgraded to the latest Seq release available at https://getseq.net/download. Customers without active support/maintenance should contact support@getseq.net for information regarding a down-level patch.
Timeline
On February 6th 2018 we were notified privately of the existence of the bug
We immediately verified the issue and evaluated options for mitigation; having determined that a low-risk fix was possible, we commenced work on a new version to resolve the issue
Within 24 hours of the report we emailed customers and active trial users with information about the bug and availability of the fixed release; we also produced and included a down-level patch for customers running unsupported/legacy versions
To allow for upgrades to take place, a minimum 30-day window was provided before raising this publicly-visible report
In the interests of our customers, Datalust will not confirm or disclose security issues until an investigation has been completed and patches or mitigations are available.
Details
Authentication and authorization are separate in the v4.2 Seq security model. Unauthenticated requests are allowed access to various assets required for correctly displaying the #/login page; further authorization is bypassed when allowed unauthenticated requests are processed.
Among these assets are a group of four system settings including authentication options and some details of the authentication provider.
A missing check for the HTTP PUT method inadvertently enabled write access to these settings, through which the authentication provider can be modified or disabled.
Impact
By disabling authentication, an attacker may gain admin access to the Seq web application. Through the plug-in "app" mechanism, this can be used to execute code on the Seq server with the capabilities/access level of the Seq.exe process.
The bug cannot be used to read user passwords, which for basic authentication are stored by Seq as salted PBKDF2 hashes.
The bug is not exploitable through a port locked down as ingestion-only, i.e. using the api.ingestionPort configuration setting.
Patch availability
The bug is fixed in Seq versions 4.2.605 onwards. All users with a supported Seq license relying on authentication should update immediately to the most recent Seq 4.2 version (version 4.2.822 at the time of writing).
Users without current support/maintenance can access a patch for earlier versions by contacting support@getseq.net.
Postmortem
We have identified two main factors that enabled this bug to remain undetected:
Programmatic security configuration: the endpoints in question do appear to perform correct security checks; however, because the responsibility for implementing them was spread across several unrelated blocks of code, the override was not obvious on inspection
A test blind spot in code added very early in product development: the settings mechanism dates from a time when integration test coverage was low; as testing has matured along with the rest of the product, some older code has remained with low test coverage
As a result, a new, declarative security model has been implemented for Seq 5.0. This provides a basis for more precise test coverage, and also produces auditable documentation directly from the API security configuration.
We have also undertaken a further review of Seq 4.2. Additional test coverage has been added, and in versions from 4.2.717 onwards we took the additional step of centralizing a public URL/method white-list to improve auditability and reduce the likelihood of re-introducing this kind of issue in later code changes.
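The following is an added illustration, not Seq's own code: a centralized public-route allow-list of the kind the postmortem describes, keyed on (path, method) rather than path alone, shown beside the path-only shape that let the PUT described under Details through, plus a regression check that flags any anonymous state-changing route that has not been explicitly approved. All route paths are placeholders, not Seq's real API routes.

```python
# Added example (not Seq's code): a centralized public-route allow-list keyed
# on (path, method), next to the flawed path-only shape. Paths are placeholders.
from dataclasses import dataclass

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Routes that may be served without authentication, method included.
PUBLIC_ROUTES = frozenset({
    ("/api/settings/login-page", "GET"),  # placeholder: settings the login page needs
    ("/api/users/login", "POST"),         # placeholder: the login form itself
})

# The only non-read-only public routes that have been deliberately approved.
APPROVED_PUBLIC_WRITES = frozenset({("/api/users/login", "POST")})


def is_public_path_only(path: str, method: str) -> bool:
    """Flawed shape: anonymous access decided on the path alone, so a PUT to a
    path that is public for GET is waved through as well (method is ignored)."""
    return any(path == p for p, _ in PUBLIC_ROUTES)


def is_public(path: str, method: str) -> bool:
    """Corrected shape: the HTTP method is part of the allow-list key."""
    return (path, method.upper()) in PUBLIC_ROUTES


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    authenticated: bool


def decide(req: Request, public_check=is_public) -> str:
    """Outcome for a request: 'anonymous' if the route is on the public
    allow-list, '401' if it is not and the caller is unauthenticated, else
    'authenticated' (normal per-user authorization would follow from here)."""
    if public_check(req.path, req.method):
        return "anonymous"
    if not req.authenticated:
        return "401"
    return "authenticated"


def audit_public_routes(routes=PUBLIC_ROUTES) -> list:
    """Regression check: every public route that can change state must be an
    explicitly approved exception. Returns the offenders (empty when clean)."""
    return sorted(r for r in routes
                  if r[1] not in SAFE_METHODS and r not in APPROVED_PUBLIC_WRITES)
```

Running audit_public_routes in the test suite makes an accidental anonymous write route a failing test rather than something a reviewer has to spot by reading several unrelated code paths.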
We're sorry for any inconvenience caused by this bug and would like to reiterate our commitment to producing the most secure Seq possible, and our dedication to handling security issues in a responsible and timely manner. Customers with questions or concerns may contact support@getseq.net for assistance.
Datalust is grateful to Daniel Chactoura of STOLabs for identifying and privately disclosing this issue.
nblumhardt changed the title from "Authentication bypass in builds up to and including 4.2.476" to "CVE-2018-8096 Authentication bypass in builds up to and including 4.2.476" on Apr 7, 2020.