Bypassing rate limiting with X-Forwarded-For header

Moderate
renchap published GHSA-c2r5-cfqr-c553 May 30, 2024

Package

No package listed

Affected versions

<= 4.2.8, <= 4.1.16

Patched versions

4.2.9, 4.1.17

Description

Summary

Rate limiting is applied to most API endpoints by default. However, in some misconfigured deployments the measure can be circumvented by sending the request header X-Forwarded-For: 127.0.0.1.

Details

Provided they manage to connect directly to Puma (Mastodon's application server) rather than through the reverse proxy, an attacker can spoof their IP address by setting the X-Forwarded-For or Client-Ip HTTP header, and use that to bypass most rate limiting.

Indeed, Rails' RemoteIp middleware, as used in Mastodon, always trusts the last (closest to the server) X-Forwarded-For or Client-Ip entry, even when that entry was written by the client itself rather than appended by a trusted proxy.

Furthermore, most of Mastodon's rate limiting is implemented with rack-attack, and 127.0.0.1 is explicitly exempted from those limits, so an attacker who manages to spoof that address bypasses them entirely.
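The interaction described in the three paragraphs above, as an added example that is not code from Mastodon, Rails or rack-attack: a stdlib-only Ruby model of a RemoteIp-style resolver that believes the right-most non-proxy forwarded entry, a hardened resolver that consults forwarding headers only when the TCP peer is itself a trusted proxy, and a rack-attack-style throttle with the localhost exemption. The trusted-proxy lists, the attacker and load-balancer addresses (198.51.100.7, 203.0.113.x), the request limit and all function names are assumptions made for the example; the hardened resolver illustrates one generic mitigation and is not the change shipped in 4.2.9 / 4.1.17.

```ruby
# Added example, not code from Mastodon, Rails or rack-attack: a stdlib-only
# model of a forwarded-header IP resolver and an IP-keyed throttle with a
# localhost safelist, exercised by a client that reaches Puma directly.
require 'ipaddr'

# Trusted proxy ranges modelled on Rails' RemoteIp defaults (loopback,
# RFC 1918, link-local); an assumption for this example.
DEFAULT_TRUSTED_PROXIES = %w[
  127.0.0.0/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Hypothetical misconfiguration: the operator replaced the defaults with only
# the load balancer's address, so loopback is no longer treated as a proxy.
LB_ONLY_PROXIES = [IPAddr.new('203.0.113.10')].freeze

# The "allow from localhost" exemption the advisory describes.
LOCALHOST_SAFELIST = %w[127.0.0.1 ::1].freeze

ATTACKER = '198.51.100.7' # constructed attacker address (TEST-NET-2)

# True only for a parseable single host, never a range (no netmask sneaking).
def single_host?(entry)
  range = IPAddr.new(entry).to_range
  range.begin == range.end
rescue IPAddr::Error
  false
end

# Comma-separated header value -> list of valid single addresses.
def ip_list(header)
  (header || '').split(/[,\s]+/).select { |entry| single_host?(entry) }
end

def trusted_proxy?(ip, proxies)
  return false if ip.nil?
  addr = IPAddr.new(ip)
  proxies.any? { |range| range.include?(addr) }
rescue IPAddr::Error
  false
end

# Permissive resolution, in the spirit of the behaviour the advisory describes:
# the right-most forwarded entry that is not a trusted proxy wins, whoever wrote
# it. A client talking to Puma directly controls that entry.
def permissive_client_ip(env, proxies = DEFAULT_TRUSTED_PROXIES)
  remote_addr = env['REMOTE_ADDR']
  forwarded = ip_list(env['HTTP_X_FORWARDED_FOR']).reverse + ip_list(env['HTTP_CLIENT_IP']).reverse
  candidates = (forwarded + [remote_addr]).reject { |ip| trusted_proxy?(ip, proxies) }
  candidates.first || forwarded.last || remote_addr
end

# Hardened resolution (a generic mitigation, not Mastodon's fix): forwarding
# headers count only when the TCP peer is itself a trusted proxy, and the chain
# is walked right-to-left, each trusted hop vouching for the entry to its left.
# Client-Ip is ignored altogether.
def strict_client_ip(env, proxies = DEFAULT_TRUSTED_PROXIES)
  remote_addr = env['REMOTE_ADDR']
  return remote_addr unless trusted_proxy?(remote_addr, proxies)
  chain = ip_list(env['HTTP_X_FORWARDED_FOR'])
  chain.reverse_each { |hop| return hop unless trusted_proxy?(hop, proxies) }
  chain.first || remote_addr # whole chain internal: furthest hop, else the proxy
end

# Minimal rack-attack-style throttle keyed on the resolved address; the
# localhost safelist is evaluated before the counter, as a safelist would be.
class IpThrottle
  def initialize(limit:, resolver:, proxies: DEFAULT_TRUSTED_PROXIES)
    @limit, @resolver, @proxies = limit, resolver, proxies
    @hits = Hash.new(0)
  end

  # true: request passes; false: throttled.
  def allow?(env)
    ip = @resolver.call(env, @proxies)
    return true if LOCALHOST_SAFELIST.include?(ip)
    (@hits[ip] += 1) <= @limit
  end
end

# Replays constructed Rack-style request environments and reports how many pass.
def scenarios(limit: 3, attempts: 10)
  direct    = { 'REMOTE_ADDR' => ATTACKER }                                # straight to Puma
  forged_lo = direct.merge('HTTP_X_FORWARDED_FOR' => '127.0.0.1')         # the advisory's header
  rotating  = Array.new(attempts) { |i| direct.merge('HTTP_X_FORWARDED_FOR' => "203.0.113.#{i + 1}") }
  via_proxy = { 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => ATTACKER } # nginx on loopback
  perm, strict = method(:permissive_client_ip), method(:strict_client_ip)
  count = ->(resolver, proxies, envs) { allowed_count(IpThrottle.new(limit: limit, resolver: resolver, proxies: proxies), envs) }
  {
    # defaults: 127.0.0.1 is a proxy address and is discarded, so the counter sees REMOTE_ADDR
    permissive_forged_loopback_defaults: count.call(perm, DEFAULT_TRUSTED_PROXIES, [forged_lo] * attempts),
    # loopback no longer trusted: the forged entry survives and lands on the safelist
    permissive_forged_loopback_lb_only: count.call(perm, LB_ONLY_PROXIES, [forged_lo] * attempts),
    # even with defaults, any non-proxy address is believed, so rotating forged addresses defeats the counter
    permissive_rotating_defaults: count.call(perm, DEFAULT_TRUSTED_PROXIES, rotating),
    strict_forged_loopback_lb_only: count.call(strict, LB_ONLY_PROXIES, [forged_lo] * attempts),
    strict_rotating_defaults: count.call(strict, DEFAULT_TRUSTED_PROXIES, rotating),
    # the legitimate path through a loopback proxy still yields the real client for both resolvers
    permissive_via_proxy_ip: permissive_client_ip(via_proxy),
    strict_via_proxy_ip: strict_client_ip(via_proxy)
  }
end

def allowed_count(throttle, envs)
  envs.count { |env| throttle.allow?(env) }
end

scenarios.each { |name, result| puts "#{name}: #{result}" } if __FILE__ == $PROGRAM_NAME
```

With a limit of 3 and 10 attempts, the permissive resolver lets all 10 forged requests through in both the loopback-not-trusted case (safelisted) and the rotating-header case (each request counted under a fresh address), while the strict resolver throttles after 3 because it never reads the header from an untrusted peer. Both resolvers still report the real client when a trusted loopback proxy appends it, which is the deployment the rate limiter was designed for.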

Impact

By bypassing the rate limiting measure, all other protective measures that depend on it (such as brute-force detection) are also rendered ineffective.
An attacker could, for example, try to guess valid usernames and corresponding passwords in an automated fashion.
In addition, users could use the X-Forwarded-For header to make the associated log entry record a different IP address than the one they actually connected from.

However, the impact is limited by the fact that the attacker needs to be able to supply their own X-Forwarded-For or Client-Ip header without a reverse proxy appending the real peer address to it. This effectively requires the Mastodon server to be misconfigured, with Puma reachable directly rather than only through the reverse proxy; operators should confirm that Puma is not exposed to the network except via the proxy.

Note

This security issue has been found by mgm security partners, during a security audit commissioned by the BSI.

Severity

Moderate

CVSS overall score

/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

CVE ID

CVE-2023-49952

Weaknesses

CWE-307: Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.