#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Replicated Classic [1]
# Vendor:   Replicated
# CSNC ID:  CSNC-2021-019
# CVE ID:   CVE-2021-42718
# Subject:  Information Disclosure via API
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Stephan Sekula (advisories@compass-security.com)
# Date:     25.10.2021
#
#############################################################

Introduction:
-------------
Out of the box, Replicated gives you everything you need to start shipping
an installable version of your application securely and quickly. [1]

Compass Security discovered a security flaw in Replicated Classic, which
discloses sensitive information via the product's API.

Affected:
---------
Vulnerable:
 * < 2.53.1

Not Vulnerable:
 * 2.53.1

No other version was tested, but older versions are believed to be
vulnerable as well.

Technical Description
---------------------
Software, version, configuration, passwords, secrets, etc. are disclosed
via the API.
Request:

GET /api/v1/eventstream HTTP/1.1
Host: [CUT]
Cookie: [CUT]
[CUT]
Connection: close

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/event-stream
Vary: Cookie
Date: Thu, 16 Sep 2021 05:08:48 GMT
Connection: close
Transfer-Encoding: chunked

[CUT]
data:{"releases":[{"AppID":"[CUT]","Version":16360,"PatchVersion":0,
"VersionLabel":"2021.3-20210914-163011","Name":"[CUT]",[CUT]
[CUT]
data:{"cluster_node_state":[{"Node":{"ID":"[CUT]","Tags":["local"],
"PrivateAddress":"[CUT]","PublicAddress":"[CUT]","DockerAddress":"[CUT]",
"InterfaceAddresses":{"eth0":"[CUT]"},"ContainerID":"[CUT]",
"SystemInfo":{"Platform":"linux","PlaformVersion":"[CUT]",
"PlaformVersionID":"[CUT]",[CUT]}]}
[CUT]
data:{[CUT],"secret_token":"[CUT]","update_token":"[CUT]",[CUT]}
[CUT]
"ExposedPorts":{"8087/tcp":{}},"Env":["GEBCN_BUILT_IN__REGISTRATION__CONTROLLER=[CUT]",
"GEBCN_BUILT_IN__REGISTRATION__SECRET=[CUT]",[CUT],"POSTGRES_USER=[CUT]",
"POSTGRES_PASSWORD=[CUT]"
[CUT]

Workaround / Fix:
-----------------
Install the current patch, which will remove sensitive information from API
responses.

Timeline:
---------
2021-09-16: Discovery by Stephan Sekula
2021-09-16: Initial vendor notification
2021-09-16: Initial vendor response
2021-09-23: Release of patch
2021-10-21: Assigned CVE-2021-28975
2021-10-25: Public disclosure

References:
-----------
[1] https://www.replicated.com/
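The fix described above removes credentials from the event-stream responses. As an added illustration of that mitigation (example code written for this page, not Replicated's patch and not Compass Security's tooling), the following Python filter sits between the application and the text/event-stream client: each "data:" frame is decoded as JSON, any key whose name looks credential-bearing (the "secret_token" and "update_token" fields seen in the Technical Description, plus generic password/key markers) is replaced, and "NAME=value" entries in an "Env" list are masked when NAME contains SECRET, TOKEN or PASSWORD. The key-name patterns and the sample stream are constructed for this example and shaped after the redacted response above; the pattern lists are assumptions a real deployment would tune.

```python
import json
import re
from typing import Any, Iterable, List

# Constructed patterns for this example, based on the field names visible in
# the advisory ("secret_token", "update_token") plus common credential markers.
SENSITIVE_KEY_RE = re.compile(
    r"(secret|token|password|passwd|private[_-]?key)", re.IGNORECASE
)
# Environment entries of the form NAME=value whose NAME looks credential-bearing.
SENSITIVE_ENV_RE = re.compile(
    r"^[A-Z0-9_]*(SECRET|TOKEN|PASSWORD|PASSWD)[A-Z0-9_]*=", re.IGNORECASE
)
REDACTED = "[REDACTED]"


def redact_env(entry: Any) -> Any:
    """Mask the value part of a NAME=value string when NAME is sensitive."""
    if isinstance(entry, str) and SENSITIVE_ENV_RE.match(entry):
        name, _, _ = entry.partition("=")
        return f"{name}={REDACTED}"
    return entry


def redact(value: Any) -> Any:
    """Recursively replace sensitive values in a decoded JSON document."""
    if isinstance(value, dict):
        out = {}
        for key, val in value.items():
            if SENSITIVE_KEY_RE.search(key):
                out[key] = REDACTED
            elif key == "Env" and isinstance(val, list):
                out[key] = [redact_env(e) for e in val]
            else:
                out[key] = redact(val)
        return out
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def filter_event_stream(lines: Iterable[str]) -> List[str]:
    """Filter text/event-stream lines before they reach the client.

    JSON "data:" frames are redacted; non-JSON data frames are replaced
    wholesale (fail closed rather than leak an unparsed payload); other
    lines (event:, id:, comments, blank separators) pass through unchanged.
    """
    out: List[str] = []
    for line in lines:
        if not line.startswith("data:"):
            out.append(line)
            continue
        payload = line[len("data:"):].strip()
        try:
            doc = json.loads(payload)
        except json.JSONDecodeError:
            out.append("data:" + REDACTED)
            continue
        out.append("data:" + json.dumps(redact(doc), separators=(",", ":")))
    return out


# Constructed sample stream shaped after the (redacted) advisory response;
# every value here is made up for the example.
SAMPLE_STREAM = [
    'data:{"releases":[{"AppID":"app-0001","Version":16360,'
    '"VersionLabel":"2021.3-20210914-163011"}]}',
    "",
    'data:{"secret_token":"s3cr3t","update_token":"upd","Name":"demo"}',
    "",
    'data:{"ExposedPorts":{"8087/tcp":{}},"Env":["POSTGRES_USER=app",'
    '"POSTGRES_PASSWORD=hunter2","GEBCN_BUILT_IN__REGISTRATION__SECRET=abc",'
    '"PATH=/usr/bin"]}',
    "",
]


def demo() -> List[str]:
    """Run the filter over the constructed sample stream."""
    return filter_event_stream(SAMPLE_STREAM)


if __name__ == "__main__":
    for frame in demo():
        print(frame)
```

The filter deliberately keys on field names rather than on value shapes: an allow-list of fields the UI actually needs would be stronger still, but a deny-list on key names is the smallest change that removes the token and password fields shown in the advisory while leaving release metadata such as "Version" and "VersionLabel" intact.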