Multiple vulnerabilities in Apollo Configuration Management System [CVE-2023-25569, CVE-2023-25570]

We discussed this vulnerability during Episode 197 on 20 March 2023

Three vulns in Apollo Configuration Management System (two of which were recognized as CVEs). The first vuln (which isn't acknowledged by the vendor) is a Spring Expression Language (SpEL) issue: various settings are merged with Spring Framework properties, allowing SpEL injection for RCE. It wasn't acknowledged as an issue since you need admin-level access, but it does escalate from admin access to code execution.

The second vuln was an auth bypass in the service registry ("Eureka"), which is used for registering the config, admin, and other services. Since the config and admin services are obviously sensitive, they have token-based authentication. The problem is, Eureka runs on the same instance as the config and admin services with no auth checks. If you have access to it, you can leak the token by sending a service registration request to Eureka, asking it to register a new instance of the admin app. Then, whenever a request is made from the app to the admin service, it'll send the token in the request to the instance URL specified in the attacker-supplied XML registration.
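From the defender's side, the thing to watch for is exactly what the write-up describes: a registration for the admin or config app that points at a host nobody deployed. Below is an added example (not code from the Apollo or Eureka projects) that parses a Eureka applications feed and flags instances whose IP falls outside a trusted deployment network or whose home page URL points at a different host than the registered address. The XML is constructed for this example and modeled on the Eureka v2 REST layout; the `TRUSTED_NETWORKS` allowlist and the `203.0.113.5` rogue host are assumptions, not values from the advisory.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample of a Eureka applications feed (modeled on the Eureka v2 REST
# XML layout). The 203.0.113.5 registration plays the role of a rogue instance.
SAMPLE_FEED = """<applications>
  <versions__delta>1</versions__delta>
  <apps__hashcode>UP_3_</apps__hashcode>
  <application>
    <name>APOLLO-ADMINSERVICE</name>
    <instance>
      <instanceId>10.0.1.10:apollo-adminservice:8090</instanceId>
      <hostName>10.0.1.10</hostName>
      <app>APOLLO-ADMINSERVICE</app>
      <ipAddr>10.0.1.10</ipAddr>
      <status>UP</status>
      <port enabled="true">8090</port>
      <homePageUrl>http://10.0.1.10:8090/</homePageUrl>
    </instance>
    <instance>
      <instanceId>203.0.113.5:apollo-adminservice:8090</instanceId>
      <hostName>203.0.113.5</hostName>
      <app>APOLLO-ADMINSERVICE</app>
      <ipAddr>203.0.113.5</ipAddr>
      <status>UP</status>
      <port enabled="true">8090</port>
      <homePageUrl>http://203.0.113.5:8090/</homePageUrl>
    </instance>
  </application>
  <application>
    <name>APOLLO-CONFIGSERVICE</name>
    <instance>
      <instanceId>10.0.1.11:apollo-configservice:8080</instanceId>
      <hostName>10.0.1.11</hostName>
      <app>APOLLO-CONFIGSERVICE</app>
      <ipAddr>10.0.1.11</ipAddr>
      <status>UP</status>
      <port enabled="true">8080</port>
      <homePageUrl>http://10.0.1.11:8080/</homePageUrl>
    </instance>
  </application>
</applications>
"""

# Hypothetical allowlist: the network(s) where Apollo services are actually deployed.
TRUSTED_NETWORKS = [ip_network("10.0.1.0/24")]


def parse_instances(feed_xml):
    """Yield one dict per registered instance: app name, id, IP and home page URL."""
    root = ET.fromstring(feed_xml)
    for app in root.findall("application"):
        name = app.findtext("name")
        for inst in app.findall("instance"):
            yield {
                "app": name,
                "instance_id": inst.findtext("instanceId"),
                "ip": inst.findtext("ipAddr"),
                "url": inst.findtext("homePageUrl"),
            }


def find_rogue_instances(feed_xml, trusted_networks=TRUSTED_NETWORKS):
    """Return registrations that are outside the trusted networks or whose
    home page URL points at a host other than the registered IP."""
    rogue = []
    for inst in parse_instances(feed_xml):
        try:
            addr = ip_address(inst["ip"])
        except (ValueError, TypeError):
            inst["reason"] = "unparsable ipAddr"
            rogue.append(inst)  # a registration we cannot even parse is suspicious
            continue
        if not any(addr in net for net in trusted_networks):
            inst["reason"] = "ipAddr outside trusted networks"
            rogue.append(inst)
            continue
        url_host = urlsplit(inst["url"] or "").hostname
        if url_host != inst["ip"]:
            # Requests carrying the token are sent to this URL, so a mismatch
            # with the registered address is the signal to alert on.
            inst["reason"] = "homePageUrl host differs from ipAddr"
            rogue.append(inst)
    return rogue


if __name__ == "__main__":
    for hit in find_rogue_instances(SAMPLE_FEED):
        print(f"{hit['app']} {hit['instance_id']}: {hit['reason']}")
```

Run this against the registry feed on a schedule (or on every registration event) and alert on any hit; a rogue admin-service instance has to appear in the registry before the token can be redirected to it.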

The last bug is a CSRF issue due to a lack of CSRF protection in the AuthConfiguration class. In most cases, this isn't an issue, since most methods that mutate data expect JSON-encoded data, which is protected by the Cross-Origin Resource Sharing (CORS) preflight a cross-site page can't get past. However, a few methods (such as PermissionController::addManageAppMasterRoleToUser()) just use path variables. This specific method can be CSRF'd to grant roles to an attacker's account. This will only work on Firefox, Safari, and other browsers that don't default cookies to SameSite=Lax.
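The two conditions in that paragraph (the request must be "simple" enough to skip a CORS preflight, and the browser must still attach the session cookie cross-site) are both mechanical rules, so they can be turned into an audit check for a list of endpoints. The added example below (not Apollo's code) implements the CORS-safelisted content-type rule and the SameSite cookie rule and combines them into a per-endpoint exposure verdict. The endpoint descriptors are constructed: the path-variable endpoint is modeled on the method the write-up names, but its HTTP method and the absence of a request body are assumptions, and Chromium's short-lived "Lax-allowing-unsafe" grace period for fresh cookies is deliberately ignored.

```python
# CORS-safelisted request content types: a POST with one of these (or no body)
# is a "simple" request that the browser sends without a preflight.
CORS_SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def is_cors_simple_request(method, content_type=None):
    """True if a cross-site page can make the browser send this request
    without a CORS preflight (so the server sees it unconditionally)."""
    if method.upper() not in {"GET", "HEAD", "POST"}:
        return False
    if content_type is None:
        return True
    base = content_type.split(";")[0].strip().lower()
    return base in CORS_SAFELISTED_CONTENT_TYPES


def cookie_sent_cross_site(samesite, method, top_level_navigation, browser_defaults_lax):
    """Model of whether a session cookie rides along on a cross-site request.

    samesite: the cookie's explicit SameSite attribute, or None if unset.
    browser_defaults_lax: True for browsers that treat an unset attribute as Lax.
    (Simplification: the Chromium 'Lax-allowing-unsafe' window is not modeled.)
    """
    effective = (samesite or "").lower()
    if not effective:
        effective = "lax" if browser_defaults_lax else "none"
    if effective == "none":
        return True
    if effective == "strict":
        return False
    # Lax: only top-level navigations with a safe method carry the cookie.
    return top_level_navigation and method.upper() in {"GET", "HEAD"}


def csrf_exposed(endpoint, browser_defaults_lax, session_cookie_samesite=None):
    """An endpoint is exposed when it has no CSRF token, can be reached with a
    simple request, and the victim's browser still attaches the session cookie.
    A cross-site form submission is modeled as a top-level navigation."""
    if endpoint["csrf_token_required"]:
        return False
    if not is_cors_simple_request(endpoint["method"], endpoint["content_type"]):
        return False
    return cookie_sent_cross_site(
        session_cookie_samesite,
        endpoint["method"],
        top_level_navigation=True,
        browser_defaults_lax=browser_defaults_lax,
    )


# Constructed endpoint descriptors (method/body shape are assumptions).
PATH_VAR_ENDPOINT = {
    "name": "addManageAppMasterRoleToUser (path variables only)",
    "method": "POST",
    "content_type": None,
    "csrf_token_required": False,
}
JSON_ENDPOINT = {
    "name": "typical JSON mutation endpoint",
    "method": "POST",
    "content_type": "application/json",
    "csrf_token_required": False,
}


def audit(endpoints, browser_defaults_lax, session_cookie_samesite=None):
    """Return the names of endpoints exposed to CSRF under the given browser policy."""
    return [
        e["name"]
        for e in endpoints
        if csrf_exposed(e, browser_defaults_lax, session_cookie_samesite)
    ]


if __name__ == "__main__":
    for label, lax_default in (("Chromium-like", True), ("Firefox/Safari-like", False)):
        print(label, audit([PATH_VAR_ENDPOINT, JSON_ENDPOINT], lax_default))
```

The useful property of the model is that it shows which fix closes the hole on every browser: either requiring a CSRF token (`csrf_token_required`) or setting the session cookie to `SameSite=Lax` or `Strict` explicitly makes `csrf_exposed` false regardless of the browser default, whereas relying on JSON bodies only protects the endpoints that actually consume JSON.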