CVE-2023-46738

Authenticated users can crash the CubeFS servers with maliciously crafted requests

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from using it. The root cause was improper handling of incoming HTTP requests that could allow an attacker to control the ammount of memory that the ObjectNode would allocate. A malicious request could make the ObjectNode allocate more memory that the machine had available, and the attacker could exhaust memory by way of a single malicious request. An attacker would need to be authenticated in order to invoke the vulnerable code with their malicious request and have permissions to delete objects. In addition, the attacker would need to know the names of existing buckets of the CubeFS deployment - otherwise the request would be rejected before it reached the vulnerable code. As such, the most likely attacker is an inside user or an attacker that has breached the account of an existing user in the cluster. The issue has been patched in v3.3.1. There is no other mitigation besides upgrading.

CubeFS es un sistema de almacenamiento de archivos nativo de la nube de código abierto. Se encontró una vulnerabilidad de seguridad en CubeFS HandlerNode en versiones anteriores a la 3.3.1 que podría permitir a los usuarios autenticados enviar solicitudes manipuladas con fines malintencionados que bloquearían el ObjectNode y negarían a otros usuarios su uso. La causa principal fue el manejo inadecuado de las solicitudes HTTP entrantes que podrían permitir a un atacante controlar la cantidad de memoria que asignaría el ObjectNode. Una solicitud maliciosa podría hacer que el ObjectNode asigne más memoria de la que la máquina tenía disponible, y el atacante podría agotar la memoria mediante una única solicitud maliciosa. Un atacante necesitaría estar autenticado para poder invocar el código vulnerable con su solicitud maliciosa y tener permisos para eliminar objetos. Además, el atacante necesitaría conocer los nombres de los depósitos existentes de la implementación de CubeFS; de lo contrario, la solicitud sería rechazada antes de llegar al código vulnerable. Como tal, el atacante más probable es un usuario interno o un atacante que ha violado la cuenta de un usuario existente en el clúster. El problema se solucionó en la versión 3.3.1. No existe otra mitigación además de la actualización.

*Credits: N/A

CVSS Scores

NISTv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-10-25 CVE Reserved
2024-01-03 CVE Published
2024-01-11 EPSS Updated
2024-08-27 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (2)

URL	Tag	Source
https://github.com/cubefs/cubefs/security/advisories/GHSA-qc6v-g3xw-grmx	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/cubefs/cubefs/commit/dd46c24873c8f3df48d0a598b704ef9bd24b1ec1	2024-01-10

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linuxfoundation Search vendor "Linuxfoundation"		Cubefs Search vendor "Linuxfoundation" for product "Cubefs"				< 3.3.1 Search vendor "Linuxfoundation" for product "Cubefs" and version " < 3.3.1"		-		Affected