{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/firefighter-incident--0.0.54/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["firefighter-incident (\u003c 0.0.54)","Jira"],"_cs_severities":["critical"],"_cs_tags":["ssrf","cloud","iam","credential-theft"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eFireFighter, a tool for incident management, contains a critical SSRF vulnerability affecting versions prior to 0.0.54. The vulnerability resides in the \u003ccode\u003eCreateJiraBotView\u003c/code\u003e endpoint (\u003ccode\u003e/api/v2/firefighter/raid/jira_bot\u003c/code\u003e), which lacks authentication and proper URL validation. An attacker can exploit this flaw to send arbitrary HTTP requests from the FireFighter server, including requests to internal cloud metadata endpoints. Specifically, in EC2/EKS environments without IMDSv2, this SSRF can be leveraged to steal temporary AWS credentials associated with the pod\u0026rsquo;s IAM role. Successful exploitation allows an attacker to gain unauthorized access to cloud resources. The vulnerable code is located in \u003ccode\u003esrc/firefighter/raid/views/__init__.py\u003c/code\u003e, \u003ccode\u003esrc/firefighter/raid/serializers.py\u003c/code\u003e, and \u003ccode\u003esrc/firefighter/raid/client.py\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a POST request to the \u003ccode\u003e/api/v2/firefighter/raid/jira_bot\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request including an \u003ccode\u003eattachments\u003c/code\u003e parameter containing a URL pointing to a sensitive internal resource, such as the cloud metadata endpoint (\u003ccode\u003ehttp://169.254.169.254/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eLandbotIssueRequestSerializer.attachments\u003c/code\u003e component processes the request without proper URL validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpx.get()\u003c/code\u003e function fetches the content from the attacker-specified URL.\u003c/li\u003e\n\u003cli\u003eThe response from the metadata endpoint (containing AWS credentials) is retrieved by the FireFighter server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eRaidJiraClient.add_attachments_to_issue\u003c/code\u003e function attaches the metadata response to a new Jira ticket.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the Jira ticket, extracting the attached file containing the stolen AWS credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen AWS credentials to gain unauthorized access to the compromised cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability can lead to the theft of AWS IAM credentials in environments that do not enforce IMDSv2. This allows an attacker to gain unauthorized access to cloud resources, potentially leading to data breaches, service disruption, or other malicious activities. The number of affected deployments is currently unknown, but any FireFighter instance prior to version 0.0.54 is susceptible. Organizations using FireFighter for incident management are urged to upgrade immediately.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FireFighter to version 0.0.54 or later to patch the SSRF vulnerability.\u003c/li\u003e\n\u003cli\u003eBlock access to the \u003ccode\u003e/api/v2/firefighter/raid/jira_bot\u003c/code\u003e endpoint from untrusted networks as a temporary workaround, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement IMDSv2 with \u003ccode\u003eHttpPutResponseHopLimit=1\u003c/code\u003e on EC2/EKS nodes to mitigate the risk of IAM credential theft, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from the FireFighter server, specifically looking for outbound connections to the cloud metadata endpoint (169.254.169.254) using network connection logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-firefighter-ssrf/","summary":"FireFighter versions before 0.0.54 are vulnerable to an unauthenticated server-side request forgery (SSRF) vulnerability in the `/api/v2/firefighter/raid/jira_bot` endpoint, allowing attackers to potentially steal IAM credentials in cloud environments.","title":"FireFighter Unauthenticated SSRF Leads to Potential IAM Credential Theft","url":"https://feed.craftedsignal.io/briefs/2024-01-03-firefighter-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Firefighter-Incident (\u003c 0.0.54)","version":"https://jsonfeed.org/version/1.1"}