Firefighter-Incident (< 0.0.54) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/firefighter-incident--0.0.54/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000FireFighter Unauthenticated SSRF Leads to Potential IAM Credential Thefthttps://feed.craftedsignal.io/briefs/2024-01-03-firefighter-ssrf/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-firefighter-ssrf/FireFighter versions before 0.0.54 are vulnerable to an unauthenticated server-side request forgery (SSRF) vulnerability in the `/api/v2/firefighter/raid/jira_bot` endpoint, allowing attackers to potentially steal IAM credentials in cloud environments.FireFighter, a tool for incident management, contains a critical SSRF vulnerability affecting versions prior to 0.0.54. The vulnerability resides in the CreateJiraBotView endpoint (/api/v2/firefighter/raid/jira_bot), which lacks authentication and proper URL validation. An attacker can exploit this flaw to send arbitrary HTTP requests from the FireFighter server, including requests to internal cloud metadata endpoints. Specifically, in EC2/EKS environments without IMDSv2, this SSRF can be leveraged to steal temporary AWS credentials associated with the pod’s IAM role. Successful exploitation allows an attacker to gain unauthorized access to cloud resources. The vulnerable code is located in src/firefighter/raid/views/__init__.py, src/firefighter/raid/serializers.py, and src/firefighter/raid/client.py.

Attack Chain

  1. An unauthenticated attacker sends a POST request to the /api/v2/firefighter/raid/jira_bot endpoint.
  2. The attacker crafts a malicious request including an attachments parameter containing a URL pointing to a sensitive internal resource, such as the cloud metadata endpoint (http://169.254.169.254/).
  3. The LandbotIssueRequestSerializer.attachments component processes the request without proper URL validation.
  4. The httpx.get() function fetches the content from the attacker-specified URL.
  5. The response from the metadata endpoint (containing AWS credentials) is retrieved by the FireFighter server.
  6. The RaidJiraClient.add_attachments_to_issue function attaches the metadata response to a new Jira ticket.
  7. The attacker retrieves the Jira ticket, extracting the attached file containing the stolen AWS credentials.
  8. The attacker uses the stolen AWS credentials to gain unauthorized access to the compromised cloud environment.

Impact

Successful exploitation of this SSRF vulnerability can lead to the theft of AWS IAM credentials in environments that do not enforce IMDSv2. This allows an attacker to gain unauthorized access to cloud resources, potentially leading to data breaches, service disruption, or other malicious activities. The number of affected deployments is currently unknown, but any FireFighter instance prior to version 0.0.54 is susceptible. Organizations using FireFighter for incident management are urged to upgrade immediately.

Recommendation

  • Upgrade FireFighter to version 0.0.54 or later to patch the SSRF vulnerability.
  • Block access to the /api/v2/firefighter/raid/jira_bot endpoint from untrusted networks as a temporary workaround, as mentioned in the advisory.
  • Implement IMDSv2 with HttpPutResponseHopLimit=1 on EC2/EKS nodes to mitigate the risk of IAM credential theft, as suggested in the advisory.
  • Monitor network connections originating from the FireFighter server, specifically looking for outbound connections to the cloud metadata endpoint (169.254.169.254) using network connection logs.
]]>criticaladvisoryssrfcloudiamcredential-theft