{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/event-interception/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["rustfs"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","ssrf","event-interception"],"_cs_type":"advisory","_cs_vendors":["rustfs"],"content_html":"\u003cp\u003eA critical authorization bypass vulnerability exists in RustFS versions 0.0.2 and earlier, specifically within the notification target admin API endpoints (\u003ccode\u003erustfs/src/admin/handlers/event.rs\u003c/code\u003e). These endpoints lack proper admin-action authorization, failing to call \u003ccode\u003evalidate_admin_request\u003c/code\u003e. This oversight allows a non-admin user to overwrite admin-defined notification targets by name. Successful exploitation enables attackers to intercept events intended for legitimate administrators and evade audit logs. The attacker gains the ability to redirect bucket events to an attacker-controlled endpoint, potentially exfiltrating sensitive information like object keys, bucket names, user identities, and request metadata. This issue was patched in RustFS version 1.0.0-alpha.94.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a RustFS account with non-admin (readonly) privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a PUT request to one of the notification target admin API endpoints (e.g., to create or update a notification target).\u003c/li\u003e\n\u003cli\u003eThe request bypasses the intended admin authorization checks due to the missing \u003ccode\u003evalidate_admin_request\u003c/code\u003e call.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites an existing, admin-defined notification target, replacing the legitimate endpoint with an attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eAn S3 bucket event (e.g., object creation) occurs, triggering the notification system.\u003c/li\u003e\n\u003cli\u003eRustFS sends an HTTP request containing event data to the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the exfiltrated event data, including object keys, bucket names, user identities, and request metadata.\u003c/li\u003e\n\u003cli\u003eThe attacker can also delete unbound targets or silently redirect events from bound targets, further evading audit detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to intercept sensitive data related to bucket events, potentially leading to data breaches and unauthorized access to resources. The vulnerability affects RustFS instances where non-admin users have access to the system, enabling them to manipulate notification targets intended for administrative purposes. The attacker can redirect events to an external endpoint, exposing potentially thousands of events containing sensitive information. The ability to overwrite existing notification targets allows for a persistent compromise until the vulnerability is patched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade RustFS to version 1.0.0-alpha.94 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect RustFS Notification Target Manipulation\u0026rdquo; to identify attempts to modify notification targets via the admin API.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (cs-uri-query, cs-method) for unusual activity related to the notification target admin API endpoints to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit non-admin user access to sensitive API endpoints and resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-rustfs-admin-auth-bypass/","summary":"A vulnerability in RustFS allows a non-admin user to overwrite a shared admin-defined notification target, leading to event interception and audit evasion due to missing admin-action authorization on notification target admin API endpoints.","title":"RustFS Notification Target Admin API Authorization Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-rustfs-admin-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Event-Interception","version":"https://jsonfeed.org/version/1.1"}