{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/edx/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["edx-enterprise"],"_cs_severities":["high"],"_cs_tags":["ssrf","saml","edx-enterprise"],"_cs_type":"advisory","_cs_vendors":["edX"],"content_html":"\u003cp\u003eThe \u003ccode\u003esync_provider_data\u003c/code\u003e endpoint in \u003ccode\u003eedx-enterprise\u003c/code\u003e is susceptible to a server-side request forgery (SSRF) vulnerability. An authenticated user with the Enterprise Admin role can set the \u003ccode\u003emetadata_source\u003c/code\u003e field in \u003ccode\u003eSAMLProviderConfig\u003c/code\u003e to an arbitrary URL via the \u003ccode\u003eSAMLProviderConfigViewSet\u003c/code\u003e PATCH endpoint. Subsequently, calling the \u003ccode\u003esync_provider_data\u003c/code\u003e endpoint triggers a server-side HTTP request to the specified URL. The \u003ccode\u003efetch_metadata_xml()\u003c/code\u003e function, responsible for fetching the metadata, lacks proper validation, including HTTPS enforcement, IP filtering, and request timeouts, leading to the vulnerability. \nThis issue affects \u003ccode\u003eedx-enterprise\u003c/code\u003e versions 7.0.2 through 7.0.4 and was introduced when SAML admin viewsets were migrated from \u003ccode\u003eopenedx-platform\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the edx-enterprise instance as an Enterprise Admin.\u003c/li\u003e\n\u003cli\u003eAttacker sends a PATCH request to the \u003ccode\u003eSAMLProviderConfigViewSet\u003c/code\u003e to modify the \u003ccode\u003emetadata_source\u003c/code\u003e to a malicious URL (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server stores the malicious URL in the \u003ccode\u003eSAMLProviderConfig.metadata_source\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eAttacker sends a POST request to the \u003ccode\u003esync_provider_data\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esync_provider_data\u003c/code\u003e function retrieves the \u003ccode\u003emetadata_source\u003c/code\u003e URL from the \u003ccode\u003eSAMLProviderConfig\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetch_metadata_xml\u003c/code\u003e function is called with the malicious URL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efetch_metadata_xml\u003c/code\u003e uses \u003ccode\u003erequests.get()\u003c/code\u003e to make an HTTP request to the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe server attempts to parse the (likely invalid) XML response. \nEven if parsing fails, the attacker has successfully triggered an SSRF.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows an Enterprise Admin to perform several malicious actions: steal cloud credentials by accessing instance metadata services (AWS, GCP, Azure), scan internal networks by probing hosts and ports behind the firewall, and access internal APIs not exposed to the internet. This can lead to full compromise of the cloud infrastructure and sensitive data exposure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended patch by upgrading \u003ccode\u003eedx-enterprise\u003c/code\u003e to a version outside the range of \u0026gt;= 7.0.2, \u0026lt;= 7.0.4 to remediate CVE-2026-42860.\u003c/li\u003e\n\u003cli\u003eImplement egress filtering at the network level to block outbound connections from the Open edX server to \u003ccode\u003e169.254.0.0/16\u003c/code\u003e and RFC 1918 ranges as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Outbound Connection to AWS Metadata Endpoint\u0026rdquo; to monitor for connections to the AWS metadata service from the edx-enterprise server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-edx-enterprise-ssrf/","summary":"edx-enterprise versions 7.0.2 through 7.0.4 are vulnerable to server-side request forgery (SSRF) via a SAML metadata URL in the `sync_provider_data` endpoint, allowing an authenticated Enterprise Admin to trigger arbitrary HTTP requests from the server.","title":"edx-enterprise SAML Metadata SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-edx-enterprise-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — EdX","version":"https://jsonfeed.org/version/1.1"}