{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/parse-platform/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Parse Server"],"_cs_severities":["high"],"_cs_tags":["parse-server","denial-of-service","webserver"],"_cs_type":"advisory","_cs_vendors":["Parse Platform"],"content_html":"\u003cp\u003eA denial-of-service vulnerability exists in Parse Server, specifically affecting versions greater than or equal to 9.0.0 and less than 9.6.0-alpha.52, as well as versions prior to 8.6.58. The vulnerability stems from the server's behavior when handling authentication requests with unconfigured providers. An unauthenticated attacker can exploit this by sending numerous authentication requests with arbitrary, unconfigured provider names. Before rejecting an authentication request with an unconfigured provider, the server attempts to query the database, resulting in a full collection scan due to the absence of a database index for unconfigured providers. This attack can be parallelized to overwhelm database resources, leading to a denial-of-service condition. The fix involves validating the configuration of authentication providers before initiating any database queries, thus preventing the unnecessary full collection scans.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Parse Server instance running a vulnerable version (\u0026gt;= 9.0.0, \u0026lt; 9.6.0-alpha.52, or \u0026lt; 8.6.58).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an authentication request targeting an arbitrary, unconfigured authentication provider. This can be achieved by modifying the provider parameter in the authentication API request.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted authentication request to the Parse Server instance's authentication endpoint (e.g., \u003ccode\u003e/parse/users\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eUpon receiving the request, the Parse Server iterates through the available auth providers. If a provider is not configured, the server attempts to query the database for the existence of this provider.\u003c/li\u003e\n\u003cli\u003eDue to the lack of a database index for unconfigured providers, the database server initiates a full collection scan on the user database for each unconfigured provider in the request.\u003c/li\u003e\n\u003cli\u003eThe attacker floods the server with multiple parallel requests, each targeting a different, unconfigured provider.\u003c/li\u003e\n\u003cli\u003eThe parallel full collection scans overwhelm the database server's resources (CPU, memory, I/O).\u003c/li\u003e\n\u003cli\u003eThe database server becomes unresponsive, leading to a denial-of-service condition affecting the Parse Server and its users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition. The Parse Server becomes unavailable to legitimate users as the database resources are saturated. The number of victims and affected sectors depend on the deployment size and user base of the specific Parse Server instance. If the attack succeeds, the application relying on the Parse Server becomes unusable, potentially leading to financial losses, reputational damage, and disruption of services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Parse Server to a patched version (\u0026gt;= 9.6.0-alpha.52 or \u0026gt;= 8.6.58) to remediate the vulnerability as described in the overview and the advisory (\u003ca href=\"https://github.com/advisories/GHSA-g4cf-xj29-wqqr)\"\u003ehttps://github.com/advisories/GHSA-g4cf-xj29-wqqr)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual authentication requests targeting non-existent authentication providers using the rule \u003ccode\u003eParse Server Authentication Request to Unconfigured Provider\u003c/code\u003e. Enable webserver logging to activate this rule.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the authentication endpoint to mitigate the impact of potential DoS attacks, even after patching. This can be done at the load balancer or web server level.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-parse-server-dos/","summary":"An unauthenticated attacker can cause a Denial of Service (DoS) by sending authentication requests with arbitrary, unconfigured provider names, leading to a full collection scan on the user database in vulnerable Parse Server versions.","title":"Parse Server Denial of Service via Unindexed Database Query","url":"https://feed.craftedsignal.io/briefs/2024-01-03-parse-server-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Parse Platform","version":"https://jsonfeed.org/version/1.1"}