Owncast, EaseProbe security vulnerabilities revealed
Oxeye has uncovered two critical security vulnerabilities and recommends immediate action to mitigate risk. The vulnerabilities were discovered in Owncast (CVE-2023-3188) and EaseProbe (CVE-2023-33967), two open-source platforms written in Go.
Owncast vulnerability (CVE-2023-3188)
The first vulnerability was discovered in Owncast, an open-source, self-hosted, decentralized, single-user live video streaming and chat server written in Go. CVE-2023-3188, labeled as an Unauthenticated Blind Server-Side Request Forgery (SSRF), could allow unauthenticated attackers to force the Owncast server to send HTTP requests to arbitrary locations using the GET HTTP method. The attacker can also specify arbitrary URL paths and query parameters in those requests.
This vulnerability has a high CNA CVSS severity rating of 8.3/10.
The vulnerable code resides within the GetWebfingerLinks function of Owncast, specifically in the following location. As per the code analysis, user-controlled input passed through the “account” parameter is parsed as a URL, and subsequently, an HTTP request is issued to the specified host on line 32.
To address this critical SSRF vulnerability, Oxeye Security recommends the following remediation steps:
- Prohibit the HTTP client utilized by Owncast from following HTTP redirections to mitigate the potential exploitation of SSRF attacks.
- Implement restrictions to allow only authenticated users to trigger the vulnerable endpoint, thereby minimizing the risk of unauthorized access.
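The first remediation step can be checked with a small local harness. The following Go program is an added example, not Owncast's code: it compares a default `http.Client` with one that refuses redirects. The two test servers, the function names and the account value are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// newDefaultClient follows redirects (Go's default policy allows up to 10 hops).
func newDefaultClient() *http.Client { return &http.Client{Timeout: 5 * time.Second} }

// newNoRedirectClient returns the first response as-is instead of following 3xx.
func newNoRedirectClient() *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// probe runs a constructed scenario: the "external" host named in a lookup
// answers 302 pointing at an "internal" service. It returns the status the
// client saw and how many requests reached the internal service.
func probe(client *http.Client) (status int, internalHits int32, err error) {
	var hits int32
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
	}))
	defer internal.Close()
	external := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, internal.URL+"/internal-only", http.StatusFound)
	}))
	defer external.Close()

	resp, err := client.Get(external.URL + "/.well-known/webfinger?resource=acct:user@remote.test")
	if err != nil {
		return 0, atomic.LoadInt32(&hits), err
	}
	defer resp.Body.Close()
	return resp.StatusCode, atomic.LoadInt32(&hits), nil
}

func main() {
	for name, c := range map[string]*http.Client{"default": newDefaultClient(), "no-redirect": newNoRedirectClient()} {
		status, hits, err := probe(c)
		fmt.Printf("%-12s status=%d internal_hits=%d err=%v\n", name, status, hits, err)
	}
}
```

Disabling redirects only stops the second hop. The first request still goes to whatever host the input names, which is why the authentication restriction in the second step is listed alongside it.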
EaseProbe vulnerability (CVE-2023-33967)
Oxeye has also discovered multiple SQL-injection vulnerabilities in EaseProbe, a lightweight and standalone health/status-checking tool written in Go. The vulnerabilities, categorized as Config-Based SQL-Injection, expose potential security risks for users of EaseProbe with a Critical NIST CVSS Security Score of 9.8/10.
These vulnerabilities can be exploited by attackers who control the EaseProbe configuration, enabling them to read, delete, or modify all information stored in the databases configured for health checking. In certain circumstances, depending on the user privileges and the database engine, the attacker may also execute arbitrary system commands on the server hosting the database. The vulnerable code is within the MySQL and Postgres database client code of EaseProbe.
By analyzing the EaseProbe configuration file, researchers demonstrated a practical exploitation scenario on a Postgres database. In this scenario, the attacker injects the command “ls”, demonstrating execution of arbitrary system commands. The vulnerable database query is unsafely formatted with user-provided data, which leads to the successful execution of the injected command.
To mitigate the risks associated with SQL-injection attacks, Oxeye Security recommends the following remediation measures:
- Properly sanitize all user input to prevent SQL-injection vulnerabilities. This can be achieved by implementing techniques such as prepared statements and parameterized queries, which treat user-provided input as values instead of executable code. If injection occurs in a query part that cannot be parameterized, strictly validate user input, considering the use of regular expressions or other appropriate methods.
- Ensure the application is regularly updated and patched to address any known vulnerabilities, as this can effectively mitigate the risk of exploitation.
This problem has been fixed in EaseProbe v2.1.0.