SB2021060709 - Remote code execution in Emissary

Description

This security bulletin contains information about 2 vulnerabilities.

1) Code Injection (CVE-ID: CVE-2021-32647)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the CreatePlace REST endpoint. A remote administrator can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-32639)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to server-side request forgery in RegisterPeerAction and AddChildDirectoryAction endpoints when handling crafted POST requests. A remote privileged user can send a specially crafted request to disclose sensitive information.

Some forged requests are sent to attacker-controlled hosts, including authenticated requests to the /emissary/RegisterPeer.action endpoint and non-authenticated requests to the /emissary/Heartbeat.action endpoint.

Remediation

Install update from vendor's website.

References

• https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-ph73-7v9r-wg32
• https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/CreatePlaceAction.java#L36
• https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-2p8j-2rf3-h4xr
• https://github.com/advisories/GHSA-2p8j-2rf3-h4xr