
Unauthorized Sensitive Data Leak in ZimaOS (Installed Applications and System Information)

High
LinkLeong published GHSA-hg2h-q5h6-r5c4 Oct 24, 2024

Package

https://github.com/IceWhaleTech/ZimaOS (ZimaOS)

Affected versions

≤v1.2.4

Patched versions

1.2.5

Description

Summary

The API endpoints in ZimaOS, such as http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json and http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information.

Details

ZimaOS exposes sensitive system details and application lists via unauthenticated API endpoints. Attackers can access files like app_order.json and system.json, revealing information about installed applications and the system setup, making it easier to craft targeted attacks.

PoC

  1. Send a GET request to the following endpoints:
  • GET http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json
  • GET http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json

No authentication or authorization is required.

  2. Example responses:

For app_order.json:

{
  "installed_apps": ["app1", "app2", "app3"],
  "order": [1, 2, 3]
}

For system.json:

{
  "os_version": "ZimaOS v1.0",
  "hostname": "localhost",
  "cpu_info": "Intel(R) Core(TM) i7",
  "memory": "16GB"
}
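The two requests above leave a recognisable trace in a reverse-proxy or web-server access log: a GET to /v1/users/image whose path parameter names a .json file under /var/lib/casaos, or contains a traversal sequence, rather than an image. The following Go program is an added example, not part of the advisory or of ZimaOS; it scans constructed nginx "combined" log lines (sample data, not real ZimaOS logs), flags such requests, and counts them per source address so that automated collection stands out. The allowed image directory /var/lib/casaos/images/ is an assumption for illustration, not a ZimaOS path.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines (nginx "combined" format). They are not
// real ZimaOS logs; the request targets mirror the endpoints in the advisory.
var sampleLog = `203.0.113.7 - - [24/Oct/2024:10:01:02 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/app_order.json HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [24/Oct/2024:10:01:03 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/system.json HTTP/1.1" 200 873 "-" "curl/8.4.0"
198.51.100.9 - - [24/Oct/2024:10:02:10 +0000] "GET /v1/users/image?path=/var/lib/casaos/images/avatar.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2024:10:02:11 +0000] "GET /v1/users/image?path=/var/lib/casaos/images/../1/system.json HTTP/1.1" 200 873 "-" "curl/8.4.0"
198.51.100.9 - - [24/Oct/2024:10:03:00 +0000] "GET /v1/apps HTTP/1.1" 401 0 "-" "Mozilla/5.0"`

// allowedPrefix is an assumed directory from which image requests are legitimate.
const allowedPrefix = "/var/lib/casaos/images/"

// lineRe captures source address, method, request target and status code.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Alert records one suspicious request to the image endpoint.
type Alert struct {
	Source string
	Target string // value of the path= query parameter
	Status string
	Reason string
}

// classify returns a non-empty reason when the requested path is not a plain
// image under allowedPrefix. Traversal is checked before the prefix so that
// "/var/lib/casaos/images/../1/system.json" is still caught.
func classify(target string) string {
	switch {
	case strings.Contains(target, ".."):
		return "path traversal sequence"
	case strings.HasSuffix(target, ".json"):
		return "JSON configuration file requested via image endpoint"
	case !strings.HasPrefix(target, allowedPrefix):
		return "path outside image directory"
	}
	return ""
}

// scan parses each log line and reports requests to /v1/users/image whose
// path parameter classify() considers suspicious.
func scan(log string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		src, method, rawURL, status := m[1], m[2], m[3], m[4]
		u, err := url.Parse(rawURL)
		if err != nil || method != "GET" || u.Path != "/v1/users/image" {
			continue
		}
		target := u.Query().Get("path")
		if reason := classify(target); reason != "" {
			alerts = append(alerts, Alert{Source: src, Target: target, Status: status, Reason: reason})
		}
	}
	return alerts
}

// countBySource aggregates alerts per client address; a high count from one
// address is the signal for the rate-limiting recommended by the advisory.
func countBySource(alerts []Alert) map[string]int {
	counts := make(map[string]int)
	for _, a := range alerts {
		counts[a.Source]++
	}
	return counts
}

func main() {
	alerts := scan(sampleLog)
	for _, a := range alerts {
		fmt.Printf("%s -> %s (HTTP %s): %s\n", a.Source, a.Target, a.Status, a.Reason)
	}
	fmt.Println("alerts per source:", countBySource(alerts))
}
```

Only requests that reached the image endpoint are considered; a 200 status on a flagged line means the file was actually served, which is the case to escalate, while a 401 or 403 after the fix shows the control working.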

YouTube Video PoC

Unlisted YouTube PoC Link

Impact

  1. Sensitive Information Disclosure: Attackers can gather detailed system information, including installed applications and system setup.
  2. System Profiling: The information disclosed can assist attackers in identifying potential vulnerabilities specific to the system's configuration.
  3. Targeted Exploits: With knowledge of installed applications and system details, attackers can craft more targeted attacks, increasing the risk of exploitation.

Recommendation

  1. Authentication and Authorization: Implement proper access controls requiring authentication and authorization to access sensitive files like app_order.json and system.json.
  2. Restrict Public Access: Ensure sensitive paths are not accessible publicly without proper authorization.
  3. Monitoring and Rate-Limiting: Monitor API requests to sensitive endpoints and implement rate-limiting to prevent automated data collection by malicious actors.
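The first two recommendations can be combined in one handler: refuse the request unless it carries a valid credential, then canonicalise the path parameter and serve a file only if it stays inside the directory the endpoint is meant to expose and is not one of the files named in this advisory. The Go program below is an added example written for this advisory; it is not ZimaOS code and does not reproduce ZimaOS's real authentication layer. The image directory /var/lib/casaos/images, the bearer-token check and the probe helper are assumptions for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path/filepath"
	"strings"
)

// imageRoot is an assumed directory; ZimaOS's real layout is not shown on the page.
const imageRoot = "/var/lib/casaos/images"

// sensitiveFiles are the files the advisory shows being leaked; they are never
// served by this endpoint even if a copy sits under imageRoot.
var sensitiveFiles = map[string]bool{
	"app_order.json": true,
	"system.json":    true,
}

// authorized accepts only a valid bearer token. Real deployments validate a
// session or signed token; a constant-time comparison stands in for that here.
func authorized(r *http.Request, token string) bool {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return false
	}
	got := strings.TrimPrefix(h, "Bearer ")
	return subtle.ConstantTimeCompare([]byte(got), []byte(token)) == 1
}

// resolveImagePath canonicalises the user-supplied path and confines it to root.
// It returns "" when the path is relative, escapes root via "..", or names a
// sensitive file. (Production code should also apply filepath.EvalSymlinks.)
func resolveImagePath(root, requested string) string {
	if !filepath.IsAbs(requested) {
		return ""
	}
	clean := filepath.Clean(requested)
	if !strings.HasPrefix(clean, root+"/") {
		return ""
	}
	if sensitiveFiles[filepath.Base(clean)] {
		return ""
	}
	return clean
}

// imageHandler is the hardened form of an image-serving endpoint: 401 without
// a credential, 403 for a disallowed path, otherwise the file itself.
func imageHandler(token string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r, token) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		full := resolveImagePath(imageRoot, r.URL.Query().Get("path"))
		if full == "" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		http.ServeFile(w, r, full)
	}
}

// probe sends one in-process request to the handler and returns the status code.
func probe(token, authHeader, path string) int {
	req := httptest.NewRequest(http.MethodGet, "/v1/users/image?path="+url.QueryEscape(path), nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	imageHandler(token).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const tok = "constructed-example-token" // constructed value, not a real secret
	cases := []struct{ auth, path string }{
		{"", "/var/lib/casaos/images/avatar.png"},
		{"Bearer " + tok, "/var/lib/casaos/1/system.json"},
		{"Bearer " + tok, "/var/lib/casaos/images/../1/app_order.json"},
		{"Bearer " + tok, "/var/lib/casaos/images/avatar.png"},
	}
	for _, c := range cases {
		fmt.Printf("auth=%-32q path=%-48s -> %d\n", c.auth, c.path, probe(tok, c.auth, c.path))
	}
}
```

The last probe returns 404 rather than 200 only because no such file exists on the machine running the example; the point is that it passes both checks, whereas the advisory's two paths and the traversal variant are refused before any file is opened.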

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2024-49357
