Talos Vulnerability Report

TALOS-2024-1961

GoCast NAT parameter OS command injection vulnerability

November 21, 2024
CVE NUMBER

CVE-2024-29224

SUMMARY

An OS command injection vulnerability exists in the NAT parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

GoCast 1.1.3

PRODUCT URLS

GoCast - https://github.com/mayuresh82/gocast

CVSSv3 SCORE

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

DETAILS

GoCast does BGP route advertisements from a host using GoBGP.

In GoCast an injection was found when the nat value of an app is used to create or remove a firewall rule. This injection has been demonstrated using the HTTP API, but could also be exploitable when the App is defined through the config file or if added due to Consul integration. Due to a lack of authentication, the HTTP API should be disabled in most environments or configured to only go through a proxy that adds authentication, but it should be noted that this API is enabled in the default config file.

The nat string triggers an injection in system.go:natRule when it is split into protocol, lport, and dport, which are then passed into the command string. Any of those three parts can trigger the injection.

func natRule(op string, vip, localAddr net.IP, protocol, lport, dport string) error {
	cmd := fmt.Sprintf(
		"iptables -t nat -%s PREROUTING -p %s -d %s --dport %s -j DNAT --to-destination %s:%s",
		op, protocol, vip.String(), lport, localAddr.String(), dport,
	)
	cmdList := getCmdList(cmd)

MITIGATION

Users of GoCast should disable the HTTP API or, if it can’t be disabled, put it behind authentication. Disable Consul integration if possible. Check that the file permissions for the configuration file prevent users other than root and the GoCast user from modifying the file.

There are many ways to prevent command injections. Ideally this function would be safe regardless of how it is called. A simple fix would be for the natRule function to restrict protocol to only be “tcp” or “udp” and to convert the two port numbers to integers before inserting into the command string.
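
The simple fix described above could look like the following. This is an added example, not GoCast code and not the vendor's patch. The helper name natRuleArgs, the 1-65535 port range check, and returning the arguments as a slice instead of a formatted command string are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// parsePort converts s to an integer and rejects anything outside 1-65535.
func parsePort(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil || n < 1 || n > 65535 {
		return 0, fmt.Errorf("invalid port %q", s)
	}
	return n, nil
}

// natRuleArgs is a hypothetical helper (not part of GoCast). It validates the
// three fields taken from the nat string and returns the iptables arguments
// as a slice, so no value is re-parsed from a formatted command string.
func natRuleArgs(op string, vip, localAddr net.IP, protocol, lport, dport string) ([]string, error) {
	if protocol != "tcp" && protocol != "udp" {
		return nil, fmt.Errorf("invalid protocol %q", protocol)
	}
	lp, err := parsePort(lport)
	if err != nil {
		return nil, err
	}
	dp, err := parsePort(dport)
	if err != nil {
		return nil, err
	}
	if vip == nil || localAddr == nil {
		return nil, fmt.Errorf("missing IP address")
	}
	// Ports are rendered from the parsed integers, never copied from input.
	dest := localAddr.String() + ":" + strconv.Itoa(dp)
	return []string{"-t", "nat", "-" + op, "PREROUTING", "-p", protocol,
		"-d", vip.String(), "--dport", strconv.Itoa(lp),
		"-j", "DNAT", "--to-destination", dest}, nil
}

func main() {
	// Constructed inputs: one well-formed nat triple, one with an extra token.
	vip, local := net.ParseIP("192.0.2.10"), net.ParseIP("10.0.0.5")
	fmt.Println(natRuleArgs("A", vip, local, "tcp", "53", "8053"))
	fmt.Println(natRuleArgs("A", vip, local, "tcp", "53 extra", "8053"))
}
```
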

TIMELINE

2024-04-02 - Initial Vendor Contact
2024-04-23 - Initial Vendor Contact - Second try
2024-04-25 - Vendor Disclosure
2024-05-27 - Status request sent to vendor
2024-05-27 - Vendor reply. Patch is upcoming
2024-06-24 - Status request sent to vendor
2024-07-02 - Status request sent to vendor
2024-11-13 - Impending release announcement sent to vendor
2024-11-21 - Public Release

CREDIT

Discovered by Matt Street and Edwin Molenaar of Cisco Meraki.