Talos Vulnerability Report

TALOS-2024-1962

GoCast HTTP API lack of authentication vulnerability

November 21, 2024
CVE Number

CVE-2024-21855

SUMMARY

A lack of authentication vulnerability exists in the HTTP API functionality of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

GoCast 1.1.3

PRODUCT URLS

GoCast - https://github.com/mayuresh82/gocast

CVSSv3 SCORE

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-306 - Missing Authentication for Critical Function

DETAILS

GoCast performs BGP route advertisements from a host using GoBGP.

The GoCast service exposes a powerful HTTP API that allows apps to be registered and unregistered without requiring any authentication. Additionally, the example configuration file shipped with the project enables this API by default.

The API exposes limited information about the status of the service and allows full creation or removal of applications with no limits on how they can be configured. Because the only function of the service is the creation and monitoring of these apps, this unprotected API grants full control over the service.

The registration of apps allows an attacker to abuse the BGP functionality of GoCast, create new NAT firewall rules, and choose network connections or arbitrary scripts to run on a regular basis as part of the app’s monitoring.

The monitor parameter in particular allows an attacker to execute arbitrary commands, because the code simply executes whatever is passed in the monitor parameter.

// Excerpt from GoCast: the monitor string supplied in the app registration
// is handed to a shell unchanged, so it is interpreted as a bash command line.
func execMonitor(cmd string) bool {
	out := exec.Command("bash", "-c", cmd)

Mitigation

Users of GoCast should disable the HTTP API or, if it cannot be disabled, place it behind an authenticating reverse proxy.
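One way to implement the reverse-proxy mitigation above, as an added example that is not GoCast's or Talos's code: a small Go proxy that forwards requests to the API only when they carry a shared bearer token. It assumes the GoCast API has been rebound to a loopback address (127.0.0.1:8181 here) so that only the proxy can reach it, and that the token is supplied through a GOCAST_API_TOKEN environment variable; both values are illustrative, not GoCast settings.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// requireBearer wraps an upstream handler and rejects any request whose
// Authorization header does not carry the expected bearer token. The
// comparison is constant-time so the check does not leak via timing.
func requireBearer(token string, next http.Handler) http.Handler {
	expected := []byte("Bearer " + token)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("Authorization"))
		if subtle.ConstantTimeCompare(got, expected) != 1 {
			w.Header().Set("WWW-Authenticate", `Bearer realm="gocast-api"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newAuthProxy builds a reverse proxy to upstream (the loopback-only GoCast
// API) that forwards only requests carrying the bearer token.
func newAuthProxy(upstream string, token string) (http.Handler, error) {
	target, err := url.Parse(upstream)
	if err != nil {
		return nil, err
	}
	return requireBearer(token, httputil.NewSingleHostReverseProxy(target)), nil
}

func main() {
	// Assumed environment variable; GoCast itself has no such setting.
	token := os.Getenv("GOCAST_API_TOKEN")
	if token == "" {
		log.Fatal("GOCAST_API_TOKEN must be set")
	}
	// Assumption: the GoCast API listens on 127.0.0.1:8181, unreachable from other hosts.
	proxy, err := newAuthProxy("http://127.0.0.1:8181", token)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("0.0.0.0:8443", proxy))
}
```

Operators should also restrict who holds the token and log rejected requests at the proxy, since any request reaching the API itself is fully trusted by GoCast.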

GoCast should provide a means to configure authentication on the API, disable the API by default, and better document the sensitivity of the API when used in production environments.

TIMELINE

2024-04-02 - Initial Vendor Contact
2024-04-23 - Initial Vendor Contact - Second try
2024-04-25 - Vendor Disclosure
2024-05-27 - Status request sent to vendor
2024-05-27 - Vendor reply. Patch is upcoming
2024-06-24 - Status request sent to vendor
2024-07-02 - Status request sent to vendor
2024-11-13 - Impending release announcement sent to vendor
2024-11-21 - Public Release

Credit

Discovered by Edwin Molenaar and Matt Street of Cisco Meraki.