NSA workflow application Emissary vulnerable to malicious takeover

Adam Bannister 07 April 2021 at 14:28 UTC
Updated: 07 April 2021 at 15:16 UTC

Users urged to update their systems after disclosure of serious vulnerabilities


Emissary, an open source, peer-to-peer (P2P) workflow engine developed by the US National Security Agency (NSA), contains vulnerabilities that attackers could chain to take over Emissary instances.

Users have been urged to update their systems after the discovery of five security flaws in the Java web application, which runs in a multi-tiered P2P network of computer resources.

In a blog post published on Monday (April 5), security researchers from Swiss infosec outfit SonarSource demonstrated how an attacker could mount a cross-site request forgery (CSRF) attack against a logged-in user to exploit a code injection vulnerability and achieve remote code execution (RCE).


They also combined arbitrary file disclosure and reflected cross-site scripting (XSS) flaws to read arbitrary files from the Emissary server.

Once the XSS payload is executed in the victim’s browser, the file disclosure vulnerability could be exploited to read administrator credentials and relay them to an attacker-controlled server – resulting in a “quick and easy” server compromise demonstrated in the video below:

[embedded content]

XSS and arbitrary file disclosure

The Emissary XSS flaw was found in an error response message generated when a requested document was not found: the user-supplied input was reflected into the response without output encoding.

An attacker could therefore craft a malicious link that, if clicked by an authenticated victim, passes a payload that executes JavaScript in the browser, explained SonarSource researcher Dennis Brinkrolf.


The file disclosure flaw was found in a feature that displays configuration files. The file name was taken from a user-controlled HTTP query-string variable that was not sanitized and could therefore contain any file path.

A path traversal attack that injects directory-traversal character sequences would therefore enable a malicious user to read the authentication files behind Emissary’s HTTP Digest Authentication feature, which by default holds credentials for a single user, the administrator.
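The two flaws above live in the same kind of code path, a handler that takes a file name from the query string and either serves the file or reports that it was not found. The following Python model is an added example, not Emissary's code: `show_config_vulnerable` joins the raw name onto the base directory as the article describes, while `show_config_hardened` canonicalises the path and confines it to the config directory, and HTML-encodes the name in its not-found message so the reflected XSS cannot occur. The directory layout, file names and parameter names are constructed for the demo.

```python
"""
Added example (not Emissary code): a minimal model of a "show config file"
endpoint in the vulnerable form described in the article and a hardened form.
Directory layout, file names and the response format are hypothetical.
"""
import html
import os
import tempfile


def setup_demo_tree() -> str:
    """Constructed layout: <root>/config holds the only files the endpoint
    should serve; <root>/auth/digest.txt stands in for the HTTP Digest
    credentials file that must stay private."""
    root = tempfile.mkdtemp(prefix="emissary-demo-")
    os.makedirs(os.path.join(root, "config"))
    os.makedirs(os.path.join(root, "auth"))
    with open(os.path.join(root, "config", "server.cfg"), "w") as fh:
        fh.write("PORT = 8001\n")
    with open(os.path.join(root, "auth", "digest.txt"), "w") as fh:
        fh.write("admin:realm:deadbeef\n")  # constructed placeholder, not a real hash
    return root


def show_config_vulnerable(config_dir: str, name: str) -> str:
    """Vulnerable: the query-string value is joined onto the base directory
    with no check, so '../auth/digest.txt' walks out of config_dir."""
    path = os.path.join(config_dir, name)
    with open(path) as fh:
        return fh.read()


def resolve_inside(base_dir: str, name: str) -> str:
    """Canonicalise base and candidate, then require the candidate to sit
    below base. realpath also defeats symlink escapes and absolute paths,
    which a plain substring check for '..' would miss."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base}")
    return candidate


def show_config_hardened(config_dir: str, name: str) -> tuple:
    """Returns (status, html_body). Unknown files yield a 404 whose body
    HTML-encodes the user-supplied name, so the not-found message can no
    longer carry script into the victim's browser."""
    try:
        path = resolve_inside(config_dir, name)
    except PermissionError:
        return 403, "<p>Forbidden</p>"
    if not os.path.isfile(path):
        return 404, f"<p>Document {html.escape(name, quote=True)} not found</p>"
    with open(path) as fh:
        return 200, "<pre>" + html.escape(fh.read()) + "</pre>"


if __name__ == "__main__":
    cfg = os.path.join(setup_demo_tree(), "config")
    print(show_config_vulnerable(cfg, "../auth/digest.txt"))   # leaks the credentials file
    print(show_config_hardened(cfg, "../auth/digest.txt"))     # (403, '<p>Forbidden</p>')
    print(show_config_hardened(cfg, "<script>alert(1)</script>"))  # 404 with encoded name
```

The confinement check compares canonical paths rather than scanning for `..`, because encodings, absolute paths and symlinks all defeat pattern-based filters. Encoding the reflected name is the fix for the XSS; a restrictive allow-list of file names would remove the user-controlled path from the response entirely and is the stronger option where the set of config files is fixed.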

Remote takeover

The code injection bug was found in a console feature that evaluates Ruby code; because the endpoint uses no CSRF tokens, the request that triggers it can be forged from another site.

Brinkrolf demonstrated that if one user-controlled POST parameter matches the string eval, a second, attacker-controlled POST variable is accepted and passed on to the function that evaluates Ruby code.

That function receives the attacker’s Ruby expression as its first parameter, so an attacker who lures a logged-in administrator to a page that submits the forged request can execute arbitrary Ruby code on the server through the administrator’s browser.
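The following is an added example, not Emissary's code, modelling the console endpoint described above with and without a synchroniser token. The browser attaches the session cookie to a POST auto-submitted from an attacker's page exactly as it does to a legitimate one, so a cookie alone cannot tell the two apart; a per-session token embedded in the console page can, because the same-origin policy stops the attacker's page from reading it. The `mode`/`expr`/`csrf_token` parameter names and the session handling are hypothetical, and Python's `eval` stands in for the Ruby evaluator so the block runs stand-alone.

```python
"""
Added example (not Emissary code): a console endpoint that evaluates an
expression on POST, first with no CSRF defence and then guarded by a
per-session synchroniser token. Parameter names and session handling are
hypothetical; Python's eval stands in for the Ruby console.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Only the parts of an HTTP request that matter for CSRF."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


# Server-side state: session id -> CSRF token minted when the console page was rendered.
SESSIONS: dict = {}


def render_console_page(session_id: str) -> str:
    """Mint an unguessable token, bind it to the session and embed it in the
    form. A cross-site attacker cannot read this response, so cannot learn it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return (
        '<form method="post" action="/console">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="mode" value="eval"><textarea name="expr"></textarea>'
        "</form>"
    )


def _evaluate(expr: str):
    # Still runs whatever the administrator submitted; the CSRF token only
    # guarantees that the administrator, not a third-party page, chose it.
    # Empty builtins keep this demo harmless; they are not a sandbox.
    return eval(expr, {"__builtins__": {}}, {})


def console_vulnerable(req: Request) -> tuple:
    """Vulnerable: any request carrying a valid session cookie is trusted,
    including one auto-submitted by a page the administrator merely visited."""
    if req.cookies.get("session") not in SESSIONS:
        return 401, None
    if req.form.get("mode") == "eval":
        return 200, _evaluate(req.form["expr"])
    return 400, None


def console_hardened(req: Request) -> tuple:
    """Hardened: the token from the form must match the one bound to the
    session, compared in constant time; otherwise nothing is evaluated."""
    expected = SESSIONS.get(req.cookies.get("session"))
    if expected is None:
        return 401, None
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, None
    if req.form.get("mode") == "eval":
        return 200, _evaluate(req.form["expr"])
    return 400, None


if __name__ == "__main__":
    sid = "session-abc"  # constructed session id
    render_console_page(sid)
    # What an attacker's page can forge: the cookie rides along, the token does not.
    forged = Request(cookies={"session": sid}, form={"mode": "eval", "expr": "7*6"})
    print(console_vulnerable(forged))  # (200, 42): attacker's expression ran
    print(console_hardened(forged))    # (403, None): rejected before evaluation
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a second layer, since the browser then withholds the cookie from cross-site POSTs, but the token check is the defence that does not depend on client behaviour. Independently of CSRF, an authenticated endpoint that evaluates arbitrary code is itself a remote-code-execution primitive, which is why the article treats the two together.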

SonarSource researchers also discovered authenticated file delete and file upload vulnerabilities.

Disclosure timeline

The vulnerabilities were found in Emissary version 5.9.0.

The researchers initiated contact with Emissary’s maintainers on September 24, 2020, and sent them an advisory on October 16. Version 5.11.0, which addressed the RCE issue, was then issued on December 15.

The maintainers were notified of the remaining vulnerabilities on January 7 and released version 6.1 on March 2.

However, on March 5 SonarSource informed maintainers that the CSRF and path traversal problems remained unpatched.

The Daily Swig has asked the maintainers about a timeline for final patches – we will update this article if and when we hear back.

