MindsDB Fixes Critical CVE-2024-24759: DNS Rebinding Attack Bypasses Security Protections
MindsDB, the widely-used open-source platform for building AI applications, has patched a severe security vulnerability that could allow attackers to bypass security measures and launch a variety of attacks. The vulnerability, tracked as CVE-2024-24759 with a CVSS score of 9.3 (critical), involves a bypass of Server-Side Request Forgery (SSRF) protection using DNS rebinding, a technique that manipulates domain name resolution.
The flaw allows attackers to bypass SSRF protection, a crucial security measure that prevents malicious requests from being sent from a server on behalf of a user. This bypass could potentially enable attackers to access sensitive data, execute arbitrary code, or even launch denial-of-service attacks.
DNS rebinding is a sophisticated attack technique where the initial DNS query resolves to a public IP address, while subsequent queries are redirected to a private IP address. For example, a domain like make-190.119.176.200-rebind-127.0.0.1-rr.1u.ms could first resolve to 190.119.176.200 (a public address) and then to 127.0.0.1 (a private address) in subsequent DNS lookups. This manipulation allows attackers to direct traffic to internal systems, bypassing protections meant to prevent unauthorized access.
In the case of CVE-2024-24759, the SSRF protection within MindsDB can be bypassed due to this rebinding technique. When the vulnerable is_private_url() function issues a DNS query, the first request resolves to a public IP address, but thanks to DNS rebinding, the next GET request can access internal resources, exposing sensitive data or leading to potential service disruption.
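The gap described above is a time-of-check/time-of-use problem: the address that is validated is not necessarily the address that is later connected to. The following is an added example, not MindsDB's code or its patch; the function names, the injectable resolver and the hostname are assumptions made for illustration. It models the two-lookup pattern next to a resolve-once, connect-to-the-validated-IP pattern.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host):
    """All addresses the name maps to right now (real DNS; not used in the demo)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public(ip):
    # is_global is False for loopback, RFC 1918, link-local and other reserved ranges.
    return ipaddress.ip_address(ip).is_global

def check_then_connect(url, resolver=system_resolver):
    """Time-of-check/time-of-use pattern: one lookup is validated, another is used."""
    host = urlsplit(url).hostname
    if not all(is_public(ip) for ip in resolver(host)):  # lookup 1: the check
        raise ValueError("blocked: non-public address")
    return resolver(host)[0]  # lookup 2: what the HTTP client would connect to

def pinned_target(url, resolver=system_resolver):
    """Resolve once, validate every answer, and hand back the IP to connect to."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host")
    ips = resolver(host)
    if not ips or not all(is_public(ip) for ip in ips):
        raise ValueError("blocked: non-public address")
    # Caller connects to ips[0] and sends `host` only as Host header / TLS SNI,
    # so no second DNS lookup happens between the check and the request.
    return ips[0], host

class ChangingResolver:
    """Constructed test double: returns a different answer on each query."""
    def __init__(self, answers):
        self.answers, self.calls = list(answers), 0
    def __call__(self, host):
        ip = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return [ip]

if __name__ == "__main__":
    url = "http://rebind.example.test/"  # constructed hostname
    answers = ["190.119.176.200", "127.0.0.1"]  # the two addresses from the article
    print(check_then_connect(url, ChangingResolver(answers)))
    print(pinned_target(url, ChangingResolver(answers)))
```

Redirects need the same treatment: each redirect target has to pass through the same resolve-validate-pin step before it is followed.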
Security researcher Sim4n6, who discovered the vulnerability, has also published proof-of-concept exploit code, further emphasizing the urgency of patching the vulnerability. The exploit demonstrates how attackers can leverage DNS rebinding to circumvent MindsDB’s SSRF protection.
All versions of MindsDB prior to v23.12.4.2 are vulnerable to this exploit. The MindsDB development team has since released a patch in v23.12.4.3, which addresses the vulnerability by implementing stronger DNS validation measures to prevent rebinding attacks. Users are strongly advised to upgrade to this patched version immediately to protect their systems from exploitation.