Teleport’s Security Breach: Centralized System Faces Critical Vulnerabilities
Teleport, a renowned platform offering centralized authentication and auditing for servers and cloud applications, has recently found itself in the cybersecurity spotlight. This platform, however, has multiple vulnerabilities, some of which are deemed ‘Critical‘.
Server-Side Request Forgery (SSRF) Vulnerability
Among the most alarming discoveries is a vulnerability allowing users with lower-level access to launch ‘Server-Side Request Forgery (SSRF)’ attacks across any host through proxies or agents. This flaw, marked under the identifier ‘GHSA-hw4x-mcx5-9q36‘ on GitHub, leads to potential unauthorized data access and manipulation.
An authenticated attacker, armed with valid credentials, can exploit this SSRF vulnerability non-blindly via the proxy and/or agents to target arbitrary hosts. During an in-depth investigation, it was found that several permutations of this SSRF vulnerability exist. While most have been addressed in the latest release, one remains: a root proxy administrator with access to root proxy credentials can still make requests through leaf proxies in Trusted Clusters. This revelation is particularly troubling for Teleport users operating in Trusted Cluster configurations, urging immediate implementation of network restrictions to mitigate this risk.
Privilege Escalation Vulnerability
Another critical vulnerability, identified as ‘GHSA-76cc-p55w-63g3‘, was found in Teleport’s version 14 access list feature. This newly introduced feature, still in its preview phase, was found to be susceptible to privilege escalation. It enables an Access List Owner to assign arbitrary permissions, including elevating their access rights, a classic tale of the guard becoming the thief.
High Severity Vulnerabilities: SFTP and macOS Agents
Adding to the woes, two ‘High’ severity vulnerabilities were also unearthed. One, tagged as ‘GHSA-c9v7-wmwj-vf6x‘, facilitates connections via ‘SFTP’ to nodes within the cluster. The other, ‘GHSA-vfxf-76hv-v4w4‘, is a chameleon in the macOS agents, allowing the execution of unexpected code due to user-specified environmental variables. These vulnerabilities, though less severe than their ‘Critical’ counterparts, pose a significant threat to the integrity of the system.
Patching the Breach
In response to these security challenges, Teleport has released updated versions – 14.2.4, 13.4.13, and 12.4.31 – to address these vulnerabilities. Further strengthening the defense, versions 14.3.0, 13.4.14, and 12.4.32 have also been rolled out, incorporating these essential fixes.