October 17, 2023 at 10:51AM
Two critical security flaws have been discovered in the CasaOS personal cloud software. These vulnerabilities allow attackers to bypass authentication and gain full access to the CasaOS dashboard. Additionally, attackers can exploit third-party applications to execute arbitrary commands on the system and gain persistent access. The flaws have been addressed in version 0.4.4 of CasaOS.
Meeting Notes – Oct 17, 2023
Topic: Newsroom Vulnerability / Cyber Threat
– Two critical security flaws discovered in the open-source CasaOS personal cloud software
– The vulnerabilities are tracked as CVE-2023-37265 and CVE-2023-37266
– Both vulnerabilities have a CVSS score of 9.8 out of 10
– Sonar security researcher Thomas Chauchefoin discovered the bugs
– The flaws allow attackers to bypass authentication and gain full access to the CasaOS dashboard
– CasaOS’ support for third-party applications can be exploited to run arbitrary commands and gain persistent access to the system
– The flaws were addressed in version 0.4.4 released by IceWhale on July 14, 2023
– Description of the flaws:
  – CVE-2023-37265: Incorrect identification of the source IP address, allowing unauthenticated attackers to execute arbitrary commands as root on CasaOS instances
  – CVE-2023-37266: Unauthenticated attackers can craft arbitrary JSON Web Tokens (JWTs), access features that require authentication, and execute arbitrary commands as root on CasaOS instances
– Successful exploitation of the vulnerabilities could allow attackers to bypass authentication restrictions and gain administrative privileges on vulnerable CasaOS instances
– Chauchefoin advises against relying on IP address identification for security decisions
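As an added illustration (not CasaOS code; the notes do not say which mechanism affected CasaOS), the Go sketch below shows the most common way a server misidentifies the source IP, by believing a client-controlled X-Forwarded-For header, next to the hardened lookup that Chauchefoin's advice points toward. The `trustedProxies` entry and all addresses are constructed values; `naiveClientIP`, `clientIP`, `peerIP` and `isLocal` are hypothetical names.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Proxies whose X-Forwarded-For we believe (constructed value; real deployments load this from config).
var trustedProxies = map[string]bool{"10.0.0.2": true}
// peerIP is the address of the TCP peer, which a remote client cannot forge.
func peerIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// naiveClientIP is the unsafe pattern: X-Forwarded-For is client-controlled, so anyone can claim 127.0.0.1.
func naiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return peerIP(r)
}

// clientIP honours X-Forwarded-For only from a trusted proxy, taking the entry that proxy appended last.
func clientIP(r *http.Request) string {
	peer := peerIP(r)
	xff := r.Header.Get("X-Forwarded-For")
	if !trustedProxies[peer] || xff == "" {
		return peer
	}
	parts := strings.Split(xff, ",")
	return strings.TrimSpace(parts[len(parts)-1])
}

// isLocal must never replace authentication: even a correct IP only says where the connection came from.
func isLocal(ip string) bool {
	p := net.ParseIP(ip)
	return p != nil && p.IsLoopback()
}

func main() {
	r, _ := http.NewRequest("GET", "/", nil) // constructed request from 203.0.113.5
	r.RemoteAddr, r.Header = "203.0.113.5:4444", http.Header{"X-Forwarded-For": {"127.0.0.1"}}
	fmt.Println(isLocal(naiveClientIP(r)), isLocal(clientIP(r))) // true false
}
```

The naive lookup treats the remote request as local, the hardened one does not; and even the hardened address should only feed logging or rate limiting, never a decision to skip authentication.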
Please let me know if you need any further information.