Warning: unauthenticated remote code execution (RCE) vulnerabilities on Strapi servers, patch immediately!

Reference:
Advisory #2023-44

Version:
1.0

Affected software:
All Strapi servers running a version prior to v4.5.5

Type:
Unauthenticated Remote Code Execution

CVE/CVSS:
CVE-2023-22894, CVSS 9.8: AV: N/AC: L/PR: N/UI: N/S:U/C:H/I:H/A:H
CVE-2023-22621, CVSS 10: AV: N/AC: L/PR: N/UI:N/S:C/C:H/I:H/A:H

Sources

https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve?utm_campaign=ProductMarketing-StrapiBlog&utm_source=devto&utm_medium=blog

Risks

Strapi is a headless CMS that is used to develop websites, mobile applications, eCommerce sites, and APIs. It allows organisations to create an API for the backend or databases without technical knowledge. The system builds APIs based on content models automatically.

By successfully exploiting both CVE-2023-22621 and CVE-2023-22894, an unauthenticated remote attacker can exploit and hijack a super admin account via the admin panel and use that account to modify the users-permissions template, which makes it possible to execute arbitrary code on vulnerable Strapi servers.

When both vulnerabilities are successfully exploited it has a high impact on Confidentiality, Integrity, and availability.

The Centre for Cyber security Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.

Description

CVE-2023-22894 leaks sensitive user information by filtering on private fields from a query.

CVE-2023-22621 is a server-side template injection vulnerability impacting Strapi’s users-permission plugin’s email template system.

CVE-2023-22894 and CVE-2023-22621 can be chained together in an automated script to hijack Super Admin Users via the admin panel and then execute code as an unauthenticated user on all Strapi servers running versions prior to 4.5.5.

To be successfully exploited, an attacker must first exploit CVE-2023-22894 to obtain a new password for a super administrator account and grab the API token for the admin API.
 

Recommended Actions

The Centre for Cyber security Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyze system and network logs for any suspicious activity.

Recommended method to detect exploitation

You can detect indicators of compromise (IoC) on your systems by following the procedures below.

Detecting exploitation of CVE-2023-22621

1. Look if a Strapi email template was modified on your server using the request log files by searching for a PUT request to URL path /users-permissions/email-templates
2. If detected, manually review email templates on your Strapi server and backups of your database to see if any of the templates contain a lodash template delimiter that contains suspicious JavaScript code. Unrecognized code should be considered suspicious. Look for odd code within the template delimiter code blocks as this is what is used to bypass the lodash templating system. Odd code could for instance be any code that is not a variable name, or a variable name that is not defined in the template.
3. If you find this, immediately check if there are no malicious applications running on your servers.

Detecting exploitation of CVE-2023-22894

1. Search log files for the payload, which is within the GET parameters normally included in request logs by using grep -iE '(\[|%5B)\s*(email|password|reset_password_token|resetPasswordToken)\s*(\]|%5D)' $PATH_TO_LOG_FILE
2. If this regex pattern matches lines in the log files, look out for multiple requests that include  password, reset_password_token or resetPasswordToken. This would indicate that an attacker has leaked password hashes and reset tokens on the Strapi server.

If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.