Summary

Registry v3.3.0 introduced CO-specific API users, which can be either privileged (having full access to the CO via the API) or unprivileged (having no specific access unless granted). By crafting a specific sequence of API requests, a privileged CO-specific API user can obtain escalated privileges in another CO, including the COmanage CO (and therefore obtaining platform level privileges).

Severity

The severity of this issue is medium, as a privileged API user is required to escalate privileges.

Exposure

The exposure will generally be low, as this advisory only meaningfully affects multi-tenant deployments, and only those that have enabled CO-specific API users.

Recommended Mitigation

Deployments not using the described configuration need not take any action, though should plan an upgrade as soon as plausible in case CO-specific API users are created later.

Deployments using the described configuration should immediately upgrade to Registry v3.3.3, or to develop commit b014a9301a or later.

Deployments may also perform an audit, as described in Discussion, below.

Alternate Mitigations

Deployments may alternately disable any privileged CO-specific API users until an upgrade can be performed.

Discussion

Registry v3.3.0 introduced CO-specific API users, which can be either privileged (having full access to the CO via the API) or unprivileged (having no specific access unless granted). Previously, the REST API was only available to platform-wide superusers.

Certain data validation routines were not correctly updated as part of this new feature, and as a result a carefully crafted series of API calls could allow a CO-specific privileged API user to create elevated access in another CO, including to a platform administrator identity. This condition does not allow an unprivileged API user to elevate to a privileged API user.

To check for exploits, SQL queries can be used to compare the actor_identifier to the CO of the relevant record. For example:

WITH t1 AS (
  SELECT cm_identifiers.id,cm_identifiers.actor_identifier,cm_org_identities.co_id
  FROM cm_identifiers
  INNER JOIN cm_org_identities on cm_identifiers.org_identity_id=cm_org_identities.id
  WHERE cm_identifiers.actor_identifier IN (
    SELECT username
    FROM cm_api_users
    WHERE co_id > 1
    AND privileged = true
  )
), t2 AS (
  SELECT username,co_id
  FROM cm_api_users
  WHERE co_id > 1
  AND privileged = true
)
SELECT * FROM t1
LEFT JOIN t2 on t1.actor_identifier=t2.username
WHERE t1.co_id <> t2.co_id;

Tables to examine include cm_co_group_members, cm_identifiers, and cm_co_person_roles.

References

  • CO-2146


  • No labels