CVE-2023-37265
Published 2023-07-17 · CVE-2023-37265: CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification, unauthenticated attackers can execute arbitrary commands as `root`…
Priority: P2 · 75 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 6.36% (92.8th percentile)
CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification, unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS from untrusted users, for instance by not exposing it publicly.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | icewhaletech_casaos-gateway | >= 0 < 0.4.4 | 0.4.4 |
| icewhale | casaos | < 0.4.4 | 0.4.4 |
| icewhale | casaos | — | — |
| icewhale | casaos-gateway | < 0.4.4 | 0.4.4 |
| icewhale | casaos-gateway | — | — |
| icewhaletech | casaos-gateway | < 0.4.4 | 0.4.4 |
Detection & IOCs (extracted from sources)
- Unauthenticated GET request to /v1/folder?path=%2F with an X-Forwarded-For: 127.0.0.1 header spoofing an internal IP; a successful response contains '"success":200', '"message":"ok"', 'content', and 'is_dir', indicating authentication bypass via IP spoofing.
- CasaOS instances can be fingerprinted via Shodan/FOFA by searching for the path '/CasaOS-UI/public/index.html' or '/casaos-ui/public/index.html' in HTTP response bodies.
- Root cause: the gateway derives the client IP without verifying it, so attackers spoof a loopback/internal IP via X-Forwarded-For to bypass authentication and execute arbitrary commands as root.
- The extractor reads filesystem paths from the API response at .data.content[].path; a populated list confirms an unauthenticated directory listing of the filesystem root (/) after the bypass. This check proves the bypass itself, not command execution.
- The authentication bypass only works against CasaOS versions strictly below 0.4.4; the fix was introduced in commit 391dd7f (CasaOS-Gateway) and shipped in 0.4.4.
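The mechanism in the IOCs above, as an added example in Go (the language of CasaOS-Gateway) that is not the project's own code: `vulnerableClientIP` shows the weak pattern of believing the first X-Forwarded-For entry, so an external client can claim to be loopback and take the gateway's "internal caller, skip auth" shortcut; `hardenedClientIP` is one way to do the client-IP detection the patch improved, starting from the TCP peer address and only consulting the header when that peer is a listed reverse proxy. The `trustedProxies` set, the addresses, the `isInternal` rule and the `spoofedRequest` helper are assumptions constructed for the illustration, not CasaOS code.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// trustedProxies is a constructed example set; a real deployment lists the
// reverse proxies that actually sit in front of the gateway.
var trustedProxies = map[string]bool{"10.0.0.2": true}

// vulnerableClientIP illustrates the weak pattern: trust the first
// X-Forwarded-For entry no matter who sent the request. Anyone on the network
// can set that header, so the returned "client IP" is attacker-controlled.
func vulnerableClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// hardenedClientIP starts from the TCP peer (RemoteAddr), which the client
// cannot forge, and only consults X-Forwarded-For when that peer is a trusted
// proxy. It walks the header from the right, skipping trusted hops, so entries
// the attacker prepended are never the winner.
func hardenedClientIP(r *http.Request, trusted map[string]bool) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if !trusted[peer] {
		return peer // direct connection: the header is irrelevant
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return peer
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		hop := strings.TrimSpace(parts[i])
		if net.ParseIP(hop) == nil {
			return peer // malformed entry: fall back rather than trust it
		}
		if !trusted[hop] {
			return hop // rightmost address that is not one of our proxies
		}
	}
	return peer // every hop was a listed proxy
}

// isInternal is the constructed stand-in for the gateway's shortcut: a caller
// from loopback or a private range is treated as local and skips the auth check.
func isInternal(ip string) bool {
	parsed := net.ParseIP(ip)
	return parsed != nil && (parsed.IsLoopback() || parsed.IsPrivate())
}

// spoofedRequest builds the request from the public check: an external client
// asking for the filesystem root while claiming to be loopback. The peer
// address is constructed (TEST-NET-3).
func spoofedRequest() *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/v1/folder?path=%2F", nil)
	r.RemoteAddr = "203.0.113.5:51234"
	r.Header.Set("X-Forwarded-For", "127.0.0.1")
	return r
}

func main() {
	r := spoofedRequest()
	v := vulnerableClientIP(r)
	h := hardenedClientIP(r, trustedProxies)
	fmt.Printf("vulnerable: ip=%s skipAuth=%v\n", v, isInternal(v))
	fmt.Printf("hardened:   ip=%s skipAuth=%v\n", h, isInternal(h))
}
```

Running `main` prints `skipAuth=true` for the vulnerable derivation and `skipAuth=false` for the hardened one on the same spoofed request. Even with correct peer detection, a "local callers need no credentials" shortcut remains a fragile design: anything that can make the gateway connect to itself inherits the shortcut, so restricting exposure as the advisory recommends still matters after patching.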
OSV
osv · 2024-08-20
CVE-2023-37265: CasaOS Gateway vulnerable to incorrect identification of source IP addresses in github.com/IceWhaleTech/CasaOS-Gateway

OSV
osv · 2023-07-17
CVE-2023-37265 [CRITICAL]: CasaOS Gateway vulnerable to incorrect identification of source IP addresses
### Impact
Unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances.
### Patches
The problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.
### Workarounds
Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS from untrusted users, for instance by not exposing it publicly.
### References
- 391dd7f: https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7
- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/
GHSA
ghsa · 2023-07-17
CVE-2023-37265 [CRITICAL] CWE-306: CasaOS Gateway vulnerable to incorrect identification of source IP addresses
Advisory text (Impact, Patches, Workarounds, References) identical to the OSV entry above.
No detection rules found.
Nuclei
nuclei · CVSS 9.8
CVE-2023-37265 [CRITICAL]: CasaOS < 0.4.4 - Authentication Bypass via Internal IP
CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification, unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS from untrusted users, for instance by not exposing it publicly.
Template (truncated):
```yaml
id: CVE-2023-37265

info:
  name: CasaOS < 0.4.4 - Authentication Bypass via Internal IP
  author: iamnoooob,DhiyaneshDK,pdresearch
  severity: critical
  description: |
    CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthe
```
No writeups or analysis indexed.
References
- https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7
- https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g
- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos
Published: 2023-07-17