
Open redirection in Peering Manager allows an attacker to redirect users to arbitrary websites

Open Source

NTCF:
NTCF-2023-19500

CVE:
CVE-2024-28113

Product:
Peering Manager

Vendor:
Peering Manager

Criticality:
low

Status:
fixed

Discovered:
2023-12-12

Detail:
Public

Vulnerable version:
<=1.8.2

Fixed version:
1.8.3

Summary

Peering Manager is a BGP session management tool. Versions <=1.8.2 of Peering Manager are vulnerable to an open redirection using the return_url URL parameter. This allows adversaries to redirect users to an arbitrary website.

Background

Peering Manager is an open-source BGP session management solution built with Python and the Django framework. Designed with features and simplicity in mind, it allows engineers to track, maintain and configure BGP sessions from a centralised management point without the usual tedious manual provisioning task.

The NTC discovered that Peering Manager is used by various Swiss internet service providers and started testing it as part of our mission to improve cyber security for Swiss society.

Vulnerability

Before version 1.3.8, Peering Manager used a simple validation logic for redirect URLs as shown in the code snippet below (Source: https://github.com/peering-manager/peering-manager/blob/7b7a16e165088e5fd2e95bc45fc6b5e7382f3e4b/utils/views.py#L42).

def get_return_url(self, request, instance=None):
    # Check if `return_url` was specified as a query parameter or form
    # data, use this URL only if it's safe
    return_url = request.GET.get("return_url") or request.POST.get("return_url")
    if return_url and return_url.startswith("/"):
        return return_url

    # Check if the object being modified (if any) has an absolute URL
    if (
        instance is not None
        and instance.pk
        and hasattr(instance, "get_absolute_url")
    ):
        return instance.get_absolute_url()
    [...]

The intention behind the check for a leading forward slash (/) is to ensure that only a Peering Manager internal route gets forwarded as-is.

The proof of concept below gives an example of how this check can be bypassed to redirect to arbitrary websites.

Proof of Concept

  1. Open the following URL: http://[ip]:[port]/autonomous-systems/1/edit/?return_url=//google.com. For this example, an ASN with the ID 1 is needed, but the same method works on other forms as well.
    The double slash before google.com is used to satisfy the check described above: the value starts with a slash, but browsers interpret a protocol-relative URL (//host) as an external address.
  2. Save the form or close it.
  3. (Redirect to google.com happens.)
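To make the weakness in the forward-slash check concrete, the following is an added example (it is not Peering Manager's code and not the project's actual fix). It places the original `startswith("/")` test next to a hypothetical stricter validator, `strict_is_safe`, that only accepts path-only, same-origin targets, and runs both over a set of constructed return_url values including the protocol-relative form from the proof of concept:

```python
from urllib.parse import urlsplit

# Constructed sample return_url values for this example. "//google.com" is the
# protocol-relative form used in the proof of concept; the others are common
# variants a redirect validator should also reject.
SAMPLE_RETURN_URLS = [
    "/autonomous-systems/1/",   # genuine internal route
    "//google.com",             # protocol-relative: passes the weak check
    "/\\google.com",            # browsers normalise "\" to "/", i.e. "//google.com"
    "///google.com",            # extra slashes are collapsed by browsers as well
    "https://google.com/",      # absolute URL
    "javascript:alert(1)",      # scheme without host
    "",                         # empty: caller should fall back to a default
]


def weak_is_safe(return_url: str) -> bool:
    """The check used by Peering Manager <= 1.8.2: a leading slash is enough."""
    return bool(return_url) and return_url.startswith("/")


def strict_is_safe(return_url: str) -> bool:
    """Hypothetical hardened check: accept only a same-origin path.

    Rules:
    - must start with exactly one "/" (rejects "//host" and "///host")
    - no backslashes, whitespace or control characters (browsers rewrite
      or strip them, so "/\\host" or "/\\n/host" would become "//host")
    - must parse without a scheme or network location
    """
    if not return_url:
        return False
    if not return_url.startswith("/") or return_url.startswith("//"):
        return False
    if any(c == "\\" or c.isspace() or ord(c) < 32 for c in return_url):
        return False
    parts = urlsplit(return_url)
    return parts.scheme == "" and parts.netloc == ""


def resolve_return_url(return_url: str, default: str = "/") -> str:
    """Pick the redirect target, falling back to a safe default on rejection."""
    return return_url if strict_is_safe(return_url) else default


def compare(urls=SAMPLE_RETURN_URLS):
    """Map each sample value to (weak_is_safe, strict_is_safe)."""
    return {u: (weak_is_safe(u), strict_is_safe(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"{url!r:28} weak={weak!s:5} strict={strict}")
```

In a Django application the usual way to get this behaviour is `django.utils.http.url_has_allowed_host_and_scheme(url, allowed_hosts=...)`, which additionally permits absolute URLs for an explicit set of trusted hosts; the hand-written validator above only illustrates why a prefix check on "/" is not sufficient.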

Remediation

The URL validation was corrected in the commits 49dc5593184d7740d81e57dbbe3f971d2969dfac and b74da036b1fba50b4fe8e8e47bca2bb5799c7ee2.

Patches

This issue has been fixed in version 1.8.3. It is recommended that all users of Peering Manager update to the latest version. There are no known workarounds for this vulnerability.


Timeline

2023-12-12: initial discovery

2023-12-18: first contact with vendor

2024-01-23: private disclosure to vendor

2024-01-23: confirmation by the maintainer and fix for the reported issue

2024-01-29: Additional bypass found and reported by the NTC

2024-01-30: fix by vendor

2024-02-03: version 1.8.3 released containing the fix

2024-03-12: CVE and advisory published by vendor

2024-06-25: public disclosure