Summary
Any user with the capability manage customizations:
- can execute commands on the underlying infrastructure where OpenCTI is hosted.
- can access internal server side secrets by misusing the web-hooks.
Details
The web-hook feature in OpenCTI allows users to customise messages sent through web-hooks. Provided with a default installation are examples of Microsoft Teams web-hooks. The dynamics of the web-hook is built upon javascript, which a user can enter in a web-hook template field. A malicious user can abuse this to execute commands in the hosting environment on which OpenCTI is executing. A protection layer has been added to guard against using external modules in the javascript code for the web hooks, but these can be bypassed.
A common implementation of OpenCTI is to host it in containers, either directly in docker or in a Kubernetes cluster and in these setups sensitive secrets are passed to the container via environment variables. These environment variables are accessible from the web-hook javascript.
Impact
Since the malicious user gets a root shell inside a container this opens up the the infrastructure environment for further attacks and exposures.
itlabbet Reporter
Summary
Any user with the capability
manage customizations:Details
The web-hook feature in OpenCTI allows users to customise messages sent through web-hooks. Provided with a default installation are examples of Microsoft Teams web-hooks. The dynamics of the web-hook is built upon javascript, which a user can enter in a web-hook template field. A malicious user can abuse this to execute commands in the hosting environment on which OpenCTI is executing. A protection layer has been added to guard against using external modules in the javascript code for the web hooks, but these can be bypassed.
A common implementation of OpenCTI is to host it in containers, either directly in docker or in a Kubernetes cluster and in these setups sensitive secrets are passed to the container via environment variables. These environment variables are accessible from the web-hook javascript.
Impact
Since the malicious user gets a root shell inside a container this opens up the the infrastructure environment for further attacks and exposures.