Blind SSRF When Uploading Presentation

Moderate
antobinary published GHSA-3q22-hph2-cff7 Jun 26, 2023

Package

bbb-web (BigBlueButton)

Affected versions

< 2.5.18, < 2.6.9

Patched versions

2.5.18, 2.6.9

Description

Impact

Server-Side Request Forgery (SSRF) is an attack in which a malicious actor abuses an application's functionality to read or modify internal resources. This is typically accomplished by supplying a URL to the server, which the server then interacts with. In an insertDocument API request, an administrator who knows the API Secret Salt is able to supply a URL from which the presentation should be downloaded. This URL was used without first being validated.

Patches

The followRedirect method in the PresentationUrlDownloadService has been updated to validate every URL used for presentation download. Two new properties, presentationDownloadSupportedProtocols and presentationDownloadBlockedHosts, have been added to bigbluebutton.properties so that administrators can define which protocols a URL must use and explicitly list hosts from which a presentation must not be downloaded. All URLs passed to insertDocument must conform to the requirements of these two properties. Additionally, these URLs must resolve to valid addresses, and those addresses must not be local or loopback addresses.

Patch on BigBlueButton 2.6.9: #18045
Patch on BigBlueButton 2.5.18: #18052
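The following is an added example of the kind of check the patch description calls for, written here for illustration and not taken from BigBlueButton's code. It applies, in order, a protocol allowlist, a blocked-host list, DNS resolution, and rejection of any loopback, private, link-local or otherwise non-public address, and re-applies the whole check to every hop of a redirect chain, which is what a validating followRedirect must do. The two property names from the advisory are reused as plain Python settings; their values, the sample hostnames and the stub DNS table are all constructed so the example runs offline.

```python
"""Validate a URL before the server downloads a presentation from it.

Added example (not BigBlueButton's own code). The constants below mirror the
two properties named in the advisory; their values are constructed, not the
project's defaults.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Mirrors presentationDownloadSupportedProtocols / presentationDownloadBlockedHosts
# from the advisory; the values are constructed examples.
PRESENTATION_DOWNLOAD_SUPPORTED_PROTOCOLS = {"https", "http"}
PRESENTATION_DOWNLOAD_BLOCKED_HOSTS = {"169.254.169.254", "metadata.google.internal"}

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve host to all of its A/AAAA addresses via the OS; empty list on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed DNS table so the example runs offline; these are not real records.
SAMPLE_DNS: Dict[str, List[str]] = {
    "files.example.org": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "intranet.example.org": ["10.0.0.5"],
    # A name with one public and one private record must still be rejected.
    "dual.example.org": ["93.184.216.34", "192.168.1.20"],
}


def sample_resolver(host: str) -> List[str]:
    """Stub resolver: IP literals resolve to themselves, names come from SAMPLE_DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return SAMPLE_DNS.get(host, [])


def is_public_address(addr: str) -> bool:
    """True only for a globally routable unicast address.

    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first so that a mapped
    loopback or private address is judged by its IPv4 meaning.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def rejection_reason(url: str, *,
                     supported_protocols=PRESENTATION_DOWNLOAD_SUPPORTED_PROTOCOLS,
                     blocked_hosts=PRESENTATION_DOWNLOAD_BLOCKED_HOSTS,
                     resolver: Resolver = system_resolver) -> Optional[str]:
    """Return why url must not be fetched, or None if it passes every check."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in supported_protocols:
        return f"unsupported scheme {scheme!r}"
    host = parts.hostname  # lowercased; brackets stripped from IPv6 literals
    if not host:
        return "missing host"
    if host in {h.lower() for h in blocked_hosts}:
        return f"blocked host {host!r}"
    addrs = resolver(host)
    if not addrs:
        return f"host {host!r} does not resolve"
    # Every resolved address counts: one internal record is enough to reject.
    for addr in addrs:
        if not is_public_address(addr):
            return f"host {host!r} resolves to non-public address {addr}"
    return None


def first_rejected_hop(urls: Iterable[str], **kwargs) -> Optional[str]:
    """Check the original URL and each redirect target with the same rules.

    Returns "<hop>: <reason>" for the first hop that fails, else None.
    """
    for hop in urls:
        reason = rejection_reason(hop, **kwargs)
        if reason:
            return f"{hop}: {reason}"
    return None


if __name__ == "__main__":
    for candidate in ["https://files.example.org/deck.pdf",
                      "ftp://files.example.org/deck.pdf",
                      "http://169.254.169.254/latest/meta-data",
                      "http://localhost:8090/deck.pdf",
                      "http://[::ffff:127.0.0.1]/deck.pdf"]:
        print(candidate, "->", rejection_reason(candidate, resolver=sample_resolver) or "allowed")
```

Two design points are worth noting. The resolver is injected so the check can be exercised offline, and it returns every address for a name rather than the first one, because a host with a single internal record alongside public ones is still a path inward. The check is also deliberately separate from the fetch: a production implementation should connect to the address it just validated rather than resolving the name a second time, otherwise a record that changes between validation and connection (DNS rebinding) reopens the gap.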

Workarounds

There are no workarounds. We recommend upgrading to a patched version of BigBlueButton.

Credits

We received two independent reports about the same vulnerability vector.

  • Abdulmohsen Alotaibi who contacted us via huntr.dev and responsibly disclosed this vulnerability.

  • We thank Germany's Federal Office for Information Security (bsi.bund.de), who contacted us and responsibly disclosed this vulnerability. This finding is a result of a project that is part of their Information Security initiative.

Severity

Moderate, 4.8 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: High
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: Low

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

CVE ID

CVE-2023-33176