Description
Webhood is a self-hosted URL scanner used for analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to a Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send an HTTP request to the database (Pocketbase) admin API to create an admin account. The Pocketbase admin API does not check for authentication/authorization when creating an admin account as long as no admin account has been added yet. In its default deployment, Webhood does not create a database admin account. Therefore, unless users have manually created an admin account in the database, no admin account exists in the deployment and the deployment is vulnerable. Versions starting from 0.9.1 are patched: the patch creates a randomly generated admin account if no admin account has already been created, i.e. precisely in the case in which the deployment would otherwise be exploitable. As a workaround, users can disable access to URL paths starting with `/api/admins` entirely. With this workaround, the vulnerability is not exploitable via the network.
EPSS Score:
1%
Comprehensive Technical Analysis of EUVD-2024-29115
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Description: The vulnerability in Webhood's backend container images (versions 0.9.0 and earlier) allows an unauthenticated attacker to create an admin account via the Pocketbase admin API. This is due to a Missing Authentication for Critical Function vulnerability, where the API does not check for authentication/authorization when creating an admin account if no admin accounts exist.
Severity Evaluation:
- CVSS Base Score: 9.8
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The high base score indicates a critical vulnerability. The attack vector (AV:N) is network-based, requiring low complexity (AC:L) and no privileges (PR:N) or user interaction (UI:N). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H).
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Network-Based Attack: An attacker can send an HTTP request to the Pocketbase admin API to create an admin account.
- Unauthenticated Access: The vulnerability allows unauthenticated access to the admin API, making it easier to exploit.
Exploitation Methods:
- Admin Account Creation: An attacker sends a crafted HTTP POST request to the `/api/admins` endpoint to create an admin account; because no admin account exists yet, Pocketbase accepts the request without any credentials.
- Privilege Escalation: Once an admin account is created, the attacker has full control over the Pocketbase database (all stored scan data, collections and settings) and potentially over the entire Webhood deployment.
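A way to check whether a given deployment is actually in the vulnerable state without creating anything, written as an added example (it is not code from the Webhood or Pocketbase projects). It relies on one assumption about Pocketbase's request handling, stated in the docstring: the "require admin auth only if an admin exists" check on POST `/api/admins` runs before the request body is parsed, so an empty JSON body is answered with 400 when no admin exists and with 401 when one does. The backend URL in the usage line and the embedded fake server (a constructed stand-in used only for the offline self-test) are likewise not part of the original page.

```python
"""Non-destructive check for CVE-2024-31218: does this Webhood backend accept
an unauthenticated admin-creation request on the Pocketbase admin API?

Added example, not code from the Webhood or Pocketbase projects.
Assumption it relies on: on POST /api/admins Pocketbase runs its
"require admin auth only if any admin exists" middleware before it parses the
request body. An intentionally invalid (empty) JSON body therefore tells the
two states apart without ever creating an account:
  400 -> no admin exists; the body was parsed and rejected as incomplete,
         so a well-formed request would have created an admin (VULNERABLE)
  401 -> an admin exists; the request was refused before parsing
  403 / 404 -> the path is blocked, e.g. by the /api/admins proxy workaround
"""
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ADMINS_PATH = "/api/admins"


def classify(status):
    """Map the HTTP status of the empty-body POST to a verdict string."""
    if status == 400:
        return "VULNERABLE: no admin exists, unauthenticated admin creation is possible"
    if status == 401:
        return "protected: an admin exists, admin creation requires admin auth"
    if status in (403, 404):
        return "blocked: /api/admins is not reachable from this vantage point"
    return "unknown: unexpected status %d, inspect manually" % status


def probe(base_url, timeout=5.0):
    """POST an empty JSON object to <base_url>/api/admins; return (status, verdict)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ADMINS_PATH,
        data=b"{}",
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # a 4xx is the expected, informative outcome here
    return status, classify(status)


class _FakePocketbase(BaseHTTPRequestHandler):
    """Constructed stand-in for the Pocketbase admin API, used only for the
    offline self-test below. `has_admin` selects the branch the real
    middleware would take."""
    has_admin = False

    def do_POST(self):
        if self.path != ADMINS_PATH:
            self.send_error(404)
        elif self.has_admin:
            self.send_error(401, "The request requires admin authorization token to be set.")
        else:
            self.send_error(400, "Failed to create admin.")

    def log_message(self, *args):
        pass  # keep the self-test quiet


def _serve_fake(has_admin):
    """Start the fake on an ephemeral localhost port; return (server, base_url)."""
    handler = type("Handler", (_FakePocketbase,), {"has_admin": has_admin})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port


def self_test():
    """Run probe() against both branches of the fake; returns {has_admin: status}."""
    results = {}
    for has_admin in (False, True):
        server, url = _serve_fake(has_admin)
        try:
            results[has_admin] = probe(url)[0]
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, verdict = probe(sys.argv[1])  # e.g. http://webhood-backend:8080 (assumed URL)
        print("%s -> HTTP %d: %s" % (sys.argv[1], status, verdict))
    else:
        print("self-test:", self_test())
```

Run it against the backend's base URL from the network position an attacker would have (not from inside the container): a 400 means the deployment is open, a 401 means an admin exists, and a 403 or 404 means the path is blocked in front of the backend. A 400 result is also the right moment to apply the patch or workaround, since the same request with a valid e-mail and password would have created the account.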
3. Affected Systems and Software Versions
Affected Versions:
- Webhood backend container images versions 0.9.0 and earlier.
Patched Versions:
- Webhood versions starting from 0.9.1.
Deployment Scenarios:
- Default deployments of Webhood where no admin accounts have been manually created.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Disable Access to Vulnerable Endpoint: Block requests to URL paths starting with `/api/admins` (for example in the reverse proxy in front of the backend) to prevent unauthorized admin account creation. With this in place the vulnerability is not exploitable over the network, as long as the backend port itself is not reachable except through the proxy.
Long-Term Mitigation:
- Upgrade to Patched Version: Upgrade to Webhood version 0.9.1 or later, which includes a patch that creates a randomly generated admin account if none exist.
- Manual Admin Account Creation: Ensure that an admin account is manually created during the initial setup to mitigate the vulnerability.
Additional Security Measures:
- Network Segmentation: Implement network segmentation to limit access to the Pocketbase admin API.
- Monitoring and Logging: Enable comprehensive logging and monitoring to detect and respond to any unauthorized access attempts.
5. Impact on European Cybersecurity Landscape
Potential Impact:
- Affected Population: Any organization running a Webhood backend at version 0.9.0 or earlier without a manually created admin account is affected; exposure is greatest where the backend is reachable from untrusted networks rather than only from an analyst's workstation.
- Data Breaches: Unauthorized admin account creation could lead to data breaches, loss of sensitive information, and potential disruption of services.
- Reputation Damage: Organizations relying on Webhood for security analysis could suffer reputational damage if the vulnerability is exploited.
Regulatory Compliance:
- GDPR Compliance: Organizations must ensure that they comply with GDPR regulations by protecting personal data and reporting any breaches promptly.
- Cybersecurity Directives: Adherence to EU cybersecurity directives and guidelines is crucial to maintain a robust security posture.
6. Technical Details for Security Professionals
Vulnerability Details:
- CVE ID: CVE-2024-31218
- GSD ID: GSD-2024-31218
- Assigner: GitHub_M
Technical Mitigation Steps:
- Disable Vulnerable Endpoint (stop-gap at the network level): The firewall rule below blocks the backend port entirely from the network, not only `/api/admins`, so it also cuts off legitimate clients; it assumes the backend listens on port 8080. A path-level block must be applied in the reverse proxy in front of the backend.
  # Example: block all network access to the backend port (8080 is an assumed value)
  sudo ufw deny proto tcp from any to any port 8080
- Upgrade Webhood: Pull the patched image and recreate the container; the image name below is illustrative and must be replaced by the image referenced in your own deployment.
  # Example: pull the patched backend image
  docker pull webhood-io/webhood:0.9.1
- Manual Admin Account Creation: The Pocketbase CLI takes the e-mail and password as positional arguments. Container name and binary path are deployment-specific; pick a strong, unique password.
  # Example: create an admin account inside the running backend container
  docker exec -it webhood_container pocketbase admin create admin@example.com 'securepassword'
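The path-level block described by the workaround in sections 4 and 6, written out as a reverse-proxy configuration. This is an added example, not configuration shipped by Webhood or Pocketbase; it assumes nginx is the only route to the backend and that the backend container resolves as `backend` on port 8080 (both names are assumptions to be replaced with the deployment's own values).

```nginx
# Added example: refuse the Pocketbase admin API in front of the Webhood backend.
# Assumptions: nginx is the only network route to the backend, and the backend
# container is reachable as "backend" on port 8080 (substitute your own values).
server {
    listen 80;
    server_name webhood.example.internal;   # assumed host name

    # Workaround for CVE-2024-31218: deny everything under /api/admins,
    # which covers /api/admins, /api/admins/ and /api/admins/auth-with-password.
    # "^~" makes this prefix match take precedence over any regex locations.
    location ^~ /api/admins {
        return 403;
    }

    location / {
        proxy_pass http://backend:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two caveats. First, the block only helps if the backend port is not itself published to the network (check the `ports:` entries of the compose file or `docker ps`); otherwise an attacker simply bypasses the proxy. Second, because admin login also goes through `/api/admins/auth-with-password`, the rule locks out legitimate admin logins to the Pocketbase admin UI as well, so admin tasks must then be done from the host, e.g. with the CLI command shown above.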
Conclusion: The vulnerability in Webhood's backend container images is critical and requires immediate attention. Organizations should prioritize upgrading to the patched version and implementing the recommended mitigation strategies to protect their deployments. Continuous monitoring and adherence to cybersecurity best practices are essential to safeguard against such vulnerabilities.