Open Source CasaOS Cloud Software Reveals Critical Vulnerabilities

    Two critical security flaws, tracked as CVE-2023-37265 and CVE-2023-37266, have been discovered in the open-source CasaOS personal cloud software. Both carry a CVSS score of 9.8 out of 10 and can be exploited by unauthenticated attackers to gain arbitrary code execution and take control of vulnerable systems.

    Thomas Chauchefoin, the Sonar security researcher who found the flaws, explained that both bypass the authentication requirements and grant full access to the CasaOS dashboard. Because CasaOS supports installing third-party apps, that access can be misused to execute arbitrary commands and gain persistent access to the device and the internal network it sits on.

    IceWhale, the maintainers of CasaOS, fixed both issues in version 0.4.4, released on July 14, 2023, eleven days after the responsible disclosure on July 3, 2023.

    The two vulnerabilities are:

    • CVE-2023-37265 – CasaOS determines a request's source IP address incorrectly, so an unauthenticated attacker can satisfy an IP-based access check and execute arbitrary commands as root on the instance.
    • CVE-2023-37266 – Unauthenticated attackers can craft arbitrary JSON Web Tokens (JWTs) that CasaOS accepts, gaining access to authenticated features and, from there, execution of arbitrary commands as root on the instance.
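
    The page does not say how CasaOS tokens could be forged, so the following added example (written in Go, which CasaOS uses, but not CasaOS code) shows the checks a JWT verifier needs in order to reject forged tokens in general: a pinned algorithm that refuses alg "none", a constant-time HMAC comparison over the exact signed bytes, and an expiry check. The signing key, the claim set and the forged token are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// signingKey is a constructed example secret; a real service loads a random,
// per-installation key at setup time and never ships a default.
var signingKey = []byte("example-key-not-for-production")

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign computes the HS256 signature over the already-encoded header.payload.
func sign(unsigned string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(unsigned))
	return b64(m.Sum(nil))
}

// issue creates an HS256 token for sub that expires ttl after now.
func issue(sub string, ttl time.Duration, now time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(claims{Sub: sub, Exp: now.Add(ttl).Unix()})
	unsigned := b64(hdr) + "." + b64(body)
	return unsigned + "." + sign(unsigned, signingKey)
}

// verify accepts a token only if it has three segments, its alg is exactly
// HS256, the HMAC matches in constant time, and exp has not passed.
func verify(token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pinning the algorithm is what rejects "none" and algorithm-confusion tokens.
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	expected := sign(parts[0]+"."+parts[1], signingKey)
	if !hmac.Equal([]byte(expected), []byte(parts[2])) {
		return nil, errors.New("bad signature")
	}
	bodyBytes, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c claims
	if err := json.Unmarshal(bodyBytes, &c); err != nil {
		return nil, err
	}
	if c.Exp <= now.Unix() {
		return nil, errors.New("expired")
	}
	return &c, nil
}

// forgeUnsigned builds the classic attacker token: alg "none" and an empty
// signature. A verifier that does not pin the algorithm would accept it.
func forgeUnsigned(sub string, exp int64) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(claims{Sub: sub, Exp: exp})
	return b64(hdr) + "." + b64(body) + "."
}

func main() {
	now := time.Now()
	tok := issue("admin", time.Hour, now)
	_, err := verify(tok, now)
	fmt.Println("issued token verifies:", err == nil)
	_, err = verify(forgeUnsigned("admin", now.Add(time.Hour).Unix()), now)
	fmt.Println("alg=none token rejected:", err != nil)
}
```

    The important detail is that verify signs the token's own first two segments and compares against the third, rather than re-serialising the parsed claims; any difference in encoding would otherwise turn into a verification bypass.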

    Successful exploitation of either flaw circumvents authentication and grants administrative privileges on a vulnerable CasaOS instance. Chauchefoin cautioned against relying on source IP identification at the application layer for security decisions: the client address may be carried in several different headers, and subtle differences in how each layer interprets them can introduce security vulnerabilities.
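
    To make the header point concrete, here is an added example in Go (CasaOS is written in Go, but this is not CasaOS's code, and the page does not say which header or which check CasaOS actually used). It contrasts a naive client-IP lookup that believes X-Forwarded-For from any peer with one that honours the header only when the TCP peer is a configured reverse proxy. The trusted-proxy address, the loopback allow-list decision and the sample request addresses are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trustedProxies lists the only peers whose X-Forwarded-For header is honoured.
// Constructed for this example; a real deployment configures it explicitly.
var trustedProxies = map[string]bool{"10.0.0.2": true}

// naiveClientIP shows the weak pattern: believe whatever the client put in
// X-Forwarded-For and only fall back to the TCP peer address when it is absent.
func naiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// safeClientIP honours X-Forwarded-For only when the TCP peer is a trusted
// reverse proxy; any other peer is the client, whatever headers it sends.
func safeClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	if !trustedProxies[host] {
		return host
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return host
	}
	// Each proxy appends the peer it saw, so only the rightmost entry is
	// vouched for by the trusted proxy; anything to its left is client-supplied.
	parts := strings.Split(xff, ",")
	return strings.TrimSpace(parts[len(parts)-1])
}

// isLoopback stands in for the kind of IP-based security decision the article
// warns about (assumed here: loopback callers are allowed through).
func isLoopback(ip string) bool {
	parsed := net.ParseIP(ip)
	return parsed != nil && parsed.IsLoopback()
}

// newRequest builds a request with the given TCP peer and optional header.
func newRequest(remoteAddr, xff string) *http.Request {
	r, _ := http.NewRequest("GET", "http://casaos.example/v1/sys", nil)
	r.RemoteAddr = remoteAddr
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	// Constructed sample: a remote attacker at 203.0.113.9 claims to be 127.0.0.1.
	r := newRequest("203.0.113.9:51234", "127.0.0.1")
	fmt.Printf("naive: %s (loopback=%v)\n", naiveClientIP(r), isLoopback(naiveClientIP(r)))
	fmt.Printf("safe:  %s (loopback=%v)\n", safeClientIP(r), isLoopback(safeClientIP(r)))
}
```

    With the naive lookup the spoofed request is treated as local and passes the allow-list; with the trusted-proxy version the same request resolves to the real peer address and is refused. The general rule is that a forwarded-address header is only as trustworthy as the hop that set it, so it must be ignored unless the direct peer is a proxy you control.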
