CVE-2022-24112

Description

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX’s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

Add Assessment

noraj (102)

March 09, 2022 8:03pm UTC (2 years ago)•Edited 1 year ago

Ratings

Attacker Value

High

Exploitability

Low

Gives privileged access Unauthenticated Vulnerable in default configuration Difficult to weaponize

Technical Analysis

IP restriction bypass via X-REAL-IP HTTP header then SSRF and RCE on admin route with LUA code executed via scripts

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

apache

Products

apisix

Metasploit Modules

exploit/multi/http/apache_apisix_api_default_token_rce (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_apisix_api_default_token_rce.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated sources as

Government or Industry Alert (https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a)
Threat Feed (https://viz.greynoise.io/query/?gnql=apache-apisix-rce-attempt)
News Article or Blog (https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/)

Reported: June 15, 2022 7:44pm UTC (2 years ago) • Edited 1 year ago

mkienow-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: August 25, 2022 7:42pm UTC (2 years ago)

ccondon-r7 indicated source as Other: Reliable private report of exploitation beginning late February 2022

Reported: October 25, 2022 12:07pm UTC (2 years ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2022/08/25/cisa-adds-ten-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:24am UTC (1 week ago)

References

Canonical

CVE-2022-24112 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24112)

Advisory

https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94

[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header (http://www.openwall.com/lists/oss-security/2022/02/11/3)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2022-24112 (https://github.com/Mr-xn/CVE-2022-24112) (Added by AKB Worker)

CVE-2022-24112 (https://github.com/Udyz/CVE-2022-24112) (Added by AKB Worker)

Apache-APISIX-CVE-2022-24112 (https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112) (Added by AKB Worker)

Miscellaneous

http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html

http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html

Rapid7

High

High

Low

None

None

Network

CVE-2022-24112

Description