Eclipse Kura LogServlet vulnerability
Basic information
Project name: Eclipse Kura
Project id: iot.kura
What are the affected versions?
The affected component is org.eclipse.kura:org.eclipse.kura.web2 in the version range [2.0.600, 2.4.0], which is included in Eclipse Kura versions [5.0.0, 5.4.1].
Details of the issue
A security vulnerability has been discovered in the Eclipse Kura LogServlet [1].
The LogServlet component was introduced in Eclipse Kura version 5.0.0 to allow the download of the system logs.
The LogServlet uses the XSRF token to validate the received requests. It has been verified that a specifically crafted request to the servlet allows an unauthenticated user to retrieve the device logs.
It has also been observed that the downloaded logs may be used by an attacker to perform privilege escalation, because the session ids of authenticated users are reported in the logs.
Steps to reproduce
Local access to Eclipse Kura Web UI is needed.
Send a request to the LogServlet with any value for the JSESSIONID cookie and include the SHA-1 hash of that JSESSIONID cookie value as the xsrfToken request parameter.
The session cookies of requests from authenticated users can be extracted from the downloaded logs archive by searching for "session.id" in /var/log/kura-audit.log. If a session id is still valid, the attacker can use it to perform new requests.
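As an added illustration (not Kura's own code), the following model contrasts the flawed validation described above, where the expected token is computed from the cookie value alone, with a check that is bound to an authenticated server-side session, and shows how session ids can be redacted before they reach an audit log. The session store, token format and log line shape are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed in-memory session store standing in for the servlet container:
# session id -> {"authenticated": bool, "xsrf": random per-session token}
SESSIONS = {}

def login():
    """Create an authenticated session whose XSRF token is random and kept server-side."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = {"authenticated": True, "xsrf": token}
    return sid, token

def cookie_derived_token(jsessionid):
    """The token the flawed pattern expects: derived from the cookie value alone."""
    return hashlib.sha1(jsessionid.encode()).hexdigest()

def vulnerable_check(jsessionid, xsrf_token):
    """Model of the flawed validation the advisory describes: no session lookup,
    so whoever picks the cookie value can also compute the matching token."""
    return xsrf_token == cookie_derived_token(jsessionid)

def hardened_check(jsessionid, xsrf_token):
    """Accept only if the cookie names an existing authenticated session and the
    token equals the secret stored server-side for that session (constant-time)."""
    session = SESSIONS.get(jsessionid)
    if session is None or not session["authenticated"]:
        return False
    return hmac.compare_digest(session["xsrf"], xsrf_token)

# Constructed audit-log excerpt shaped like the "session.id" entries the advisory
# mentions (not real Kura output).
SAMPLE_AUDIT_LOG = (
    "2024-01-01T10:00:00Z kura audit login ok session.id=node0abc123 user=admin\n"
    "2024-01-01T10:00:05Z kura audit GET /log session.id=node0abc123\n"
)
SESSION_ID_RE = re.compile(r"(session\.id=)(\S+)")

def redact_session_ids(log_text):
    """Replace each session id with a short digest so entries stay correlatable
    but a reader of the downloaded logs cannot reuse the session."""
    def repl(m):
        digest = hashlib.sha256(m.group(2).encode()).hexdigest()[:8]
        return m.group(1) + "sha256:" + digest
    return SESSION_ID_RE.sub(repl, log_text)
```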
Do you know any mitigations of the issue?
An immediate mitigation is to restrict access to the Eclipse Kura Web UI or to disable it completely.
We have implemented a possible fix for the vulnerability that will be released in Eclipse Kura 5.4.2.