Dragonfly, Improper Certificate Validation, CVE-2023-37529 (Critical)

Listen to this Post

The vulnerability exists in the Manager’s Certificate gRPC service. The service receives a certificate signing request (CSR) from a peer. It extracts the peer’s connection IP address from the gRPC context (p.Addr). The code then parses the CSR, which contains a list of requested IP addresses for the certificate. Crucially, the service only performs a signature check on the CSR but completely skips the vital validation step. The `// TODO only valid for peer ip` comment highlights this missing logic. It fails to verify that the IP addresses in the CSR (csr.IPAddresses) match the IP address the peer is actually connecting from (ip). Therefore, a peer connecting from IP A can successfully request a TLS certificate for any other IP B, bypassing mTLS authentication.
Platform: Dragonfly
Version: < v2.1.0
Vulnerability: Improper IP Validation
Severity: Critical

date: 2023-07-XX

Prediction: 2023-07-31

What Undercode Say:

openssl req -new -key peer.key -subj "/CN=arbitrary-ip" -addext "subjectAltName = IP:192.168.1.100" -out malicious.csr
grpcurl -insecure -d @ [manager-addr] api.v1.CertificateService.CreateCertificate < malicious.csr
// Vulnerable code snippet
ips := csr.IPAddresses // Uses unchecked CSR IPs
// Patched code snippet
if !validateIPs(csr.IPAddresses, peerIP) { return error }
ips = []net.IP{net.ParseIP(peerIP)}

How Exploit:

Attacker connects from own IP.

Requests cert for victim’s IP.

Uses cert to impersonate victim.

Protection from this CVE

Upgrade to v2.1.0.

Impact:

mTLS Bypass

Arbitrary IP Impersonation

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top