Listen to this Post
The vulnerability exists in the Manager’s Certificate gRPC service. The service receives a certificate signing request (CSR) from a peer. It extracts the peer’s connection IP address from the gRPC context (p.Addr). The code then parses the CSR, which contains a list of requested IP addresses for the certificate. Crucially, the service only performs a signature check on the CSR but completely skips the vital validation step. The `// TODO only valid for peer ip` comment highlights this missing logic. It fails to verify that the IP addresses in the CSR (csr.IPAddresses) match the IP address the peer is actually connecting from (ip). Therefore, a peer connecting from IP A can successfully request a TLS certificate for any other IP B, bypassing mTLS authentication.
Platform: Dragonfly
Version: < v2.1.0
Vulnerability: Improper IP Validation
Severity: Critical
date: 2023-07-XX
Prediction: 2023-07-31
What Undercode Say:
openssl req -new -key peer.key -subj "/CN=arbitrary-ip" -addext "subjectAltName = IP:192.168.1.100" -out malicious.csr grpcurl -insecure -d @ [manager-addr] api.v1.CertificateService.CreateCertificate < malicious.csr
// Vulnerable code snippet
ips := csr.IPAddresses // Uses unchecked CSR IPs
// Patched code snippet
if !validateIPs(csr.IPAddresses, peerIP) { return error }
ips = []net.IP{net.ParseIP(peerIP)}
How Exploit:
Attacker connects from own IP.
Requests cert for victim’s IP.
Uses cert to impersonate victim.
Protection from this CVE
Upgrade to v2.1.0.
Impact:
mTLS Bypass
Arbitrary IP Impersonation
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

