Response from the Budibase Team
Dear Budibase Community,
We would like to inform you of a security incident that occurred on March 7, 2023. An external security researcher notified us of a potential security issue in the Budibase cloud platform running on AWS. Upon investigation, we discovered a Server-Side Request Forgery (SSRF) vulnerability that could have potentially allowed an attacker to access the internal AWS metadata IP and retrieve a temporary AWS secret key. This vulnerability was present in the network infrastructure rules which permitted connections to the internal AWS metadata IP address from the Budibase REST connector.
We take the security of our platform very seriously and immediately took action to contain the vulnerability. After restricting the potential for the vulnerability to be exploited we engaged in extensive log and database analysis. We concluded that the issue was not exploited and was only discovered by the security researcher. We patched the issue in a matter of minutes, and the production cloud environment is now completely secure from this vulnerability. We also confirmed that the AWS role that would have been exploited did not have access to the production database.
For those using the budibase cloud, no action needs to be taken. Although this vulnerability has not been exploited, as a precautionary measure we have cycled all of our AWS keys and production database credentials.
For budibase self-host users, if you are planning on running Budibase on the public internet and are using a cloud provider that allows HTTP access to metadata information, ensure that when you are deploying budibase live, your internal metadata endpoint is not exposed, which should be the default on most modern setups and require no configuration on your side.
In light of this incident, we have taken steps to bolster our security program. Despite the fact that this vulnerability was not exploited and was fixed quickly, we added functionality to allow cycling of all the keys in our production databases and servers and we introduced new keys for all of the current AWS users in the budibase organization. We also added the ability to blacklist IPs at the application level for additional protection at the node service level if required.
Sincerely,
The Budibase Team
Original Report
Summary
The rest api http request can connect to internal ip leads into ssrf and can get aws secret key
Step To Reproduce
- Login to your account
- Then click add new source
- Click import button and choose raw text
- Paste this into textarea curl -u "http://169.254.169.254/latest/meta-data/iam/security-credentials/eksctl-budibase-eks-production-no-NodeInstanceRole-11ADSAK71IO6U"
- Then save it
- After that go to the source that you was make before and click send button
- You’ll see your aws secret key in there
PoC
Impact
This attack can leads attacker to get budibase aws secretkey
votr123 Reporter
Rory-Powell Remediation developer
mike12345567 Remediation developer
shogunpurple Remediation developer
Response from the Budibase Team
Dear Budibase Community,
We would like to inform you of a security incident that occurred on March 7, 2023. An external security researcher notified us of a potential security issue in the Budibase cloud platform running on AWS. Upon investigation, we discovered a Server-Side Request Forgery (SSRF) vulnerability that could have potentially allowed an attacker to access the internal AWS metadata IP and retrieve a temporary AWS secret key. This vulnerability was present in the network infrastructure rules which permitted connections to the internal AWS metadata IP address from the Budibase REST connector.
We take the security of our platform very seriously and immediately took action to contain the vulnerability. After restricting the potential for the vulnerability to be exploited we engaged in extensive log and database analysis. We concluded that the issue was not exploited and was only discovered by the security researcher. We patched the issue in a matter of minutes, and the production cloud environment is now completely secure from this vulnerability. We also confirmed that the AWS role that would have been exploited did not have access to the production database.
For those using the budibase cloud, no action needs to be taken. Although this vulnerability has not been exploited, as a precautionary measure we have cycled all of our AWS keys and production database credentials.
For budibase self-host users, if you are planning on running Budibase on the public internet and are using a cloud provider that allows HTTP access to metadata information, ensure that when you are deploying budibase live, your internal metadata endpoint is not exposed, which should be the default on most modern setups and require no configuration on your side.
In light of this incident, we have taken steps to bolster our security program. Despite the fact that this vulnerability was not exploited and was fixed quickly, we added functionality to allow cycling of all the keys in our production databases and servers and we introduced new keys for all of the current AWS users in the budibase organization. We also added the ability to blacklist IPs at the application level for additional protection at the node service level if required.
Sincerely,
The Budibase Team
Original Report
Summary
The rest api http request can connect to internal ip leads into ssrf and can get aws secret key
Step To Reproduce
PoC
Impact
This attack can leads attacker to get budibase aws secretkey