Impact
An attacker can craft an *.etherpad file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code on the Etherpad server (including system commands) and in the browsers of users connected to the Etherpad server.
To gain privileges, the attacker must be able to trigger deletion of express-session state or wait for old express-session state to be cleaned up. Core Etherpad does not delete any express-session state (issue #5010), so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old sessionstorage:* records).
Even if a reverse proxy is configured to reject access to /admin/* pages, it is still possible to crash Etherpad or bypass authorization checks to access restricted pads.
Patches
The problem has been fixed in v1.8.16. If you cannot upgrade for some reason, you can try cherry-picking the fix commits:
git cherry-pick b7065eb9a0ec..77bcb507b30e
Workarounds
If you cannot upgrade to v1.8.16 or patch, any of the following will prevent exploit:
- Install the
ep_disable_imports plugin and configure it to block *.etherpad imports. For example, you can add the following to your settings.json:
"ep_disable_imports": {
"deny": ["etherpad"]
},
- Configure your reverse proxy to reject requests to
/p/*/import. This will block all imports, not just *.etherpad imports.
- Limit all users to read-only access.
- Prevent the reuse of
express_sid cookie values that refer to deleted express-session state:
- Uninstall any plugins that enable users to delete express-session state (e.g., by calling
req.session.destroy()). Known plugins:
- If any
sessionstorage:* records are deleted, delete SESSIONKEY.txt and restart Etherpad. Etherpad will generate a new SESSIONKEY.txt file with a different key, which will invalidate the signatures in old express_sid cookies.
General Mitigations
In addition to upgrading or patching, we recommend you do the following to reduce risk if another vulnerability is discovered:
- Run Etherpad behind a reverse proxy.
- Configure your reverse proxy to reject requests to
/admin/* and /tests/*.
- Configure SELiniux or AppArmor to limit command execution or file access outside of the
etherpad-lite directory.
- Run Etherpad as a non-root user.
- Run Etherpad in a minimal container (see Docker instructions).
For more information
If you have any questions or comments about this advisory:
Impact
An attacker can craft an
*.etherpadfile that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code on the Etherpad server (including system commands) and in the browsers of users connected to the Etherpad server.To gain privileges, the attacker must be able to trigger deletion of express-session state or wait for old express-session state to be cleaned up. Core Etherpad does not delete any express-session state (issue #5010), so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old
sessionstorage:*records).Even if a reverse proxy is configured to reject access to
/admin/*pages, it is still possible to crash Etherpad or bypass authorization checks to access restricted pads.Patches
The problem has been fixed in v1.8.16. If you cannot upgrade for some reason, you can try cherry-picking the fix commits:
Workarounds
If you cannot upgrade to v1.8.16 or patch, any of the following will prevent exploit:
ep_disable_importsplugin and configure it to block*.etherpadimports. For example, you can add the following to yoursettings.json:/p/*/import. This will block all imports, not just*.etherpadimports.express_sidcookie values that refer to deleted express-session state:req.session.destroy()). Known plugins:sessionstorage:*records are deleted, deleteSESSIONKEY.txtand restart Etherpad. Etherpad will generate a newSESSIONKEY.txtfile with a different key, which will invalidate the signatures in oldexpress_sidcookies.General Mitigations
In addition to upgrading or patching, we recommend you do the following to reduce risk if another vulnerability is discovered:
/admin/*and/tests/*.etherpad-litedirectory.For more information
If you have any questions or comments about this advisory: