CVE-2023-29193
SpiceDB Command-Line Flag Preshared Key Exfiltration Defence Evasion Vulnerability
Description
SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The `spicedb serve` command contains a flag named `--grpc-preshared-key` which is used to protect the gRPC API from being accessed by unauthorized requests. The values of this flag are to be considered sensitive, secret data. The `/debug/pprof/cmdline` endpoint served by the metrics service (defaulting running on port `9090`) reveals the command-line flags provided for debugging purposes. If a password is set via the `--grpc-preshared-key` then the key is revealed by this endpoint along with any other flags provided to the SpiceDB binary. This issue has been fixed in version 1.19.1. ### Impact All deployments abiding by the recommended best practices for production usage are **NOT affected**: - Authzed's SpiceDB Serverless - Authzed's SpiceDB Dedicated - SpiceDB Operator Users configuring SpiceDB via environment variables are **NOT affected**. Users **MAY be affected** if they expose their metrics port to an untrusted network and are configuring `--grpc-preshared-key` via command-line flag. ### Patches TODO ### Workarounds To workaround this issue you can do one of the following: - Configure the preshared key via an environment variable (e.g. `SPICEDB_GRPC_PRESHARED_KEY=yoursecret spicedb serve`) - Reconfigure the `--metrics-addr` flag to bind to a trusted network (e.g. `--metrics-addr=localhost:9090`) - Disable the metrics service via the flag (e.g. `--metrics-enabled=false`) - Adopt one of the recommended deployment models: [Authzed's managed services](https://authzed.com/pricing) or the [SpiceDB Operator](https://github.com/authzed/spicedb-operator) ### References - [GitHub Security Advisory issued for SpiceDB](https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6) - [Go issue #22085](https://github.com/golang/go/issues/22085) for documenting the risks of exposing pprof to the internet - [Go issue #42834](https://github.com/golang/go/issues/42834) discusses preventing pprof registration to the default serve mux - [semgrep rule go.lang.security.audit.net.pprof.pprof-debug-exposure](https://semgrep.dev/r?q=go.lang.security.audit.net.pprof) checks for a variation of this issue ### Credit We'd like to thank Amit Laish, a security researcher at GE Vernova for responsibly disclosing this vulnerability.
INFO
Published Date :
April 14, 2023, 8:15 p.m.
Last Modified :
April 24, 2023, 4:22 p.m.
Source :
[email protected]
Remotely Exploitable :
No
Impact Score :
5.8
Exploitability Score :
2.3
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2023-29193.
| URL | Resource |
|---|---|
| https://github.com/authzed/spicedb/commit/9bbd7d76b6eaba33fe0236014f9b175d21232999 | Patch |
| https://github.com/authzed/spicedb/releases/tag/v1.19.1 | Release Notes Vendor Advisory |
| https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6 | Vendor Advisory |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2023-29193 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2023-29193 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
Initial Analysis by [email protected]
Apr. 24, 2023
Action Type Old Value New Value Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Changed Reference Type https://github.com/authzed/spicedb/commit/9bbd7d76b6eaba33fe0236014f9b175d21232999 No Types Assigned https://github.com/authzed/spicedb/commit/9bbd7d76b6eaba33fe0236014f9b175d21232999 Patch Changed Reference Type https://github.com/authzed/spicedb/releases/tag/v1.19.1 No Types Assigned https://github.com/authzed/spicedb/releases/tag/v1.19.1 Release Notes, Vendor Advisory Changed Reference Type https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6 No Types Assigned https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6 Vendor Advisory Added CPE Configuration OR *cpe:2.3:a:authzed:spicedb:*:*:*:*:*:*:*:* versions up to (excluding) 1.19.1
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2023-29193 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2023-29193
weaknesses.
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
0.14 }} 0.01%
score
0.49027
percentile