CVE-2020-36247
📋 TL;DR
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Open OnDemand, a web portal for high-performance computing clusters. A page under the attacker's control can make a logged-in user's browser send state-changing requests to the portal, which accepts them as that user's own actions. CSRF does not let the attacker read the portal's responses; it lets the attacker act as the victim. Open OnDemand versions before 1.5.7 and 1.6.x before 1.6.22 are affected.
💻 Affected Systems
- Open OnDemand
📦 What is this software?
Open OnDemand is an open-source web portal for HPC clusters, developed at the Ohio Supercomputer Center, that gives users browser access to files, job submission, shells and interactive apps on the cluster under their own account. The dashboard is a Ruby on Rails application served through Apache httpd and per-user NGINX processes, so a forged request runs with the victim's cluster identity.
⚠️ Risk & Real-World Impact
Worst Case
Any state-changing action the victim can take through the portal becomes available to the attacker via the victim's browser. On an HPC portal that includes file operations and job submission, and a submitted batch job runs arbitrary commands on cluster nodes under the victim's account. If the victim is a privileged user, this can extend to compromise of the Open OnDemand instance and the cluster behind it.
Likely Case
An attacker who lures a logged-in user to a malicious page can forge requests that alter that user's files, submit jobs or change settings in their account, causing data loss or service disruption. CSRF on its own does not return data to the attacker; a forged action (for example, a job that copies files off the cluster) would be the route to exfiltration.
If Mitigated
With anti-CSRF tokens checked on every state-changing request, plus SameSite session cookies, exploitation is limited to gaps in those controls: a state-changing endpoint reachable by GET, a route where the token check is skipped, or a browser that ignores SameSite.
🎯 Exploit Status
Exploitation requires an authenticated user to load a page the attacker controls (or a page where the attacker can embed a form or script) while their Open OnDemand session is active. No further interaction is needed, since the forged request is submitted automatically, so a phishing link or a compromised site the user already visits is enough.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.7 or 1.6.22 and later
Vendor Advisory: https://listsprd.osu.edu/pipermail/ood-users/2020-April/000397.html
Restart Required: Yes
Instructions:
1. Back up the Open OnDemand configuration under /etc/ood and any local customizations. 2. Update the ondemand package from the Open OnDemand repository to 1.5.7 (1.5 series) or 1.6.22 (1.6 series) or later; on RHEL/CentOS, the platform the 1.x releases target, that is 'yum update ondemand'. 3. If the release notes call for it, regenerate the Apache portal configuration with /opt/ood/ood-portal-generator/sbin/update_ood_portal, then restart the Apache service that fronts the portal (on CentOS 7 with the 1.x releases this is the Software Collections httpd: 'systemctl restart httpd24-httpd'). 4. Stop the running per-user NGINX processes so that users who are already logged in get the patched dashboard, e.g. '/opt/ood/nginx_stage/sbin/nginx_stage nginx_clean --force'. 5. Verify the installed version (see How to Verify).
🔧 Temporary Workarounds
Implement CSRF Tokens Manually
Add anti-CSRF tokens to every form and state-changing request in the Open OnDemand dashboard so that a request forged from another origin, which cannot carry the token, is rejected.
This means carrying a local modification to the dashboard, a Ruby on Rails application, and re-applying it on every upgrade; it requires developer effort and is only sensible if the update cannot be applied for a prolonged period.
Enforce Same-Site Cookies
Configure the web server in front of the portal to add SameSite=Lax (or Strict) to the session cookie. Browsers then omit the cookie from cross-site POSTs, so a forged request arrives unauthenticated.
Set the attribute by editing Set-Cookie headers in the Apache httpd configuration for the portal virtual host (mod_headers). Use Lax unless no external site links directly into the portal, because Strict also drops the cookie on the first navigation from such a link. Note that Lax still sends the cookie on top-level GET navigations, so any state-changing GET endpoint remains exposed, and old browsers ignore the attribute entirely.
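As an added example (not part of the Open OnDemand distribution), the mod_headers rule below appends SameSite=Lax to every Set-Cookie header the portal emits that does not already carry a SameSite attribute. It assumes Apache httpd 2.4 with mod_headers loaded as the front end, as in the 1.x releases; "always" makes the rule apply to proxied responses from the per-user NGINX processes as well as to Apache's own.

```apache
# Added example: append SameSite=Lax to backend cookies that lack it.
# Place it in its own file under conf.d rather than in the generated
# portal virtual host file, which is overwritten when the portal
# configuration is regenerated; mod_headers merges the directive into
# every virtual host.
<IfModule mod_headers.c>
    # (?i) makes the attribute match case-insensitive; the negative
    # lookahead leaves cookies that already set SameSite untouched.
    Header always edit Set-Cookie "(?i)^(?!.*;\s*SameSite=)(.*)$" "$1; SameSite=Lax"
</IfModule>
```

After reloading httpd, confirm with a browser's developer tools or 'curl -sI' that the session cookie now carries the attribute, and that any cookie the dashboard already marked SameSite has not been doubled.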
🧯 If You Can't Patch
- Restrict access to Open OnDemand to trusted internal networks or a VPN. This does not stop CSRF by itself, because the forged request is sent by the victim's browser, which is on the trusted network; it only denies the attacker direct access for reconnaissance and raises the cost of preparing the forged request.
- Tell users to log out of the portal when they are done and to avoid browsing untrusted sites in the same browser profile while logged in, since the forged request rides on an active session.
🔍 How to Verify
Check if Vulnerable:
Check the installed package version (on RHEL/CentOS, 'rpm -q ondemand'); if it is below 1.5.7, or in the 1.6.x series below 1.6.22, the instance is vulnerable. There is no 'ondemand --version' command.
Check Version:
rpm -q ondemand
Verify Fix Applied:
After updating, run 'rpm -q ondemand' again to confirm 1.5.7 or 1.6.22 or later is installed, restart the per-user NGINX processes, and test the protection from your own session: submit a state-changing form once normally and once with the anti-CSRF token removed. The second request must be refused (a Rails application answers a bad token with HTTP 422); if it succeeds, the protection is not in effect.
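The manual test above, as an added example that is not part of Open OnDemand. It assumes a Rails-style dashboard (the OOD dashboard is a Rails application) that renders the token as a hidden authenticity_token form field or a csrf-token meta tag, and it takes the form and action paths as arguments: the /pun/sys/dashboard/example paths in the sample and usage comment are hypothetical and must be replaced with a real, harmless and reversible action from your own deployment, since the probe really performs it twice.

```python
"""Probe whether a portal endpoint enforces its anti-CSRF token.
Added example, not Open OnDemand code; paths and host are hypothetical."""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

_FORM_RE = re.compile(r'name="authenticity_token"\s+value="([^"]+)"')
_META_RE = re.compile(r'<meta\s+name="csrf-token"\s+content="([^"]+)"')

# Statuses meaning the action ran (Rails redirects after a successful POST).
ACCEPTED = {200, 201, 302, 303}


def extract_authenticity_token(html: str) -> Optional[str]:
    """Return the CSRF token embedded in a rendered page, or None."""
    for pat in (_FORM_RE, _META_RE):
        m = pat.search(html)
        if m:
            return m.group(1)
    return None


def assess(status_with_token: int, status_without_token: int) -> str:
    """'protected' if only the tokened POST was accepted, 'vulnerable' if the
    untokened one was accepted too, 'inconclusive' if both were refused
    (expired session, wrong route, ...). Rails answers a bad token with 422."""
    if status_without_token in ACCEPTED:
        return "vulnerable"
    if status_with_token in ACCEPTED:
        return "protected"
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as the result instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _post(url: str, fields: dict, cookie: str) -> int:
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Cookie": cookie})
    try:
        return urllib.request.build_opener(_NoRedirect()).open(req, timeout=10).status
    except urllib.error.HTTPError as e:
        return e.code


def probe(base_url: str, form_path: str, action_path: str,
          fields: dict, cookie: str) -> str:
    """Fetch the form with your own session cookie, then submit the action
    twice: with the token the page handed out and without it."""
    req = urllib.request.Request(base_url + form_path, headers={"Cookie": cookie})
    html = urllib.request.urlopen(req, timeout=10).read().decode("utf-8", "replace")
    token = extract_authenticity_token(html)
    if token is None:
        return "no-token-rendered"   # the form carries no token at all
    with_tok = _post(base_url + action_path,
                     {**fields, "authenticity_token": token}, cookie)
    without = _post(base_url + action_path, fields, cookie)
    return assess(with_tok, without)


# Constructed sample of what a Rails form renders (not captured from a portal).
SAMPLE_FORM_HTML = (
    '<form action="/pun/sys/dashboard/example" method="post">'
    '<input type="hidden" name="authenticity_token" value="abc123TOKEN==" />'
    '<input type="submit" value="Go" /></form>'
)

if __name__ == "__main__":
    # usage: probe.py https://ondemand.example.edu /pun/sys/dashboard/example/new \
    #        /pun/sys/dashboard/example "<Cookie header copied from your own session>"
    if len(sys.argv) != 5:
        sys.exit("usage: probe.py BASE_URL FORM_PATH ACTION_PATH COOKIE")
    base, form, action, cookie = sys.argv[1:5]
    print(probe(base, form, action, {}, cookie))
```

The two submissions are deliberately made with the same session cookie: the only difference is the token, so a 'vulnerable' verdict isolates the missing check rather than an authentication problem. Run it against a test instance or a throwaway action in your own account.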
📡 Detection & Monitoring
Log Indicators:
- In the Apache access log in front of the portal, look for state-changing requests (POST, PUT, DELETE) to /pun/ paths whose Referer is a foreign site or absent. The client IP is the victim's own, not the attacker's, so source-address filtering does not help. On a patched instance, failed token validations appear in the dashboard's Rails log as InvalidAuthenticityToken errors.
Network Indicators:
- If a proxy or WAF sees the traffic, alert on state-changing requests to Open OnDemand whose Origin header is not the portal's own host. Origin is the more reliable signal than Referer, but Apache's default combined log does not record it, so add it to the LogFormat if you want it in the log.
SIEM Query:
Example pseudo-query (adapt field names to your SIEM): 'source=web_logs AND url_path CONTAINS "/pun/" AND method IN (POST, PUT, DELETE) AND (referer="-" OR referer NOT CONTAINS "ondemand.example.edu")', where ondemand.example.edu stands for your portal's host. Treat the missing-Referer case as lower confidence, since Referrer-Policy settings and privacy extensions strip the header on legitimate requests.
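The log check described above, as an added example that is not part of Open OnDemand or of any SIEM product. It parses Apache "combined" log lines (which carry the Referer but not the Origin header), flags state-changing requests under /pun/ whose Referer is cross-site or absent, and runs over constructed sample lines; the portal host ondemand.example.edu and the /pun/sys/dashboard/example path are hypothetical.

```python
"""Flag state-changing portal requests whose Referer is cross-site or absent.
Added example, not Open OnDemand code; sample lines are constructed."""
import re
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Apache LogFormat "combined":
# client ident user [time] "method path proto" status bytes "referer" "agent"
_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, portal_host):
    """Return None for a benign entry, otherwise a short reason string.

    The client IP is the victim's, so only the Referer can separate a forged
    request from a genuine one. A missing Referer is lower confidence:
    Referrer-Policy and privacy extensions strip it on legitimate requests.
    """
    if entry["method"] not in STATE_CHANGING:
        return None
    if not entry["path"].startswith("/pun/"):   # OOD apps are served under /pun/
        return None
    ref = entry["referer"]
    if ref in ("", "-"):
        return "missing-referer"
    ref_host = urlsplit(ref).hostname or ""
    if ref_host.lower() != portal_host.lower():
        return f"cross-site-referer:{ref_host}"
    return None


def scan(lines, portal_host):
    """Return a list of (reason, entry) for every suspicious line."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        reason = classify(entry, portal_host)
        if reason:
            hits.append((reason, entry))
    return hits


# Constructed sample lines (not from a real deployment): a normal page load,
# a genuine same-site POST, a POST forged from a lure page, and a POST with
# no Referer.
SAMPLE_LOG = [
    '10.0.0.5 - alice [10/Apr/2020:14:02:11 +0000] "GET /pun/sys/dashboard HTTP/1.1" 200 5120 "https://ondemand.example.edu/" "Mozilla/5.0"',
    '10.0.0.5 - alice [10/Apr/2020:14:02:30 +0000] "POST /pun/sys/dashboard/example HTTP/1.1" 302 0 "https://ondemand.example.edu/pun/sys/dashboard" "Mozilla/5.0"',
    '10.0.0.5 - alice [10/Apr/2020:14:05:02 +0000] "POST /pun/sys/dashboard/example HTTP/1.1" 302 0 "https://attacker.example.net/lure.html" "Mozilla/5.0"',
    '10.0.0.5 - alice [10/Apr/2020:14:05:03 +0000] "POST /pun/sys/dashboard/example HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for reason, e in scan(SAMPLE_LOG, "ondemand.example.edu"):
        print(f'{e["time"]} {e["user"]} {e["method"]} {e["path"]} -> {reason}')
```

The same client IP and user appear on every sample line, which is exactly what a CSRF attack looks like from the server side; the forged request is distinguishable only by its cross-site Referer. A 302 on the forged POST means the action was accepted, so correlate hits with the affected user's jobs and files.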