CVE-2021-32639
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Emissary, a P2P-based, data-driven workflow engine. Attacker-controlled input to the RegisterPeerAction and AddChildDirectoryAction endpoints makes the Emissary server issue outbound HTTP requests to a destination of the attacker's choosing, which can reach internal systems and leak credentials (for example from cloud metadata services). Organizations running Emissary version 6.4.0 are affected.
💻 Affected Systems
- Emissary
📦 What is this software?
Emissary is a P2P-based, data-driven workflow engine in which nodes register with one another as peers over HTTP. The two affected endpoints live in the peer/directory registration interface (emissary.server.mvc.internal), which is why an attacker-supplied peer or directory address turns into an outbound request made by the server itself.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to internal network resources, steal credentials from metadata services or internal APIs, and potentially pivot to other systems.
Likely Case
Credential leakage from internal services, unauthorized access to internal APIs, and potential data exfiltration.
If Mitigated
Limited to denial of service or failed exploitation attempts if proper network segmentation and input validation are in place.
🎯 Exploit Status
SSRF vulnerabilities typically have low exploitation complexity, especially when endpoints are exposed without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0
Vendor Advisory: https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-2p8j-2rf3-h4xr
Restart Required: Yes
Instructions:
1. Upgrade Emissary to version 7.0 or later.
2. Restart the Emissary service.
3. Verify the upgrade was successful by checking the version.
🔧 Temporary Workarounds
Network Access Restriction
Disable network access to Emissary from untrusted sources, as recommended in the advisory.
Use firewall rules to restrict inbound access to the Emissary ports (typically 8001 and 9001) to trusted peer IPs only, and restrict outbound connections from the Emissary host to the peers it legitimately talks to; egress filtering bounds what an SSRF can reach even if a malicious request gets in.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Emissary instances from sensitive internal systems.
- Deploy a web application firewall (WAF) or reverse proxy in front of Emissary that rejects peer/directory parameters pointing at loopback, private, link-local (including the cloud metadata address 169.254.169.254) or otherwise non-routable addresses, and that only allows hosts on an explicit list of known peers.
🔍 How to Verify
Check if Vulnerable:
Check if running Emissary version 6.4.0 by examining the application version or deployment configuration.
Check Version:
Check the Emissary logs or configuration files for version information, or inspect the Emissary jar in your deployment (its manifest or your build's dependency metadata) to confirm which release is actually running.
Verify Fix Applied:
Confirm the version is 7.0 or later and, in a test environment, confirm that RegisterPeerAction and AddChildDirectoryAction no longer cause the server to contact a host that is not a legitimate peer (for example a listener you control on an internal address).
📡 Detection & Monitoring
Log Indicators:
- Requests to RegisterPeerAction or AddChildDirectoryAction whose parameters carry a URL pointing at a loopback, private, link-local or cloud metadata address, or at any host that is not a known peer. Parameter values are often URL-encoded in logs, so decode before matching on "http://".
- HTTP requests from Emissary server to unexpected internal services.
Network Indicators:
- Outbound connections from Emissary server to internal metadata services (e.g., AWS IMDS, Azure Instance Metadata) or unexpected internal APIs.
SIEM Query:
source="emissary.log" AND (uri_path="/RegisterPeerAction.do" OR uri_path="/AddChildDirectoryAction.do") AND (url_param CONTAINS "http://" OR url_param CONTAINS "https://")
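The following Python is an added example, not Emissary project code. It combines the two controls this page describes: the peer-URL allowlist check suggested under the workarounds, and the log triage described under Log Indicators and the SIEM query. classify_target() decides where a peer/directory URL would make the server connect (bad scheme, allowlisted peer, cloud metadata, loopback/private/link-local, external), and scan_log() applies that to access-log lines for the two endpoints named in the advisory. The log format, the directoryName parameter name, every hostname and address, and the DNS table are constructed assumptions for illustration. Note that Emissary's real requests may carry these parameters in a POST body rather than the query string, in which case a plain access log will not show them and you need proxy or WAF logging that records the body.

```python
"""Added example, not Emissary project code: classify SSRF targets and triage
constructed access-log lines for the two endpoints named in the advisory.

Assumptions (not from the advisory): the log format, the 'directoryName'
parameter name, every hostname/IP below, and the constructed DNS table."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory.
SUSPECT_PATHS = {"/RegisterPeerAction.do", "/AddChildDirectoryAction.do"}

# Cloud instance metadata endpoints; a peer URL pointing here is a red flag.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}

# Apache/NCSA-style access log line; the request target is one token
# because spaces inside it are percent-encoded.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_target(url, allowed_hosts=(), resolver=socket.gethostbyname):
    """Classify where a peer/directory URL would make the server connect.

    Returns 'bad-scheme', 'metadata', 'allowed', 'internal', 'external' or
    'unresolvable'. Only 'allowed' should pass a filter; everything else is
    at least worth an alert. The allowlist is matched by hostname, so keep it
    to names you control. Resolution happens once here and the real
    connection is made later by the server, so DNS rebinding remains
    possible; this check reduces, not eliminates, the SSRF surface.
    """
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if parts.scheme not in ("http", "https") or not host:
        return "bad-scheme"
    if host in METADATA_HOSTS:
        return "metadata"
    if host in allowed_hosts:
        return "allowed"
    try:
        ip = ipaddress.ip_address(host)                 # IP literal
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolver(host))   # hostname -> first record
        except (KeyError, ValueError, OSError):         # OSError covers socket.gaierror
            return "unresolvable"
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified or ip.is_multicast):
        return "internal"
    return "external"


def scan_log(lines, allowed_hosts=(), resolver=socket.gethostbyname):
    """Return (src_ip, path, param, url, verdict) for every URL-valued parameter
    sent to a suspect endpoint whose target is not an allowlisted peer."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path not in SUSPECT_PATHS:
            continue
        # parse_qs percent-decodes, so 'http%3A%2F%2F...' is caught too; a raw
        # substring match on 'http://' (as in the SIEM query above) would miss it.
        for name, values in parse_qs(query).items():
            for value in values:
                if "://" not in value:
                    continue
                verdict = classify_target(value, allowed_hosts, resolver)
                if verdict != "allowed":
                    findings.append((m.group("src"), path, name, value, verdict))
    return findings


# Constructed sample data: hostnames, addresses and log lines are made up.
CONSTRUCTED_DNS = {"peer2.emissary.example": "10.20.0.10", "vault.corp.example": "10.0.8.3"}


def constructed_resolver(host):
    """Stand-in for socket.gethostbyname so the example runs offline."""
    return CONSTRUCTED_DNS[host]  # KeyError -> 'unresolvable'


SAMPLE_LOG = [
    '10.20.0.9 - - [14/Jun/2021:09:12:01 +0000] "POST /RegisterPeerAction.do?directoryName=http%3A%2F%2Fpeer2.emissary.example%3A8001%2FDirectoryPlace HTTP/1.1" 200 17',
    '10.20.0.9 - - [14/Jun/2021:09:12:05 +0000] "POST /RegisterPeerAction.do?directoryName=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2F HTTP/1.1" 200 17',
    '203.0.113.7 - - [14/Jun/2021:09:12:09 +0000] "POST /AddChildDirectoryAction.do?directoryName=http%3A%2F%2F10.0.5.12%3A8500%2Fv1%2Fkv%2Fsecrets HTTP/1.1" 200 17',
    '203.0.113.7 - - [14/Jun/2021:09:12:12 +0000] "POST /AddChildDirectoryAction.do?directoryName=http%3A%2F%2Fvault.corp.example%3A8200%2Fv1%2Fsecret HTTP/1.1" 200 17',
    '10.20.0.9 - - [14/Jun/2021:09:12:20 +0000] "GET /emissary/Status.action HTTP/1.1" 200 4021',
    '198.51.100.4 - - [14/Jun/2021:09:12:30 +0000] "POST /RegisterPeerAction.do?directoryName=http%3A%2F%2F93.184.216.34%3A8001%2FDirectoryPlace HTTP/1.1" 200 17',
]


def demo():
    """Triage the constructed log with one legitimate peer allowlisted."""
    return scan_log(SAMPLE_LOG, allowed_hosts={"peer2.emissary.example"}, resolver=constructed_resolver)


if __name__ == "__main__":
    for src, path, param, url, verdict in demo():
        print("%-14s %-28s %-13s %-12s %s" % (src, path, param, verdict, url))
```

Running the block flags the metadata-service URL, the two private-address targets (one as an IP literal, one via the constructed DNS entry) and the unrecognized external peer, while the allowlisted peer passes. Two caveats for production use: a filter that resolves the hostname and then hands the request to Emissary, which resolves it again, is exposed to DNS rebinding, so pair the allowlist with egress filtering on the Emissary host; and if the parameters travel in a POST body, the access log alone will not contain them.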
🔗 References
- https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/AddChildDirectoryAction.java
- https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/RegisterPeerAction.java
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-2p8j-2rf3-h4xr