CVE-2022-25800

9.1 CRITICAL

📋 TL;DR

This vulnerability allows Server-Side Request Forgery (SSRF) attacks through the whois lookup tool in Best Practical RT for Incident Response (RTIR). Attackers can make the application send unauthorized requests to internal or external systems. Organizations running vulnerable RTIR versions are affected.

💻 Affected Systems

Products:
  • Best Practical RT for Incident Response (RTIR)
Versions: RTIR versions before 4.0.3 and 5.x versions before 5.0.3
Operating Systems: All platforms running RTIR
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the whois lookup feature enabled are vulnerable. This is a core feature of RTIR.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, or pivot to other systems within the network, potentially leading to full network compromise.

🟠 Likely Case

Attackers scan internal networks, access metadata services, or interact with internal APIs to gather information about the infrastructure.

🟢 If Mitigated

With proper network segmentation and egress filtering, impact is limited to information disclosure from accessible internal services.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to RTIR. The SSRF vulnerability is in the whois lookup functionality, which is typically accessible to users with the appropriate permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RTIR 4.0.3 and RTIR 5.0.3

Vendor Advisory: https://docs.bestpractical.com/release-notes/rtir/index.html

Restart Required: Yes

Instructions:

1. Back up your RTIR installation and database.
2. Download RTIR 4.0.3 or 5.0.3 from Best Practical.
3. Follow the upgrade instructions for your version.
4. Restart the RTIR service.
5. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Disable whois lookup feature (platform: all)

Temporarily disable the vulnerable whois lookup functionality until patching is possible.

# Modify RTIR configuration to disable whois lookups
# Consult RTIR documentation for specific configuration changes

Restrict network egress (platform: linux)

Implement egress filtering to limit which systems the RTIR server can communicate with.

# Configure firewall rules to restrict RTIR server outbound connections
# Example: iptables -A OUTPUT -p tcp --dport 43 -j DROP
# Note: this example drops all outbound whois (TCP/43) traffic, so it also stops
# legitimate lookups; scope egress rules to the destinations RTIR actually needs.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate RTIR from sensitive internal systems
  • Monitor and log all outbound connections from RTIR servers for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check your RTIR version. If running RTIR < 4.0.3 or RTIR 5.x < 5.0.3, you are vulnerable.

Check Version:

Check RTIR web interface or configuration files for version information

Verify Fix Applied:

Verify RTIR version is 4.0.3 or higher (for RTIR 4.x) or 5.0.3 or higher (for RTIR 5.x). Test whois lookup functionality to ensure it properly validates URLs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual whois lookup patterns
  • Multiple whois requests to non-standard domains
  • Whois requests to internal IP addresses

Network Indicators:

  • RTIR server making unexpected outbound connections
  • Traffic from RTIR to internal services not typically accessed

SIEM Query:

source="rtir_logs" AND (whois OR lookup) AND (internal_ip OR 127.0.0.1 OR 169.254.169.254)
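As an added example (not part of this advisory, and not RTIR's own code), offline triage logic for the log indicators above: it parses whois lookup entries in a constructed log layout and flags targets that are loopback, link-local, private or the 169.254.169.254 metadata endpoint, that carry a URL scheme, or that point at a port other than whois's TCP/43. The log line format and the sample lines are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Constructed log layout for this example (assumption: not RTIR's real log format):
#   "<timestamp> user=<login> whois target=<host-or-ip>[:port]"
LOG_LINE = re.compile(r"user=(?P<user>\S+)\s+whois\s+target=(?P<target>\S+)")
METADATA_IP = ipaddress.ip_address("169.254.169.254")  # cloud instance metadata endpoint
WHOIS_PORT = 43  # whois is plain TCP/43; any other port is odd for a whois lookup

def classify_target(target):
    """Return why a whois lookup target looks like SSRF abuse (empty list if benign)."""
    reasons = []
    if "://" in target:
        reasons.append("url scheme in whois target")  # a whois tool should never get a URL
        parts = urlsplit(target)
    else:
        parts = urlsplit("//" + target)  # lets urlsplit separate host from port, incl. [v6]:port
    try:
        port = parts.port
    except ValueError:  # e.g. "host:abc": malformed, flag it and carry on
        port, reasons = None, reasons + ["unparseable port"]
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        ip = None  # a hostname; DNS resolution is out of scope for an offline log check
    if ip == METADATA_IP:
        reasons.append("cloud metadata endpoint")
    elif ip is not None and (ip.is_loopback or ip.is_link_local or ip.is_private):
        reasons.append("loopback address" if ip.is_loopback
                       else "link-local address" if ip.is_link_local else "private address")
    if port is not None and port != WHOIS_PORT:
        reasons.append("non-whois port %d" % port)
    return reasons

def scan_log(lines):
    """Return (user, target, reasons) for every whois lookup line that gets flagged."""
    hits = []
    for m in filter(None, map(LOG_LINE.search, lines)):
        reasons = classify_target(m.group("target"))
        if reasons:
            hits.append((m.group("user"), m.group("target"), reasons))
    return hits

# Constructed sample lines (not real RTIR output); scan_log(SAMPLE_LOG) flags the last three.
SAMPLE_LOG = [
    "2022-03-01T10:00:01Z user=alice whois target=example.com",
    "2022-03-01T10:00:07Z user=bob whois target=169.254.169.254",
    "2022-03-01T10:00:09Z user=bob whois target=10.0.0.5:8080",
    "2022-03-01T10:00:12Z user=bob whois target=http://127.0.0.1/admin",
]
```

Hostnames are deliberately not resolved here; a production check should also resolve them and apply the same address classes to the result.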
