CVE-2024-22873
📋 TL;DR
Tencent Blueking CMDB versions 3.2.x to 3.9.x contain a Server-Side Request Forgery (SSRF) vulnerability in the event subscription function. Attackers can send crafted POST requests to make the server perform unauthorized internal requests, potentially accessing sensitive internal systems. All deployments running affected versions are vulnerable.
💻 Affected Systems
- Tencent Blueking CMDB
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot from the CMDB server to access internal services like databases, cloud metadata services, or administrative interfaces, leading to full network compromise.
Likely Case
Attackers scan internal networks, access internal APIs, or retrieve sensitive information from internal services accessible to the CMDB server.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to the CMDB server's own network segment.
🎯 Exploit Status
Exploitation requires sending a crafted POST request to the vulnerable endpoint. Public proof-of-concept code is available in the referenced gist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.10.x or later
Vendor Advisory: http://blueking.com
Restart Required: Yes
Instructions:
1. Back up your CMDB configuration and data.
2. Upgrade to Blueking CMDB version 3.10.x or later.
3. Restart all CMDB services.
4. Verify the fix by testing the event subscription endpoint.
🔧 Temporary Workarounds
Network Segmentation
Restrict outbound network access from the CMDB server to only the internal services it needs. The rules below drop all outbound HTTP and HTTPS from the host; insert ACCEPT rules for the specific destinations the CMDB legitimately calls before them, or the CMDB's own outbound integrations will break as well.
# Drop all outbound HTTP/HTTPS (add ACCEPT rules for required destinations above these)
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
WAF/Proxy Filtering
Configure the web application firewall or reverse proxy to block subscription requests whose payload contains internal IP addresses, loopback or link-local addresses, or internal hostnames.
🧯 If You Can't Patch
- Implement strict network egress filtering from the CMDB server to prevent access to internal services.
- Disable the event subscription functionality if not required for operations.
🔍 How to Verify
Check if Vulnerable:
Check if your CMDB version is between 3.2.x and 3.9.x by examining the service version endpoint or configuration files.
Check Version:
curl -X GET http://<cmdb-host>/api/v3/version
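A small helper for the version check above, added here as an example and not part of the advisory or the Blueking project: it pulls the first dotted version out of whatever the version endpoint or a config file returns and tests it against the affected range (3.2.x through 3.9.x, fixed in 3.10.x). The response format of /api/v3/version is an assumption; the function only needs the version string to appear somewhere in the body.

```python
import re

# Affected range stated in the advisory: 3.2.x up to but not including 3.10
AFFECTED_MIN = (3, 2)
FIXED_MIN = (3, 10)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from the first dotted version found in text."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version string found")
    return tuple(int(x) for x in m.groups(default="0"))


def is_affected(text):
    """True if the version in text falls in the vulnerable 3.2.x..3.9.x range."""
    major_minor = parse_version(text)[:2]
    return AFFECTED_MIN <= major_minor < FIXED_MIN


if __name__ == "__main__":
    # Constructed sample body; the real endpoint's JSON layout is assumed
    sample = '{"result": true, "data": {"version": "3.9.12"}}'
    print(parse_version(sample), "affected" if is_affected(sample) else "not affected")
```

Feed it the body returned by the curl command above (or the contents of the deployment's version file); anything that parses into 3.2 through 3.9 is reported as affected, 3.10 and later is not.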
Verify Fix Applied:
After patching, attempt to exploit the vulnerability using the public PoC. Successful exploitation should no longer be possible.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /service/subscription.go with external or internal URLs in the payload
- Outbound connections from CMDB server to unexpected internal IPs
Network Indicators:
- HTTP requests from CMDB server to internal services not typically accessed
- Unusual port scanning activity originating from CMDB server
SIEM Query:
source="cmdb-logs" AND uri="/service/subscription.go" AND method="POST" AND (payload CONTAINS "http://" OR payload CONTAINS "https://")
🔗 References
- http://blueking.com
- http://tencent.com
- https://gist.github.com/exp1orer/0f190c6a64b668a9b1c4c47789affa09
- https://sphenoid-enquiry-9be.notion.site/BK-CMDB-SSRF-ba21e94f4976460188fa52d26c15a6ae?pvs=4