CVE-2024-29026
📋 TL;DR
This CVE describes a Cross-Origin Resource Sharing (CORS) misconfiguration in Owncast versions 0.1.2 and prior. The admin API middleware answers cross-origin requests permissively (it reflects the request's Origin header in Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials: true), so a page on any origin that an authenticated administrator visits can make credentialed cross-origin requests to the admin API and read the responses, including the one that contains the admin password. Every user running a vulnerable instance is affected; the attack needs only an administrator whose browser holds credentials for the instance to open an attacker-controlled page.
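The following is an added example, not Owncast's code and not from the advisory: it reconstructs the misconfiguration class described above (reflecting the Origin header while allowing credentials) next to a hardened middleware that only acknowledges an explicit allowlist, and probes both the way an admin's browser would on behalf of a foreign page. The handler names, the password value, the endpoint path and the origins `https://attacker.example` and `https://stream.example` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed secret for this example; it stands in for the admin password
// that the leaking endpoint returns.
const adminPassword = "example-admin-password"

// vulnerableAdminCORS reflects whatever Origin the browser sends and also
// allows credentials. A page on any origin that an authenticated admin visits
// can then fetch admin responses with credentials and read them. Illustrative
// reconstruction of the pattern, not Owncast's own middleware.
func vulnerableAdminCORS(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		next(w, r)
	}
}

// hardenedAdminCORS acknowledges only origins on an explicit allowlist (normally
// just the instance's own origin) and sends no CORS headers otherwise, so the
// browser's same-origin policy withholds the response from a foreign page.
func hardenedAdminCORS(allowed map[string]bool, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" && allowed[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Add("Vary", "Origin")
		}
		next(w, r)
	}
}

// adminConfig is a stand-in admin endpoint guarded by HTTP Basic auth that
// returns the admin password in its body.
func adminConfig(w http.ResponseWriter, r *http.Request) {
	_, pw, ok := r.BasicAuth()
	if !ok || pw != adminPassword {
		w.Header().Set("WWW-Authenticate", `Basic realm="admin"`)
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, `{"adminPassword":%q}`, adminPassword)
}

// probe sends the request an admin's browser would send on behalf of a page at
// pageOrigin: cached Basic credentials attached and Origin set. The caller then
// applies the browser's rule for credentialed requests: the page may read the
// body only if Access-Control-Allow-Origin equals pageOrigin exactly and
// Access-Control-Allow-Credentials is "true".
func probe(handler http.HandlerFunc, pageOrigin string) (int, http.Header) {
	req := httptest.NewRequest(http.MethodGet, "/api/admin/serverconfig", nil)
	req.Header.Set("Origin", pageOrigin)
	req.SetBasicAuth("admin", adminPassword)
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code, rec.Header()
}

func main() {
	attacker := "https://attacker.example"
	own := "https://stream.example"
	handlers := []struct {
		name string
		h    http.HandlerFunc
	}{
		{"vulnerable", vulnerableAdminCORS(adminConfig)},
		{"hardened", hardenedAdminCORS(map[string]bool{own: true}, adminConfig)},
	}
	for _, e := range handlers {
		code, h := probe(e.h, attacker)
		readable := h.Get("Access-Control-Allow-Origin") == attacker &&
			h.Get("Access-Control-Allow-Credentials") == "true"
		fmt.Printf("%-10s HTTP %d  Allow-Origin=%q  attacker page can read body: %v\n",
			e.name, code, h.Get("Access-Control-Allow-Origin"), readable)
	}
}
```

Both middlewares return HTTP 200 to the credentialed request; the difference is entirely in the response headers, which is why a server-side log of status codes alone does not reveal the leak. The hardened form also adds `Vary: Origin` so a cache never serves one origin's CORS headers to another.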
💻 Affected Systems
- Owncast
📦 What is this software?
Owncast, by the Owncast Project, is an open source, self-hosted live video streaming and chat server. Its admin interface and admin API are served by the same process as the public stream.
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal admin credentials, gain full control of the Owncast instance, and potentially compromise the underlying server or use it for further attacks.
Likely Case
An attacker lures an administrator to a malicious page and, from that page, exfiltrates the admin password or other sensitive data from the vulnerable Owncast instance, leading to unauthorized admin access and potential service disruption.
If Mitigated
With CORS restricted on the admin API, the browser withholds cross-origin responses from foreign pages, preventing credential theft and maintaining the integrity of the admin interface.
🎯 Exploit Status
The vulnerability is straightforward to exploit via web-based attacks: it requires only that an administrator whose browser holds credentials for the instance visit an attacker-controlled page. Proof-of-concept code is available in the GitHub Security Lab advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Any release containing commit 9215d9ba0f29d62201d3feea9e77dcd274581624 (Owncast 0.1.3 or later)
Vendor Advisory: https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/
Restart Required: Yes
Instructions:
1. Update Owncast to a version containing commit 9215d9ba0f29d62201d3feea9e77dcd274581624 or later.
2. Restart the Owncast service.
3. Verify that admin API responses no longer echo a foreign Origin header with Access-Control-Allow-Credentials: true (see How to Verify below).
🔧 Temporary Workarounds
Configure Reverse Proxy CORS Restrictions
Add strict CORS headers at the reverse proxy level (nginx, Apache, etc.) for the Owncast admin interface. Note that nginx's add_header appends a header rather than replacing one the upstream already sent, so the permissive headers Owncast emits must be stripped with proxy_hide_header first; otherwise the response carries both sets. The allowed origin should be the instance's own origin, since the admin UI is served from the same host and needs nothing else.
# Example nginx configuration, inside the location block that proxies /api/admin/ to Owncast.
# add_header appends; strip the upstream CORS headers first so these replace them.
proxy_hide_header 'Access-Control-Allow-Origin';
proxy_hide_header 'Access-Control-Allow-Credentials';
add_header 'Access-Control-Allow-Origin' 'https://your-domain.com' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
🧯 If You Can't Patch
- Isolate the Owncast instance behind a firewall or VPN to restrict access to trusted networks only.
- Log the Origin header at the reverse proxy (it is not in the default access log format) and monitor for cross-origin requests to the Owncast admin endpoints.
🔍 How to Verify
Check if Vulnerable:
Send a request to an admin endpoint with a foreign Origin header and inspect the response headers. Credentials are not needed: a 401 response still carries the CORS headers when the instance is vulnerable. Use browser developer tools or curl: curl -s -D - -o /dev/null -H 'Origin: https://attacker.example' https://your-owncast-instance/api/admin/status
If the response contains Access-Control-Allow-Origin: https://attacker.example together with Access-Control-Allow-Credentials: true, the instance is vulnerable.
Check Version:
Check the Owncast web interface dashboard or run: owncast --version
Verify Fix Applied:
Verify that admin endpoints no longer acknowledge a foreign origin. Test with: curl -s -D - -o /dev/null -H 'Origin: https://malicious-site.com' https://your-owncast-instance/api/admin/status
The fix is applied when the response has no Access-Control-Allow-Origin header echoing https://malicious-site.com (either no such header at all, or one naming only the instance's own origin).
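The check above as a small Go tool, added here as an example and not part of Owncast or the advisory. It sends one request with an attacker-chosen Origin and classifies the response headers by the browser's rule for credentialed cross-origin reads, distinguishing the CVE's pattern (foreign origin echoed with credentials allowed) from a bare wildcard, which browsers refuse to combine with credentials. The names `classify`, `checkEndpoint`, the `Verdict` strings, the probe origin `https://attacker.example` and the assumption that the vulnerable instance sets the headers even on a 401 are this example's own.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"os"
	"time"
)

// Verdict summarises what the admin endpoint's CORS headers would let a
// foreign origin do with a credentialed request.
type Verdict string

const (
	VerdictReflectsWithCredentials Verdict = "VULNERABLE: echoes foreign Origin with Allow-Credentials true"
	VerdictAllowsForeignOrigin     Verdict = "WEAK: echoes foreign Origin without credentials"
	VerdictWildcard                Verdict = "PERMISSIVE: Allow-Origin is *, browsers refuse credentials with it"
	VerdictRestricted              Verdict = "OK: foreign Origin not acknowledged"
)

// classify applies the browser's rules for a credentialed cross-origin read:
// the page at probeOrigin can read the body only if Allow-Origin equals
// probeOrigin exactly and Allow-Credentials is "true".
func classify(h http.Header, probeOrigin string) Verdict {
	acao := h.Get("Access-Control-Allow-Origin")
	creds := h.Get("Access-Control-Allow-Credentials") == "true"
	switch {
	case acao == probeOrigin && creds:
		return VerdictReflectsWithCredentials
	case acao == probeOrigin:
		return VerdictAllowsForeignOrigin
	case acao == "*":
		return VerdictWildcard
	default:
		return VerdictRestricted
	}
}

// checkEndpoint sends one GET carrying an attacker-chosen Origin and no
// credentials. A 401 is expected and fine: the headers under test are what
// matters, and a vulnerable instance sets them before rejecting the request.
func checkEndpoint(ctx context.Context, url, probeOrigin string) (int, Verdict, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Origin", probeOrigin)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, classify(resp.Header, probeOrigin), nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: corscheck https://your-owncast-instance")
		os.Exit(2)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	url := os.Args[1] + "/api/admin/status"
	status, verdict, err := checkEndpoint(ctx, url, "https://attacker.example")
	if err != nil {
		fmt.Fprintln(os.Stderr, "request failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%s -> HTTP %d: %s\n", url, status, verdict)
}
```

Run it against the instance's base URL before and after patching; the verdict should move from VULNERABLE to OK. Because the probe sends no credentials it never reads the password itself, so it is safe to run against production.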
📡 Detection & Monitoring
Log Indicators:
- Requests to /api/admin/* endpoints carrying an Origin header that is not the instance's own origin; successful (2xx) ones are the requests that actually disclosed data
- Note that in this attack the requests come from the victim administrator's browser, so the client IP is the admin's, not the attacker's; the Origin header is the distinguishing field
Network Indicators:
- Cross-origin requests to admin API endpoints from unauthorized domains
- Unusual traffic patterns to the Owncast instance
SIEM Query:
Example (pseudo-syntax; requires the reverse proxy to log the Origin header, e.g. $http_origin in an nginx log_format): source='owncast.log' AND (uri_path='/api/admin/*' AND http_header.origin!='https://trusted-domain.com' AND http_header.origin!='-')
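The detection logic above, run over sample proxy log lines, as an added example that is neither Owncast's nor the advisory's. It assumes a custom nginx log_format of the form `'$remote_addr "$request" $status "$http_origin"'`, which you must configure yourself since the default format omits Origin; the log lines, IPs and origins are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample lines in the assumed format:
//   log_format cors '$remote_addr "$request" $status "$http_origin"';
// "-" means the request carried no Origin header. 198.51.100.2 is the admin's
// own browser: the malicious requests originate there, driven by a foreign page.
var sampleLog = `198.51.100.2 "GET /api/admin/serverconfig HTTP/1.1" 200 "https://attacker.example"
198.51.100.2 "GET /api/admin/status HTTP/1.1" 200 "https://stream.example"
198.51.100.2 "GET /api/status HTTP/1.1" 200 "https://attacker.example"
198.51.100.2 "GET /api/admin/status HTTP/1.1" 401 "https://attacker.example"
192.0.2.9 "POST /api/admin/config/key HTTP/1.1" 200 "-"`

var lineRE = regexp.MustCompile(`^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$`)

// Alert is one admin API request made from an origin other than the instance's own.
type Alert struct {
	Client, Method, Path, Origin string
	Status                       int
}

// crossOriginAdminRequests returns requests to /api/admin/ whose Origin is
// present and differs from ownOrigin. Requests without an Origin header are
// not browser cross-origin requests and are skipped; public endpoints are
// out of scope. A 2xx alert is a request that actually disclosed data,
// a 401 a failed attempt that still shows a foreign page targeting the API.
func crossOriginAdminRequests(log, ownOrigin string) []Alert {
	var out []Alert
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		origin := m[5]
		if !strings.HasPrefix(m[3], "/api/admin/") || origin == "-" || origin == "" || origin == ownOrigin {
			continue
		}
		status, _ := strconv.Atoi(m[4])
		out = append(out, Alert{Client: m[1], Method: m[2], Path: m[3], Origin: origin, Status: status})
	}
	return out
}

func main() {
	for _, a := range crossOriginAdminRequests(sampleLog, "https://stream.example") {
		severity := "attempt"
		if a.Status >= 200 && a.Status < 300 {
			severity = "LEAK"
		}
		fmt.Printf("%-8s %s %s %s from %s (HTTP %d)\n",
			severity, a.Client, a.Method, a.Path, a.Origin, a.Status)
	}
}
```

Two of the five sample lines are flagged: the 200 to /api/admin/serverconfig from the attacker origin (a disclosure) and the 401 to /api/admin/status (an attempt). The same admin's legitimate request from the instance's own origin and the credential-less POST are left alone.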
🔗 References
- https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32
- https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624
- https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/