CVE-2024-36112
📋 TL;DR
This vulnerability allows users with Dynamic Group viewing permissions (extras.view_dynamicgroup) to see all member objects within those groups, bypassing the normal object-level permission checks. For example, a user could view all Device objects in a Dynamic Group even without device viewing permissions. This affects Nautobot deployments running vulnerable versions from 1.3.0 through 1.6.22 or from 2.0.0 through 2.2.4.
💻 Affected Systems
- Nautobot
📦 What is this software?
Nautobot by Networktocode
⚠️ Risk & Real-World Impact
Worst Case
Privileged users with Dynamic Group access could enumerate all sensitive objects (devices, IPs, circuits) across the entire Nautobot deployment, potentially exposing network topology and configuration details to unauthorized personnel.
Likely Case
Users with limited permissions could access information about objects they shouldn't see, violating the principle of least privilege and potentially exposing sensitive network infrastructure details.
If Mitigated
With proper permission controls and upgrades, users only see objects they're explicitly authorized to view, maintaining proper access segregation.
🎯 Exploit Status
Exploitation requires authenticated access with extras.view_dynamicgroup permission. Simple API calls or UI navigation can trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.23 and 2.2.5
Vendor Advisory: https://github.com/nautobot/nautobot/security/advisories/GHSA-qmjf-wc2h-6x3q
Restart Required: Yes
Instructions:
1. Back up your Nautobot database and configuration.
2. Upgrade to Nautobot 1.6.23 if on the 1.x series.
3. Upgrade to Nautobot 2.2.5 if on the 2.x series.
4. Restart Nautobot services.
5. Verify that permissions are correctly enforced.
🔧 Temporary Workarounds
Remove Dynamic Group View Permissions
Temporarily remove the extras.view_dynamicgroup permission from all users except the administrators who absolutely need it.
🧯 If You Can't Patch
- Review and restrict extras.view_dynamicgroup permissions to only essential administrators
- Implement network segmentation to limit access to Nautobot API endpoints from unauthorized users
🔍 How to Verify
Check if Vulnerable:
Check the Nautobot version via the admin interface or run: nautobot-server version. If the version is within 1.3.0 to 1.6.22 or 2.0.0 to 2.2.4, the system is vulnerable.
Check Version:
nautobot-server version
Verify Fix Applied:
After upgrade, test with a low-privilege user having extras.view_dynamicgroup permission but lacking object-level permissions. Verify they cannot see restricted objects in Dynamic Group views.
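The post-upgrade check above can be scripted. The following is an added example, not Nautobot's own code: it takes an API token for a deliberately low-privilege test account (one that holds extras.view_dynamicgroup but no object-level view permissions), lists every Dynamic Group, and reports any group whose members are still visible to that account. It assumes the REST endpoints /api/extras/dynamic-groups/ and /api/extras/dynamic-groups/<id>/members/, paginated responses with "count" and "results" keys, and the "Authorization: Token <token>" header; the NAUTOBOT_URL and NAUTOBOT_LOWPRIV_TOKEN environment variable names are placeholders chosen for this example.

```python
"""Post-upgrade check: a low-privilege account must see no Dynamic Group members.

Added example, not part of Nautobot. Endpoint paths, response shape and the
token header are assumptions about the REST API; adjust them if they differ.
"""
import json
import urllib.error
import urllib.request


def http_get_json(base_url, token, path):
    """GET base_url+path with token auth; return (HTTP status, parsed JSON body)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Token {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # A 403 here is an acceptable answer for an account without object permissions.
        return err.code, {}


def check_member_visibility(base_url, token, fetch=http_get_json):
    """Return {group_name: member_count} for every Dynamic Group whose members
    the token's account can read. For an account that has no object-level view
    permissions, an empty dict means the fix is behaving as expected.
    `fetch` is injectable so the logic can be exercised offline."""
    status, body = fetch(base_url, token, "/api/extras/dynamic-groups/")
    if status != 200:
        raise RuntimeError(
            f"cannot list Dynamic Groups (HTTP {status}); "
            "does the test account hold extras.view_dynamicgroup?"
        )
    leaks = {}
    for group in body.get("results", []):
        gid = group["id"]
        status, members = fetch(base_url, token, f"/api/extras/dynamic-groups/{gid}/members/")
        if status != 200:
            continue  # 403/404: nothing is exposed to this account for that group
        count = members.get("count", len(members.get("results", [])))
        if count:
            leaks[group.get("name", str(gid))] = count
    return leaks


if __name__ == "__main__":
    import os
    import sys

    url = os.environ.get("NAUTOBOT_URL", "https://nautobot.example.invalid")  # placeholder
    token = os.environ.get("NAUTOBOT_LOWPRIV_TOKEN", "")  # placeholder
    leaks = check_member_visibility(url, token)
    if leaks:
        print("FAIL: members still visible without object permissions:", leaks)
        sys.exit(1)
    print("OK: no Dynamic Group members visible to the low-privilege account")
```

Run it once with the low-privilege token before and once after the upgrade: on a vulnerable version the script lists member counts for the groups, on 1.6.23 / 2.2.5 it should print OK. A 403 on the members endpoint is treated the same as an empty list, since either way nothing is exposed.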
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /extras/dynamic-groups/ or /api/extras/dynamic-groups/ endpoints from users with limited permissions
Network Indicators:
- Multiple GET requests to Dynamic Group member endpoints from a single user within a short timeframe
SIEM Query:
source="nautobot" AND (uri_path="/extras/dynamic-groups/*" OR uri_path="/api/extras/dynamic-groups/*/members/") AND user_permissions!="*"
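The network indicator above (many member lookups by one user in a short window) can be turned into a concrete detection. The following is an added example, not part of Nautobot or the advisory: it parses constructed access-log lines in a simple key=value layout (an assumption; adapt the regex to your reverse proxy or Nautobot's request logging), keeps only successful GETs that reveal a specific Dynamic Group's members (the REST members endpoint named in the SIEM query, plus a group's UI detail page), and flags any user who performs at least `threshold` such lookups inside a sliding window of `window_seconds`.

```python
"""Flag users enumerating Dynamic Group members in a short window.

Added example, not Nautobot code. The log line layout is a constructed
assumption; only LINE_RE needs to change for a different log source.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-30T10:00:01Z user=alice method=GET path=/api/extras/dynamic-groups/ status=200
2024-05-30T10:00:02Z user=alice method=GET path=/api/extras/dynamic-groups/1/members/ status=200
2024-05-30T10:00:03Z user=alice method=GET path=/api/extras/dynamic-groups/2/members/ status=200
2024-05-30T10:00:04Z user=alice method=GET path=/api/extras/dynamic-groups/3/members/ status=200
2024-05-30T10:00:05Z user=alice method=GET path=/api/extras/dynamic-groups/4/members/ status=200
2024-05-30T10:00:06Z user=alice method=GET path=/api/extras/dynamic-groups/5/members/ status=200
2024-05-30T10:00:07Z user=carol method=GET path=/api/dcim/devices/ status=200
2024-05-30T10:00:10Z user=bob method=GET path=/extras/dynamic-groups/2/ status=200
2024-05-30T10:05:00Z user=bob method=GET path=/api/extras/dynamic-groups/2/members/ status=200
2024-05-30T10:15:00Z user=bob method=GET path=/api/extras/dynamic-groups/3/members/ status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Paths that reveal the members of one specific Dynamic Group: the REST
# members endpoint from the advisory and the UI detail page of a group.
MEMBER_PATH_RE = re.compile(
    r"^(?:/api/extras/dynamic-groups/[^/]+/members/|/extras/dynamic-groups/[^/]+/)$"
)


def parse_log(text):
    """Parse log text into (timestamp, user, method, path, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["method"], m["path"], int(m["status"])))
    return events


def find_enumerators(events, window_seconds=60, threshold=5):
    """Return {user: peak_count} for users with at least `threshold` successful
    member lookups inside any sliding window of `window_seconds`."""
    per_user = defaultdict(list)
    for ts, user, method, path, status in events:
        if method == "GET" and status == 200 and MEMBER_PATH_RE.match(path):
            per_user[user].append(ts)

    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until the span fits in window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, count in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} fetched members of {count} Dynamic Groups within 60s")
```

With the defaults only alice is flagged (five member lookups in four seconds); bob's three lookups are spread over fifteen minutes and only trip the rule with a much wider window. Tune `window_seconds` and `threshold` to the normal browsing rate of your administrators, and treat a hit from a user without broad object permissions as the signal worth investigating.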
🔗 References
- https://github.com/nautobot/nautobot/pull/5757
- https://github.com/nautobot/nautobot/pull/5762
- https://github.com/nautobot/nautobot/security/advisories/GHSA-qmjf-wc2h-6x3q