CVE-2024-39713
📋 TL;DR
This Server-Side Request Forgery (SSRF) vulnerability in Rocket.Chat's Twilio webhook endpoint allows attackers to make unauthorized requests to internal systems. It affects Rocket.Chat instances before version 6.10.1 that have the Twilio integration enabled. Attackers can potentially access internal services that should not be exposed.
💻 Affected Systems
- Rocket.Chat
📦 What is this software?
Rocket.Chat by Rocket.Chat
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network services, data exfiltration from internal systems, and potential lateral movement to other critical infrastructure.
Likely Case
Information disclosure from internal services, enumeration of internal network topology, and potential access to metadata services in cloud environments.
If Mitigated
Limited impact due to network segmentation, with only non-critical internal services accessible and no sensitive data exposure.
🎯 Exploit Status
Exploitation requires access to the Twilio webhook endpoint but does not require authentication to Rocket.Chat itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.10.1
Vendor Advisory: https://github.com/RocketChat/Rocket.Chat/releases/tag/6.10.1
Restart Required: Yes
Instructions:
1. Backup your Rocket.Chat instance and database.
2. Update to version 6.10.1 or later using your deployment method (Docker, Snap, manual).
3. Restart the Rocket.Chat service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Twilio Integration
Temporarily disable the Twilio webhook integration until patching is possible.
Navigate to Administration > Workspace > Settings > OAuth > Twilio and disable the integration
Network Segmentation
Restrict outbound network access from the Rocket.Chat server to only necessary external services.
Configure firewall rules to block outbound HTTP/HTTPS from Rocket.Chat server except to required external APIs
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Rocket.Chat from internal services
- Deploy a web application firewall (WAF) with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check if Rocket.Chat version is below 6.10.1 and Twilio integration is enabled in Administration settings.
Check Version:
Check Administration > Info or run `rocketchatctl version` in terminal
Verify Fix Applied:
Confirm Rocket.Chat version is 6.10.1 or higher and test the Twilio webhook endpoint with SSRF payloads.
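The "below 6.10.1 and Twilio enabled" check above is easy to get wrong when versions are compared as plain strings ("6.9.10" sorts after "6.10.1" lexicographically). The following Python helper is an added example, not part of this advisory or of Rocket.Chat's tooling; it parses the version reported by the Administration > Info page or `rocketchatctl version` into a comparable tuple, treats a pre-release build such as 6.10.1-rc.0 as older than the final 6.10.1, and combines the result with the Twilio setting. The version strings passed in below are constructed inputs.

```python
import re

# Version in which the Twilio webhook SSRF was fixed (from the advisory).
PATCHED = (6, 10, 1)


def parse_version(version):
    """Parse 'MAJOR.MINOR.PATCH' with an optional pre-release suffix into a tuple.

    The trailing element orders a pre-release (6.10.1-rc.0) before the final
    release of the same number (6.10.1). A leading 'v' is tolerated.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    prerelease = m.group(4)
    return (major, minor, patch, 0 if prerelease else 1)


def is_vulnerable(version, twilio_enabled):
    """True when the instance is below 6.10.1 AND the Twilio integration is on."""
    if not twilio_enabled:
        return False
    return parse_version(version) < PATCHED + (1,)


if __name__ == "__main__":
    # Constructed sample inputs, not values read from a real instance.
    for v, twilio in [("6.9.10", True), ("6.10.1-rc.0", True), ("6.10.1", True), ("6.9.10", False)]:
        print(f"{v:12} twilio={twilio!s:5} vulnerable={is_vulnerable(v, twilio)}")
```

A naive `"6.9.10" < "6.10.1"` comparison returns False and would report a vulnerable 6.9.10 instance as patched; the tuple comparison avoids that.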
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Rocket.Chat server to internal IP addresses
- Requests to metadata services (169.254.169.254, 100.100.100.200)
- Multiple failed webhook calls to unusual domains
Network Indicators:
- HTTP requests from Rocket.Chat server to internal network ranges
- Requests to localhost/127.0.0.1 from the server itself
- Unusual port scanning patterns from the server
SIEM Query:
source="rocketchat" AND (url="*169.254.169.254*" OR url="*127.0.0.1*" OR url="*localhost*" OR dst_ip=10.0.0.0/8 OR dst_ip=172.16.0.0/12 OR dst_ip=192.168.0.0/16)
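The log and network indicators above reduce to one question: is the Rocket.Chat server making outbound HTTP requests to loopback, link-local, RFC 1918 or cloud-metadata destinations? The script below is an added example, not part of this advisory, that applies that classification to egress log lines. The log format (timestamp, source host, method, URL, status) and every line in SAMPLE_LOG are constructed for the example; adapt the regex to whatever your proxy or host firewall actually emits. Hostnames other than "localhost" are left unclassified because judging them would require DNS resolution, which the example deliberately avoids.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample egress log (not real Rocket.Chat output):
# <timestamp> <source host> <method> <url> <http status>
SAMPLE_LOG = """\
2024-07-01T10:00:01Z rocketchat-1 POST https://api.twilio.com/2010-04-01/Accounts/ACxxxx/Messages.json 201
2024-07-01T10:00:05Z rocketchat-1 GET http://169.254.169.254/latest/meta-data/ 200
2024-07-01T10:00:07Z rocketchat-1 GET http://127.0.0.1:3000/api/v1/info 200
2024-07-01T10:00:09Z rocketchat-1 GET http://localhost:27017/ 000
2024-07-01T10:00:11Z rocketchat-1 GET http://10.0.5.12:8080/admin 403
2024-07-01T10:00:13Z rocketchat-1 GET http://100.100.100.200/latest/meta-data/ 200
2024-07-01T10:00:15Z rocketchat-1 GET https://hooks.example.org/notify 200
"""

# Metadata endpoints named in the advisory's indicators.
METADATA_HOSTS = {"169.254.169.254", "100.100.100.200"}
LOOPBACK_NAMES = {"localhost"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_host(host):
    """Return a reason label if `host` is an internal or sensitive destination, else None."""
    if host.lower() in LOOPBACK_NAMES:
        return "loopback-name"
    if host in METADATA_HOSTS:
        return "cloud-metadata"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # hostname; resolution would be needed to judge it, out of scope here
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:  # covers 10/8, 172.16/12, 192.168/16 and the other IANA special ranges
        return "private-range"
    return None


def scan_log(text):
    """Parse egress log lines and return the requests that hit internal destinations."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production version would count these
        host = urlsplit(m["url"]).hostname or ""
        reason = classify_host(host)
        if reason:
            findings.append(
                {"ts": m["ts"], "src": m["src"], "host": host, "url": m["url"], "reason": reason}
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['host']:16} {f['reason']:14} {f['url']}")
```

Only the Twilio API and the external webhook host pass through unflagged; the five requests to metadata, loopback and private addresses are what the SIEM query above is meant to surface. Because the legitimate Twilio traffic goes to a single public API host, an egress allowlist for the Rocket.Chat server (the "Network Segmentation" workaround) can be validated with the same classifier.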