CVE-2024-41664
📋 TL;DR
Canarytokens.org had a blind Server-Side Request Forgery (SSRF) vulnerability in its webhook alert feature that allowed attackers to map internal network ports when creating Canarytokens. This affected all users of Canarytokens.org and self-hosted installations before the patch. The vulnerability was in the test request functionality that validated webhook URLs without proper safety checks.
💻 Affected Systems
- Canarytokens
- Canarytokens.org
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map internal infrastructure, discover services, and potentially pivot to internal systems if vulnerable services are exposed.
Likely Case
Internal network reconnaissance revealing open ports and services within the Canarytokens infrastructure.
If Mitigated
Limited to port scanning of internal infrastructure with no data exfiltration or system compromise.
🎯 Exploit Status
Exploitation requires creating a Canarytoken with a malicious webhook URL. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Docker image sha-8ea5315 and later
Vendor Advisory: https://github.com/thinkst/canarytokens/security/advisories/GHSA-g6h5-pf7p-qmvj
Restart Required: Yes
Instructions:
1. For self-hosted installations: pull the latest Docker image or any image after sha-097d91a.
2. Restart the Canarytokens container.
3. For Canarytokens.org users: the service has been patched automatically.
🔧 Temporary Workarounds
Disable webhook alerts
Configure Canarytokens to use email alerts only instead of webhooks
Network segmentation
Restrict the Canarytokens container's network access to prevent internal scanning, e.g.:
docker run --network=none ...
Use Docker network policies to limit egress
🧯 If You Can't Patch
- Monitor for unusual webhook URL patterns in Canarytoken creation logs
- Implement network egress filtering to restrict Canarytokens container outbound connections
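The safety check the TL;DR says the webhook test request lacked can be illustrated with a host validation step run before any user-supplied webhook URL is contacted. This is an added example, not canarytokens project code; the hostnames, addresses and the FAKE_DNS table are constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolution table so the example runs offline; a real check
# would call socket.getaddrinfo() and apply the same test to every answer.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "dual.example.com": ["93.184.216.34", "192.168.1.20"],
    "v6.example.com": ["::ffff:172.20.0.9"],
    "localhost": ["127.0.0.1"],
}
ALLOWED_SCHEMES = {"https"}


def resolve(host):
    """Return every address for host: literal IPs as-is, names via FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_global_address(addr):
    """True only for a routable public address (unwraps IPv4-mapped IPv6)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_global


def webhook_url_is_safe(url):
    """Return (ok, reason); send the test request only when ok is True."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addrs = resolve(host)
    if not addrs:
        return False, "unresolvable host"  # fail closed
    # Every answer must be public: one private record is enough to turn the
    # test request into an internal port probe. Note that validating here and
    # resolving again at connect time leaves a DNS-rebinding window; a full fix
    # connects to the address that was validated.
    for addr in addrs:
        if not is_global_address(addr):
            return False, f"{host} resolves to non-public {addr}"
    return True, "ok"
```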
🔍 How to Verify
Check if Vulnerable:
Check Docker image version: docker inspect canarytokens | grep -i sha
Verify Fix Applied:
Verify running Docker image is sha-8ea5315 or later: docker ps --format '{{.Image}}' | grep canarytokens
📡 Detection & Monitoring
Log Indicators:
- Unusual webhook URLs in Canarytoken creation logs
- Multiple failed webhook test requests to internal IPs
Network Indicators:
- Outbound connections from Canarytokens container to internal IP ranges on various ports
SIEM Query:
source="canarytokens" AND (url="*://10.*" OR url="*://192.168.*" OR url="*://172.16.*")