CVE-2024-47222
📋 TL;DR
This vulnerability in Cloud MyOffice SDK Collaborative Editing Server allows Server-Side Request Forgery (SSRF) through manipulation of MS-WOPI protocol requests from external document storage. Attackers can force the server to make unauthorized requests to internal systems, potentially accessing sensitive data or services. Organizations using MyOffice SDK Collaborative Editing Server versions 2.2.2 through 2.8 are affected.
💻 Affected Systems
- Cloud MyOffice SDK Collaborative Editing Server
📦 What is this software?
My Office Sdk by Myoffice
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network via SSRF to access cloud metadata services, internal APIs, or administrative interfaces, potentially leading to data exfiltration, lateral movement, or full system takeover.
Likely Case
Unauthorized access to internal services and data via SSRF, potentially exposing sensitive information, internal APIs, or cloud metadata that could be leveraged for further attacks.
If Mitigated
Limited impact with proper network segmentation and egress filtering, restricting the server's ability to reach sensitive internal resources even if SSRF is successful.
🎯 Exploit Status
SSRF vulnerabilities typically have low exploitation complexity, especially when unauthenticated. The MS-WOPI protocol manipulation aspect may require specific knowledge but is well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://support.myoffice.ru/products/myoffice-sdk/
Restart Required: No
Instructions:
1. Monitor vendor advisory for patch release.
2. Upgrade to fixed version when available.
3. Apply patch following vendor instructions.
🔧 Temporary Workarounds
Network Segmentation and Egress Filtering
Restrict outbound network access from the Collaborative Editing Server to only necessary external services.
Input Validation for MS-WOPI Requests
Implement strict validation and allowlisting for MS-WOPI protocol requests, particularly for external document storage URLs.
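The allowlisting workaround above, written out as an added example (this is not MyOffice code and the advisory gives no details of the server's internals). It assumes the editing server receives the storage URL as the WOPI `WOPISrc` query parameter and fetches from it; the allowlist hosts, the log-free resolver hook and the sample URLs are all constructed. The check is exact-host allowlisting first, then a resolution check that rejects loopback and link-local targets (which covers 169.254.169.254) and returns the vetted addresses so the caller can connect to them instead of re-resolving. RFC1918 ranges are deliberately not blocked here because document storage is often internal; the allowlist is the primary control.

```python
import ipaddress
import socket
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only document-storage hosts this editing server
# is expected to contact over WOPI. Exact hostnames, no wildcards or suffixes.
ALLOWED_STORAGE_HOSTS = frozenset({"files.example.com", "storage.example.internal"})


def _system_resolver(host):
    """Resolve host to the set of all of its IPv4/IPv6 addresses."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_forbidden_ip(addr):
    """True for addresses a WOPI fetch must never reach: loopback, link-local
    (which contains the 169.254.169.254 metadata endpoint), multicast, unspecified."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified


def validate_wopi_src(url, allowed_hosts=ALLOWED_STORAGE_HOSTS, resolver=_system_resolver):
    """Vet a WOPISrc value before the server fetches from it.

    Returns (True, "ok", resolved_addresses) or (False, reason, set()).
    Connect to one of the returned, already-checked addresses rather than
    resolving again; re-resolving reopens the DNS-rebinding window.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url", set()
    if parts.scheme != "https":
        return False, "scheme must be https", set()
    # user@host tricks: the real host is whatever follows the '@'
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url not allowed", set()
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host", set()
    if host not in allowed_hosts:
        return False, f"host {host!r} not in storage allowlist", set()
    try:
        if parts.port not in (None, 443):
            return False, "unexpected port", set()
    except ValueError:
        return False, "invalid port", set()
    try:
        addrs = set(resolver(host))
    except OSError:
        return False, "dns resolution failed", set()
    if not addrs:
        return False, "host did not resolve", set()
    bad = sorted(a for a in addrs if _is_forbidden_ip(a))
    if bad:
        return False, f"{host} resolves to forbidden address {bad[0]}", set()
    return True, "ok", addrs


def extract_wopi_src(query_string):
    """Pull the WOPISrc parameter out of an editing request's query string."""
    values = parse_qs(query_string).get("WOPISrc", [])
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed request: storage URL arrives URL-encoded in WOPISrc.
    src = extract_wopi_src("WOPISrc=https%3A%2F%2Ffiles.example.com%2Fwopi%2Ffiles%2F42&access_token=x")
    print(validate_wopi_src(src, resolver=lambda h: {"203.0.113.10"}))
```

The resolver is injectable so the check can be unit-tested offline and so a deployment can plug in its own DNS client; in production leave the default in place.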
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the vulnerable server from sensitive internal systems
- Deploy web application firewall (WAF) rules to detect and block SSRF patterns in MS-WOPI requests
🔍 How to Verify
Check if Vulnerable:
Check the server version via the administrative interface or configuration files. If the version is between 2.2.2 and 2.8 inclusive, the system is vulnerable.
Check Version:
Check the application configuration or administrative console for version information.
Verify Fix Applied:
Verify that the version has been upgraded beyond 2.8 or that the vendor-provided patch has been applied, and confirm that SSRF attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound requests from server to internal IP ranges
- MS-WOPI protocol requests with unusual URL patterns or internal addresses
- Failed authentication attempts to internal services from server IP
Network Indicators:
- Server making unexpected HTTP/HTTPS requests to internal network segments
- Traffic patterns suggesting SSRF attempts to cloud metadata services
SIEM Query:
source_ip="[server_ip]" AND (dest_ip="169.254.169.254" OR dest_ip="10.*" OR dest_ip="172.16.*" OR dest_ip="192.168.*") AND http_method IN ("GET", "POST")
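The SIEM query above is an added example of the same detection logic run over log lines, not something from the advisory or the vendor. It uses proper CIDR matching instead of `10.*`-style globs (which, depending on the SIEM, can match `100.64.x.x` or miss IPv6-mapped addresses), and it excludes the allowlisted storage destinations so legitimate WOPI traffic does not page anyone. The log format, server IP, storage IP and sample lines are all constructed.

```python
import ipaddress
import re

# Destinations the editing server should never fetch from on its own behalf.
WATCHED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32",   # cloud metadata endpoint
    "169.254.0.0/16",       # other link-local
    "127.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed key=value egress log format, e.g. from a proxy or firewall.
LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+method=(?P<method>\S+)\s+url=(?P<url>\S+)"
)


def is_watched(addr):
    """True if addr falls in an internal, loopback, link-local or metadata range."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:169.254.169.254 must be judged as its IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in WATCHED_NETS)


def flag_ssrf_egress(lines, server_ip, allowed_dsts=frozenset()):
    """Return the parsed fields of every line where the editing server talks
    to a watched destination that is not an allowlisted storage host."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line; count these separately in real use
        f = m.groupdict()
        if f["src"] != server_ip or f["dst"] in allowed_dsts:
            continue
        # Mirrors the advisory's GET/POST filter; widen if the server uses other verbs.
        if f["method"] not in ("GET", "POST"):
            continue
        if is_watched(f["dst"]):
            hits.append(f)
    return hits


# Constructed sample: 10.0.5.12 is the editing server, 10.0.9.40 its storage host.
SAMPLE_LOGS = [
    "2024-10-01T10:00:01Z src=10.0.5.12 dst=10.0.9.40 method=GET url=https://files.example.com/wopi/files/42",
    "2024-10-01T10:00:02Z src=10.0.5.12 dst=169.254.169.254 method=GET url=http://169.254.169.254/latest/meta-data/",
    "2024-10-01T10:00:03Z src=10.0.5.12 dst=10.0.0.5 method=POST url=http://10.0.0.5:8080/admin",
    "2024-10-01T10:00:04Z src=10.0.7.3 dst=10.0.0.5 method=GET url=http://10.0.0.5/",
    "2024-10-01T10:00:05Z src=10.0.5.12 dst=203.0.113.7 method=GET url=https://cdn.example.net/x",
    "2024-10-01T10:00:06Z src=10.0.5.12 dst=::ffff:169.254.169.254 method=GET url=http://[::ffff:169.254.169.254]/",
]

if __name__ == "__main__":
    for hit in flag_ssrf_egress(SAMPLE_LOGS, "10.0.5.12", {"10.0.9.40"}):
        print("possible SSRF egress:", hit)
```

Seed `allowed_dsts` from the same storage allowlist the server enforces, so the detection and the control agree on what legitimate WOPI traffic looks like.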