CVE-2024-9825
📋 TL;DR
This CVE describes an insecure direct object reference (IDOR) vulnerability in the Chef Habitat builder-api that allows unauthorized deletion of personal tokens. An authenticated attacker can delete tokens belonging to other users, potentially disrupting the CI/CD pipelines and automation workflows that depend on them. Organizations running vulnerable versions of Chef Habitat builder-api are affected.
💻 Affected Systems
- Chef Habitat builder-api
- Chef Habitat builder (consumes builder-api as dependency)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers systematically delete all personal tokens, causing complete disruption of automated deployments, CI/CD failures, and service outages across the infrastructure.
Likely Case
Targeted deletion of specific user tokens causing temporary disruption to automation workflows and requiring token regeneration.
If Mitigated
Minimal impact with proper access controls and monitoring, though token deletion would still require regeneration efforts.
🎯 Exploit Status
Exploitation requires some level of access to the system, though not necessarily authorization for the specific token deletion action.
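The access-control gap described above is the classic IDOR shape: the caller is authenticated, but the delete handler trusts the token id it was given and never checks who owns that token. The following is an added illustration of the vulnerable pattern beside its hardened form; it is not code from Chef Habitat builder-api, and every name in it (TokenStore, PersonalToken, the handler functions) is assumed for the example.

```python
"""Ownership check on a personal-token delete handler (added illustration,
not Chef Habitat builder-api code; all names below are assumed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PersonalToken:
    token_id: int
    owner: str


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


class TokenStore:
    """In-memory stand-in for the personal-tokens table."""

    def __init__(self):
        self._tokens = {}
        self._next_id = 1

    def create(self, owner):
        token = PersonalToken(self._next_id, owner)
        self._tokens[token.token_id] = token
        self._next_id += 1
        return token

    def get(self, token_id):
        """Unscoped lookup: any token id from any caller."""
        return self._tokens.get(token_id)

    def get_owned_by(self, owner, token_id):
        """Lookup scoped to the caller. A token that exists but belongs to
        someone else is indistinguishable from one that does not exist, so
        the endpoint does not confirm which ids are valid."""
        token = self._tokens.get(token_id)
        if token is not None and token.owner == owner:
            return token
        return None

    def delete(self, token_id):
        del self._tokens[token_id]

    def __contains__(self, token_id):
        return token_id in self._tokens


def delete_token_vulnerable(store, caller, token_id):
    """The caller is authenticated, but the handler never asks whether the
    token it is about to delete belongs to that caller."""
    if store.get(token_id) is None:
        raise NotFound(token_id)
    store.delete(token_id)


def delete_token_fixed(store, caller, token_id):
    """Same endpoint with the lookup scoped by caller, so the ownership
    constraint lives in the query and cannot be skipped by a later code path."""
    if store.get_owned_by(caller, token_id) is None:
        raise NotFound(token_id)
    store.delete(token_id)


def attempt_delete(handler, store, caller, token_id):
    """Run a handler and report whether the deletion went through."""
    try:
        handler(store, caller, token_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    store = TokenStore()
    alice = store.create("alice")
    print("vulnerable, bob deletes alice's token:",
          attempt_delete(delete_token_vulnerable, store, "bob", alice.token_id))
    store = TokenStore()
    alice = store.create("alice")
    print("fixed, bob deletes alice's token:",
          attempt_delete(delete_token_fixed, store, "bob", alice.token_id))
    print("fixed, alice deletes her own token:",
          attempt_delete(delete_token_fixed, store, "alice", alice.token_id))
```

Scoping the lookup by owner (rather than fetching by id and comparing afterwards) is the design choice worth copying: it makes the authorization decision part of the data access, and returning the same 404 for "missing" and "not yours" avoids turning the endpoint into an oracle for which token ids exist.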
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: habitat/builder-api/10315/20240913162802 and all subsequent versions
Vendor Advisory: https://community.progress.com/s/article/Chef-Habitat-Builder-Product-Alert
Restart Required: Yes
Instructions:
1. Update to habitat/builder-api/10315/20240913162802 or later.
2. Use the on-prem stable channel as recommended.
3. Restart the builder-api service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict API Access
Limit network access to builder-api endpoints to trusted sources only and implement API rate limiting.
# Use firewall rules to restrict access. Append one ACCEPT line per trusted
# source before the final DROP so the ACCEPT rules are evaluated first.
iptables -A INPUT -p tcp --dport <builder-api-port> -s <trusted-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <builder-api-port> -j DROP
Enhanced Monitoring
Implement monitoring for token deletion events and alert on suspicious patterns.
# Monitor builder-api logs for token deletion events
grep -i 'token.*delete' /var/log/habitat/builder-api.log
🧯 If You Can't Patch
- Implement strict network segmentation to isolate builder-api from untrusted networks.
- Enforce principle of least privilege for all user accounts and implement multi-factor authentication.
🔍 How to Verify
Check if Vulnerable:
List the installed builder-api packages and compare their version/release against the fix release 10315/20240913162802.
Check Version:
hab pkg list --all | grep builder-api
Verify Fix Applied:
Verify the installed version is 10315/20240913162802 or higher. The ordering is numeric (version greater than 10315, or equal to 10315 with a release of 20240913162802 or later), which a regex on the version string cannot express, so compare the fields instead:
hab pkg list --all | awk -F/ '$2 == "builder-api" {
  patched = ($3 > 10315) || ($3 == 10315 && $4 >= 20240913162802)
  print $0, (patched ? "PATCHED" : "VULNERABLE")
}'
📡 Detection & Monitoring
Log Indicators:
- Unauthorized token deletion attempts
- Multiple token deletion events from single source
- Failed authentication followed by token operations
Network Indicators:
- Unusual API call patterns to token deletion endpoints
- Requests to /v1/depot/tokens/* from unauthorized sources
SIEM Query:
source="builder-api" AND (event="token_delete" OR endpoint="/v1/depot/tokens/*") AND NOT user IN [authorized_users]
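The three log indicators above (a token-delete by a user outside the authorized set, a burst of deletions from one source, and a failed authentication followed by a token operation) can be checked offline against exported logs. The following is an added example, not part of this advisory or of Chef Habitat builder: the log line format and the sample lines are constructed for the example, so the regular expression must be adapted to the real builder-api log layout.

```python
"""Token-deletion detection over builder-api access logs (added example).
The line format and the sample log below are constructed, not the real
builder-api format; adapt LOG_RE to your deployment."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape:
#   <ISO8601 UTC timestamp> src=<ip> user=<name or -> status=<code> <METHOD> <path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>\d{3}) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)
# Endpoint named in the advisory: DELETE /v1/depot/tokens/<id>
TOKEN_DELETE_PATH = re.compile(r"^/v1/depot/tokens/\d+$")

# Constructed sample: one legitimate deletion by alice, a 401 from an
# address that then deletes three tokens in seconds, and an account not in
# the authorized set deleting a token from a third address.
SAMPLE_LOG = """\
2024-09-14T10:00:01Z src=198.51.100.7 user=alice status=200 DELETE /v1/depot/tokens/11
2024-09-14T10:00:05Z src=203.0.113.5 user=- status=401 GET /v1/depot/tokens
2024-09-14T10:00:09Z src=203.0.113.5 user=mallory status=200 DELETE /v1/depot/tokens/12
2024-09-14T10:00:12Z src=203.0.113.5 user=mallory status=200 DELETE /v1/depot/tokens/13
2024-09-14T10:00:15Z src=203.0.113.5 user=mallory status=200 DELETE /v1/depot/tokens/14
2024-09-14T10:00:20Z src=198.51.100.7 user=alice status=200 GET /v1/depot/tokens
2024-09-14T10:02:00Z src=192.0.2.9 user=eve status=200 DELETE /v1/depot/tokens/15
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["status"] = int(ev["status"])
    return ev


def is_token_delete(ev):
    return ev["method"] == "DELETE" and TOKEN_DELETE_PATH.match(ev["path"]) is not None


def make_alert(rule, ev):
    return {"rule": rule, "src": ev["src"], "user": ev["user"],
            "ts": ev["ts"].isoformat(), "path": ev["path"]}


def detect(log_text, authorized_users, window=timedelta(minutes=5),
           burst_threshold=3, auth_gap=timedelta(seconds=60)):
    """Single pass over the log; returns alerts in the order they fire."""
    alerts = []
    recent_deletes = defaultdict(deque)  # src -> timestamps of token deletions in window
    last_auth_failure = {}               # src -> timestamp of the most recent 401
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["status"] == 401:
            last_auth_failure[ev["src"]] = ev["ts"]
            continue
        if not is_token_delete(ev):
            continue
        src, ts = ev["src"], ev["ts"]
        # Indicator: token deletion by a user outside the authorized set
        if ev["user"] not in authorized_users:
            alerts.append(make_alert("token_delete_by_unauthorized_user", ev))
        # Indicator: failed authentication followed by a token operation from
        # the same source; the 401 is consumed so it fires once per failure
        failed = last_auth_failure.pop(src, None)
        if failed is not None and ts - failed <= auth_gap:
            alerts.append(make_alert("auth_failure_then_token_delete", ev))
        # Indicator: multiple deletions from one source inside the window;
        # fires once, when the count reaches the threshold
        q = recent_deletes[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == burst_threshold:
            alerts.append(make_alert("token_delete_burst", ev))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, authorized_users={"alice", "mallory"}):
        print(a)
```

Note that mallory is in the authorized set and still trips two rules: the IDOR does not need an unauthorized account, only an authenticated one, so the burst and auth-failure correlations matter more than the allowlist for this CVE.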