On October 17, 2023, two critical security flaws were discovered in CasaOS, an open-source personal cloud software. These vulnerabilities, known as CVE-2023-37265 and CVE-2023-37266, have a high CVSS score of 9.8 out of 10. Sonar security researcher Thomas Chauchefoin, who found the bugs, explained that they allow attackers to bypass authentication requirements and gain full access to the CasaOS dashboard.
In addition, CasaOS’ support for third-party applications can be exploited to run arbitrary commands on the system, granting persistent access to the device or entry into internal networks.
The flaws were responsibly disclosed on July 3, 2023, and were addressed in version 0.4.4 released by IceWhale, the maintainers of CasaOS, on July 14, 2023.
The first flaw, CVE-2023-37265, stems from incorrect identification of the request's source IP address and lets unauthenticated attackers execute arbitrary commands as root on CasaOS instances. The second flaw, CVE-2023-37266, lets unauthenticated attackers forge arbitrary JSON Web Tokens (JWTs), reach features that require authentication, and likewise execute arbitrary commands as root on CasaOS instances.
Exploiting these vulnerabilities can allow attackers to bypass authentication restrictions and gain administrative privileges on vulnerable CasaOS instances.
Thomas Chauchefoin advises against relying on IP address identification at the application layer for security decisions: it is error-prone, because several different request headers can carry this information and they are not all trustworthy.
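The following Go snippet is an added illustration of that advice, not CasaOS code: it places the risky pattern (believing a forwarding header from any peer, so a remote client can claim to be 127.0.0.1) beside a version that only honours the header when the TCP peer is a known reverse proxy. The proxy address 10.0.0.5 and the sample request addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Proxies whose forwarding headers are accepted (constructed, not a CasaOS value).
var trustedProxies = map[string]bool{"10.0.0.5": true}

// weakClientIP is the risky pattern: it trusts X-Forwarded-For from any peer,
// so any remote client can claim to be 127.0.0.1.
func weakClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	return host
}

// safeClientIP honours the header only when the TCP peer is a known proxy;
// otherwise it returns the socket address, which no HTTP header can alter.
func safeClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	if !trustedProxies[host] {
		return host
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		// A proxy appends the address it saw, so only the last entry was
		// written by the trusted proxy; earlier ones are client-controlled.
		parts := strings.Split(xff, ",")
		return strings.TrimSpace(parts[len(parts)-1])
	}
	return host
}

func main() {
	// Constructed request: a remote client on 203.0.113.9 claiming to be local.
	r := &http.Request{RemoteAddr: "203.0.113.9:4444", Header: http.Header{}}
	r.Header.Set("X-Forwarded-For", "127.0.0.1")
	fmt.Println(weakClientIP(r), safeClientIP(r)) // 127.0.0.1 203.0.113.9
}
```

Any "is this request from localhost?" check in the dashboard must be fed the result of the safe variant; the weak one turns a spoofable header into an authentication decision.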