Kallithea Security Notice CVE-2015-0260

API key of repository's creator exposed by get_repo API method

Synopsis

A vulnerability has been found in Kallithea that allows a remote attacker to gain access to repositories with the privileges of another existing user.

Description

The get_repo API method does not check the identity of the caller and exposes full details of the repository's "followers", regardless of whether the caller is allowed to see such data.

The structures returned by this method contain sensitive information such as the last login timestamp, IP addresses, authentication method details (extern_type and extern_name) and private API access keys:

"followers": [
    {
        "active": true,
        "admin": true,
        "api_key": "f5****9c",
        "api_keys": [
            "f5*****9c"
        ],
        "email": "user.name@company.com",
        "emails": [
            "user.name@company.com"
        ],
        "extern_name": "username",
        "extern_type": "pam",
        "firstname": "User",
        "ip_addresses": [],
        "last_login": "2015-02-08T18:17:39",
        "lastname": "Name",
        "user_id": 3,
        "username": "username"
    }
]
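As an added check (not part of this notice or of the Kallithea code base): the Python script below scans a get_repo JSON-RPC response for the sensitive follower fields listed above, so an administrator can confirm from a captured response whether an instance still leaks them. The set of fields is taken from the structure shown in this notice; the two sample responses are constructed for the example, the "fixed" one being an assumed shape rather than the exact output of the patched code.

```python
import json

# Fields of a "followers" entry that must never be visible to an arbitrary
# API caller, taken from the structure shown in the notice.
SENSITIVE_FOLLOWER_FIELDS = frozenset({
    "api_key", "api_keys", "email", "emails",
    "extern_name", "extern_type", "ip_addresses", "last_login",
})


def leaked_fields(get_repo_result):
    """Map username -> sorted list of sensitive fields present in that
    follower entry. An empty dict means nothing sensitive is exposed."""
    leaks = {}
    for follower in get_repo_result.get("followers", []):
        present = sorted(SENSITIVE_FOLLOWER_FIELDS & set(follower))
        if present:
            leaks[follower.get("username", "<unknown>")] = present
    return leaks


def scan_response(raw_json):
    """Parse a complete JSON-RPC response body and report leaks.
    A JSON-RPC error is returned as {"error": ...} instead of a leak map."""
    body = json.loads(raw_json)
    if body.get("error") is not None:
        return {"error": body["error"]}
    return leaked_fields(body.get("result") or {})


# Constructed sample: a vulnerable response shaped like the one in the notice.
# Key values are placeholders, not real credentials.
SAMPLE_VULNERABLE = json.dumps({
    "id": 1, "error": None,
    "result": {
        "repo_name": "example/repo",
        "followers": [{
            "active": True, "admin": True,
            "api_key": "f5xxxxxxxx9c", "api_keys": ["f5xxxxxxxx9c"],
            "email": "user.name@company.com",
            "emails": ["user.name@company.com"],
            "extern_name": "username", "extern_type": "pam",
            "firstname": "User", "ip_addresses": [],
            "last_login": "2015-02-08T18:17:39", "lastname": "Name",
            "user_id": 3, "username": "username",
        }],
    },
})

# Constructed sample: an assumed hardened response carrying only public
# identity fields for each follower.
SAMPLE_FIXED = json.dumps({
    "id": 1, "error": None,
    "result": {
        "repo_name": "example/repo",
        "followers": [{"user_id": 3, "username": "username",
                       "firstname": "User", "lastname": "Name",
                       "active": True}],
    },
})

if __name__ == "__main__":
    print("vulnerable:", scan_response(SAMPLE_VULNERABLE))
    print("fixed:     ", scan_response(SAMPLE_FIXED))
```

Feed it the raw body of a get_repo call made by a low-privileged account; any non-empty result means the instance is still unpatched or the workaround is not in effect.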

Impact

The exposed information allows an attacker to track users and to access repositories using their API keys. If such a user also has administrator rights, the attacker can gain full administrator access to the Kallithea instance.

Workaround

Users are advised to remove the API controller so that potential attackers cannot reach the API at all. This can be done by deleting or commenting out lines 458-460 of kallithea/config/routing.py. Alternatively, block or restrict access to the /_admin/api URLs in the configuration of the web server or a front-end reverse proxy. Note that either workaround disables the whole JSON-RPC API, not only get_repo, so any tooling that relies on it will stop working until the patch is applied.

A patch removing the API controller route looks like this:

diff --git a/kallithea/config/routing.py b/kallithea/config/routing.py
--- a/kallithea/config/routing.py
+++ b/kallithea/config/routing.py
@@ -455,9 +455,6 @@ def make_map(config):
     #==========================================================================
     # API V2
     #==========================================================================
-    with rmap.submapper(path_prefix=ADMIN_PREFIX,
-                        controller='api/api') as m:
-        m.connect('api', '/api')

     #USER JOURNAL
     rmap.connect('journal', '%s/journal' % ADMIN_PREFIX,
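Review bot: the three removed lines leave the "API V2" banner comment heading an empty block, and nothing in the file records why the route is gone, so a later merge or upgrade can silently reinstate `m.connect('api', '/api')`. Replace the removed lines with a one-line comment stating that the `/api` route under ADMIN_PREFIX is deliberately disabled for CVE-2015-0260 (or drop the banner together with the route), and after deploying verify that a request to /_admin/api now returns a 404 rather than a JSON-RPC error.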

Resolution

The Kallithea project has released a patch that fixes this issue by removing the sensitive information from API responses. Users are strongly recommended to apply it. The patch applies to both the 0.1 release and the latest Mercurial tip.

Unfortunately, the patch disables some of the API functionality in which the information exposure occurred. We will continue looking for a solution that prevents unauthorised access and at the same time does not break existing API functionality, and will notify users as soon as one is available.

Users are also advised to reset or remove all existing API keys from the database, since existing keys may already have been harvested. For SQLite or PostgreSQL backends, one way to do so is to run the following SQL statements (note that '||' is the standard SQL concatenation operator; on MySQL it means logical OR unless PIPES_AS_CONCAT is enabled, so use CONCAT() there):

update users set api_key='disabled-'||random();
update user_api_keys set api_key='disabled-'||random();
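The following is an added example, not part of this notice: it runs the two statements above against an in-memory SQLite database that stands in for the users and user_api_keys tables, then verifies that no old key survives, that every stored key carries the disabled- marker, and that the replacement values are distinct. The table layout is an assumed minimum (only the columns the statements touch) and the inserted rows are constructed placeholders, not real keys.

```python
import sqlite3

# The two statements from the notice, run verbatim.
ROTATE_SQL = [
    "update users set api_key='disabled-'||random();",
    "update user_api_keys set api_key='disabled-'||random();",
]


def make_sample_db():
    """In-memory stand-in for the two tables. Assumed minimal schema:
    only the columns the rotation statements use are modelled."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table users (
            user_id integer primary key, username text, api_key text);
        create table user_api_keys (
            user_api_key_id integer primary key, user_id integer, api_key text);
        -- constructed placeholder rows
        insert into users values (1, 'admin',    'aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111');
        insert into users values (3, 'username', 'f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f59c');
        insert into user_api_keys values (1, 3, 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef');
        insert into user_api_keys values (2, 3, 'cafebabecafebabecafebabecafebabecafebabe');
    """)
    return db


def all_keys(db):
    """Every api_key value currently stored in either table."""
    rows = db.execute("select api_key from users").fetchall()
    rows += db.execute("select api_key from user_api_keys").fetchall()
    return [r[0] for r in rows]


def rotate_keys(db):
    """Run the notice's statements in one transaction; return (before, after)."""
    before = all_keys(db)
    with db:  # commits on success, rolls back if a statement fails
        for stmt in ROTATE_SQL:
            db.execute(stmt)
    return before, all_keys(db)


def verify_rotation(before, after):
    """True only if no old key survives, every new key is marked disabled-,
    and the new keys are distinct (random() can in principle collide)."""
    survived = set(before) & set(after)
    unmarked = [k for k in after if not k.startswith("disabled-")]
    duplicated = len(after) != len(set(after))
    return not survived and not unmarked and not duplicated


if __name__ == "__main__":
    before, after = rotate_keys(make_sample_db())
    print("rotation verified:", verify_rotation(before, after))
    for key in after:
        print(" ", key)
```

Users who relied on the rotated keys must generate new ones afterwards; the disabled- prefix makes any key that still turns up in logs or client configuration easy to recognise as a revoked one.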

Affected versions

The issue is present in all Kallithea versions available at the time of this notice. It also affects the publicly available versions of RhodeCode that support the JSON-RPC API interface.

References

  1. CVE-2015-0260 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0260

  2. Kallithea: Security Notice CVE-2015-0260 https://kallithea-scm.org/security/cve-2015-0260.html

  3. Patch for the issue https://kallithea-scm.org/security/cve-2015-0260.patch

  4. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/5923d74742879b812965568475e21c3496d722a9