CVE-2026-27477
Server-Side Request Forgery in Mastodon FASP Feature
Publication date: 2026-02-24
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joinmastodon | mastodon | From 4.4.0 (inc) to 4.4.14 (exc) |
| joinmastodon | mastodon | From 4.5.0 (inc) to 4.5.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Mastodon servers that have enabled the experimental FASP feature. An unauthenticated attacker can register a FASP with a maliciously crafted base_url that includes or resolves to a local or internal network address. This causes the Mastodon server to make HTTP(S) requests to internal systems. Although the attacker cannot control the full URL requested or see the response, this behavior can potentially trigger vulnerabilities or undesired actions on those internal systems. The issue is a Server-Side Request Forgery (SSRF) vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Mastodon servers that have enabled the experimental FASP feature by setting the environment variable EXPERIMENTAL_FEATURES to include "fasp". Detection involves verifying if your Mastodon server is running a vulnerable version (4.4.0 through 4.4.13 or 4.5.0 through 4.5.6) and if the experimental FASP feature is enabled.

You can check the environment variable with a command like:

- `echo $EXPERIMENTAL_FEATURES`

To detect if the vulnerable FASP registration is being exploited, monitor outgoing HTTP(S) requests from the Mastodon server to internal or local IP addresses, which should not normally occur.

For example, you can use network monitoring tools or commands such as:

- `sudo tcpdump -i <interface> net 10.0.0.0/8 or net 192.168.0.0/16 or net 172.16.0.0/12`
- `sudo netstat -anp | grep mastodon`

Additionally, reviewing Mastodon logs for FASP registration attempts with suspicious base_url values that resolve to local/internal addresses can help detect exploitation.
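The answer above describes the defensive check that is missing in the vulnerable versions: before a server-side component connects to an attacker-supplied `base_url`, the URL's scheme, host and every address the host resolves to must be screened against loopback, private and link-local ranges (the CWE-918 pattern). The following Ruby is an added illustration written for this page, not Mastodon's own code or its actual fix; `classify_base_url`, `blocked_address?`, `suspicious_registrations`, the stubbed DNS table and the sample registration records are all constructed here, and the example assumes registrations are only accepted over https. The same function doubles as a triage tool for reviewing already-recorded registrations, which is the log-review step mentioned above.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Address ranges a server-side fetcher must never be pointed at: "this host",
# RFC 1918 private space, CGNAT, loopback, link-local and the IPv6 equivalents.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True if the address falls in a blocked range. IPv4-mapped IPv6 addresses
# (::ffff:10.0.0.1) are unwrapped first so they cannot slip past the IPv4 list.
def blocked_address?(addr)
  addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.family == addr.family && range.include?(addr) }
end

# Default resolver: every A/AAAA record for the host. The constructed examples
# below inject a stub instead so the check runs offline.
def default_resolve(host)
  Resolv.getaddresses(host)
end

# Classify an externally supplied base_url before the server ever connects to it.
# Returns [:allow, detail] or [:reject, reason]. Assumption (not from the page):
# registrations are only accepted over https.
def classify_base_url(base_url, resolver: method(:default_resolve))
  uri = begin
    URI.parse(base_url.to_s)
  rescue URI::InvalidURIError
    nil
  end
  return [:reject, 'unparseable URL'] if uri.nil? || uri.hostname.nil? || uri.hostname.empty?
  return [:reject, "scheme #{uri.scheme.inspect} is not https"] unless uri.scheme == 'https'

  host = uri.hostname # brackets already stripped for IPv6 literals
  literal = begin
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    nil
  end
  # A host that resolves to a mix of public and private records is rejected
  # outright: any single blocked record is enough to reach an internal system.
  addresses = literal ? [literal] : resolver.call(host).map { |a| IPAddr.new(a) }
  return [:reject, "#{host} does not resolve"] if addresses.empty?

  bad = addresses.find { |a| blocked_address?(a) }
  return [:reject, "#{host} resolves to blocked address #{bad}"] if bad

  [:allow, "#{host} -> #{addresses.join(', ')}"]
end

# Detection view of the same check: given registration records (for example an
# export of stored FASP providers), return those whose base_url would be rejected.
def suspicious_registrations(records, resolver: method(:default_resolve))
  records.select { |r| classify_base_url(r[:base_url], resolver: resolver).first == :reject }
end

# Constructed stand-in for DNS so the example runs offline; these are not real hosts.
STUB_DNS = {
  'fasp.example.org' => ['203.0.113.10'],
  'evil.example.net' => ['203.0.113.20', '10.0.0.5'] # one public and one private record
}.freeze
STUB_RESOLVER = ->(host) { STUB_DNS.fetch(host, []) }

# Constructed registration records, not taken from any real server.
SAMPLE_REGISTRATIONS = [
  { name: 'good',     base_url: 'https://fasp.example.org/' },
  { name: 'plain',    base_url: 'http://fasp.example.org/' },
  { name: 'loop',     base_url: 'https://127.0.0.1:3000/' },
  { name: 'mapped',   base_url: 'https://[::ffff:10.1.2.3]/' },
  { name: 'rebind',   base_url: 'https://evil.example.net/' },
  { name: 'nxdomain', base_url: 'https://unknown.example/' }
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REGISTRATIONS.each do |r|
    verdict, detail = classify_base_url(r[:base_url], resolver: STUB_RESOLVER)
    puts format('%-9s %-7s %s', r[:name], verdict, detail)
  end
end
```

Resolving the host and screening every returned record is what makes this more than a string filter: a hostname that looks public but carries an internal A record is caught at the same point as a bare `127.0.0.1`. For a production fetcher the resolved address should also be the one actually connected to, otherwise a second lookup at connect time can return a different answer.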
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update your Mastodon server to a fixed version: 4.4.14 or later, or 4.5.7 or later, which include patches addressing this vulnerability.

If you are actively testing the experimental FASP feature (enabled via the EXPERIMENTAL_FEATURES environment variable including "fasp"), you should either:

- Disable the experimental FASP feature by removing "fasp" from the EXPERIMENTAL_FEATURES environment variable until you can update.
- Or immediately upgrade to a patched Mastodon release that includes the fix.

Servers not using the experimental FASP feature are not affected and do not require action.
How can this vulnerability impact me?
If your Mastodon server has the experimental FASP feature enabled, an attacker could exploit this vulnerability to make your server send requests to internal or local network addresses. This could lead to triggering vulnerabilities or unintended behavior in internal systems that your server can reach. While the attacker cannot see the responses or fully control the requested URLs, the forced requests themselves could cause security issues or disruptions within your internal network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know