CVE-2026-47179
Path Traversal in Arcane Docker Management Interface
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getarcaneapp | arcane | 1.19.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Arcane, an interface for managing Docker containers and related resources. Before version 1.19.4, the application allowed an authenticated user to exploit a path traversal flaw in Docker Compose include directives. Specifically, the ProjectService.GetProjectFileContent function returned the contents of any included file before validating the file path, and ProjectService.CreateProject wrote attacker-supplied compose content to disk without validating include paths.
An attacker could create a project with a malicious compose file that includes a path like '../../../../etc/passwd', allowing them to read arbitrary files accessible by the Arcane backend process. This includes sensitive files such as the SQLite database containing user password hashes and API keys. This unauthorized file read can lead to privilege escalation to admin and remote code execution on the host via Docker control.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized disclosure of sensitive information and system compromise. An attacker with low-privilege authentication can read any file accessible by the Arcane backend, including critical files like the user database containing password hashes and API keys.
With access to these credentials, the attacker can escalate privileges to admin level within Arcane. Furthermore, because Arcane controls Docker on the host, the attacker can achieve remote code execution (RCE) on the host system, potentially compromising the entire host environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsafe file inclusion in Docker Compose files managed by the Arcane application, allowing an authenticated user to read arbitrary files via path traversal in include directives.
To detect exploitation attempts or presence of this vulnerability, you can look for projects created with Docker Compose files containing suspicious include directives that reference paths outside the project directory, such as '../../../../etc/passwd'.
Since the flaw lies in how Arcane handles the contents of Docker Compose include directives, detection means inspecting project compose files and API calls to ProjectService.GetProjectFileContent.
- Check for Docker Compose files or project configurations that include external paths using commands like: grep -r "include:" /path/to/arcane/projects
- Monitor API requests to the Arcane backend for calls to ProjectService.GetProjectFileContent that request files outside the project directory.
- Audit Arcane project directories for unexpected or suspicious files or symlinks that could indicate path traversal attempts.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Arcane version 1.19.4 by introducing strict validation of include paths in Docker Compose files to prevent directory traversal and unauthorized file access.
Immediate mitigation steps include:
- Upgrade Arcane to version 1.19.4 or later, which contains the fix that validates and restricts include paths to within the project directory.
- Restrict access to the Arcane application to trusted authenticated users only, as the attack requires authentication.
- Audit existing projects for malicious Docker Compose include directives that reference files outside the project directory and remove or correct them.
- Monitor and restrict API usage related to project file content retrieval to detect and prevent unauthorized file reads.
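The check the fix describes, written here as an added example in Go rather than taken from the Arcane code base: each compose include entry is resolved against the project directory and rejected when it escapes it, both on the cleaned lexical path and again after following symlinks. The function name ResolveInclude and the sample project path are assumptions of this example, not names from Arcane.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)
// ErrOutsideProject is returned for any include entry that would escape the project directory.
var ErrOutsideProject = errors.New("include path resolves outside the project directory")

// ResolveInclude maps one compose include entry to an absolute path under projectDir, rejecting
// anything that escapes it: first on the cleaned lexical path (catches "../../../../etc/passwd"),
// then on the symlink-resolved path (catches a link planted inside the project that points at,
// say, the SQLite database). A file that does not exist yet passes, since project creation may write it.
func ResolveInclude(projectDir, include string) (string, error) {
	if filepath.IsAbs(include) {
		return "", fmt.Errorf("%w: absolute include %q", ErrOutsideProject, include)
	}
	root, err := filepath.Abs(projectDir)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(root, include) // Join runs Clean, which collapses ".." segments
	if !insideRoot(root, candidate) {
		return "", fmt.Errorf("%w: %q", ErrOutsideProject, include)
	}
	resolved, err := filepath.EvalSymlinks(candidate)
	if errors.Is(err, os.ErrNotExist) {
		return candidate, nil // not created yet; the lexical check above is all that applies
	}
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	if !insideRoot(realRoot, resolved) {
		return "", fmt.Errorf("%w (via symlink): %q", ErrOutsideProject, include)
	}
	return resolved, nil
}
// insideRoot reports whether p equals root or lies beneath it; both must be absolute and clean.
func insideRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}
func main() { // constructed sample; the project path is a placeholder, not a real deployment
	fmt.Println(ResolveInclude("/srv/arcane/projects/demo", "../../../../etc/passwd"))
}
```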