Executive Summary

This vulnerability is a broken access control flaw in the GoClaw software up to version 3.11.3. It occurs in the handleSave function of the internal/http/tts_config.go file within the RoleAdmin Gateway component. The issue allows an unprivileged user with Viewer access to bypass tenant-level role verification and gain administrative privileges (RoleAdmin) improperly.

Specifically, when a request authenticates via the Web Gateway Token, the system mistakenly grants RoleAdmin permissions to any authenticated user within the tenant, even those who should only have read-only access. This happens because the requireTenantAdmin() check was omitted in certain endpoints like the TTS configuration and storage actions.

As a result, a Viewer can modify, delete, or upload administrative tenant configurations such as Text-to-Speech settings and storage files without proper authorization. The vulnerability is remotely exploitable and an exploit has been published.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several serious impacts if exploited:

• Unauthorized modification or deletion of critical tenant configurations, including Text-to-Speech settings and storage files.
• Privilege escalation from Viewer to RoleAdmin, allowing attackers to perform administrative actions without permission.
• Potential system disruption such as Denial of Service (DoS).
• Possibility of Server-Side Request Forgery (SSRF) attacks.
• Data deletion or unauthorized file traversal attacks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if unprivileged tenant members with Viewer access are able to modify, delete, or upload administrative tenant configurations such as Text-to-Speech (TTS) settings and storage files. Detection involves verifying whether the gateway authentication token improperly grants RoleAdmin permissions to users who should only have Viewer access.

One approach is to attempt to reproduce the exploit using the provided Python scripts that demonstrate unauthorized modifications to TTS settings and storage configurations. Monitoring API requests to the GoClaw server for unauthorized configuration changes can also help detect exploitation.

Specific commands are not detailed in the provided resources, but you can monitor network traffic for suspicious API calls to endpoints related to TTS configuration or storage, especially those authenticated via the GOCLAW_GATEWAY_TOKEN.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading GoClaw to a version later than 3.11.3 where this vulnerability has been patched.

If upgrading is not immediately possible, restrict or disable the use of the GOCLAW_GATEWAY_TOKEN to prevent unauthorized privilege escalation.

Additionally, review and tighten access controls on tenant configurations, especially for TTS settings and storage endpoints, to ensure that requireTenantAdmin() checks are properly enforced.

Monitor logs and API usage for suspicious activity indicative of privilege escalation attempts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in GoClaw allows an unprivileged tenant member with Viewer access to escalate privileges to RoleAdmin and modify or delete critical administrative configurations without proper authorization.

Such improper privilege management and unauthorized access could lead to unauthorized data modification or deletion, potentially impacting the confidentiality, integrity, and availability of sensitive data.

This kind of security flaw may negatively affect compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Useful 0 Not Useful 0