Detection Guidance

This vulnerability involves symlinks within the Hermes WebUI workspace that resolve to files or directories outside the designated workspace root, allowing unauthorized file access.

To detect this vulnerability on your system, you can check if your Hermes WebUI version is prior to 0.51.221, as those versions are affected.

You can also inspect workspace directories for symlinks that point outside the workspace boundary. For example, using the following command in a Unix-like environment:

• find /path/to/workspace -type l -exec readlink -f {} \; | grep -v "^/path/to/workspace"

This command finds all symbolic links in the workspace and resolves their targets, then filters those that do not reside within the workspace directory, indicating potential symlink escapes.

Additionally, monitoring API calls or logs related to workspace file and listing APIs for attempts to access files outside the workspace may help detect exploitation attempts.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in Hermes WebUI versions prior to v0.51.221 and is a path traversal issue. It allows attackers to bypass the intended workspace boundaries by using symbolic links (symlinks) that point to files or directories outside the designated workspace root.

The vulnerability is exploited through the workspace file and listing APIs, which resolve symlink targets without verifying that the final resolved path remains within the workspace. This flaw enables attackers to access and read files on the host system that the server process can access.

As a result, attackers can disclose sensitive data such as SSH keys, cloud credentials, or application tokens stored outside the workspace.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious security impacts by allowing unauthorized access to sensitive files on the host system.

• Attackers can read sensitive information such as SSH keys, which could allow them to gain further unauthorized access to systems.
• Disclosure of cloud credentials could lead to compromise of cloud resources and data.
• Exposure of application tokens may allow attackers to impersonate legitimate users or services.

Overall, exploitation of this vulnerability can lead to data breaches, unauthorized access, and potential further compromise of systems.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to read external host files accessible to the server process, potentially disclosing sensitive data such as SSH keys, cloud credentials, or application tokens.

This unauthorized disclosure of sensitive information could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Hermes WebUI to version 0.51.221 or later, where this vulnerability has been fixed.

The fix enforces that resolved file paths remain within the workspace boundary, blocks symlink escapes, hides escaping symlinks from directory listings, and hardens the file API against race conditions.

If upgrading immediately is not possible, consider restricting access to the Hermes WebUI to trusted users only and avoid allowing untrusted workspaces that could contain malicious symlinks.

Also, audit and remove any symlinks within workspaces that point outside the workspace root to reduce risk.

Useful 0 Not Useful 0