Orionsec Orion-Ops Improper Authorization Vulnerability in MachineKeyController API
Vulnerability
A vulnerability exists in Orionsec Orion-Ops server component versions up to master commit 5925824997a3109651bbde07460958a7be249ed1. The issue is located in the MachineKeyController of the API component, specifically in the orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineKeyController.java file. The flaw is improper authorization: any logged-in user can access sensitive information. The affected API endpoints do not properly validate user roles, allowing unauthorized access to SSH key data. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows unauthorized users to download all registered SSH private keys from the Orion-Ops server. This access could be used to impersonate the automation server when connecting to production hosts, bypass any protections implemented by Orion-Ops, and further pivot within the victim's infrastructure.
Reproduction
To reproduce this vulnerability, authenticate as a non-admin user and request the 'POST /orion/api/machine-key/list' endpoint to collect SSH key IDs. Then, generate a download token using the 'POST /orion/api/file-download/token' endpoint with the collected key ID. Finally, download the private key via the 'GET /orion/api/file-download/{token}/exec' endpoint.
Remediation
It is recommended to restrict access to all machine key management APIs to administrator roles only. Additionally, when issuing download tokens, verify that the requesting user is authorized to access the specific key and enforce this check again when executing the download. Consider encrypting stored keys with a hardware-backed secret to prevent the API layer from returning raw key material to clients.
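The following is an added example, not Orion-Ops code, showing the remediation pattern described above in plain Java: the key-listing call is restricted to administrators, a download token is bound to the user who requested it and to one specific key id, and every check is repeated when the token is executed. The class, method and field names, the in-memory token store and the ownership table are assumptions for illustration; a real deployment would back them with its own user and key repositories.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical illustration (not Orion-Ops code) of authorizing machine-key
// downloads at all three steps: list, token issuance, and token execution.
public class KeyDownloadAuthz {

    public enum Role { ADMIN, USER }

    public record User(long id, Role role) {}

    public static final class Forbidden extends RuntimeException {
        public Forbidden(String msg) { super(msg); }
    }

    // A token remembers who it was issued to, for which key, and when it expires.
    private record TokenRecord(long userId, long keyId, long expiresAtMillis) {}

    // Constructed sample data: machine key id -> id of the admin who owns it.
    private final Map<Long, Long> keyOwner = Map.of(1L, 100L, 2L, 101L);
    private final Map<String, TokenRecord> tokens = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private static final long TOKEN_TTL_MILLIS = 60_000;

    private static void requireAdmin(User caller) {
        if (caller.role() != Role.ADMIN) {
            throw new Forbidden("administrator role required");
        }
    }

    // Assumed policy: an admin may only download keys that are registered to them.
    private void requireKeyAccess(User caller, long keyId) {
        Long owner = keyOwner.get(keyId);
        if (owner == null || owner != caller.id()) {
            throw new Forbidden("user " + caller.id() + " may not access key " + keyId);
        }
    }

    // Step 1: listing keys is an administrative operation.
    public Map<Long, Long> listKeys(User caller) {
        requireAdmin(caller);
        return keyOwner;
    }

    // Step 2: a token is only issued after role and per-key authorization pass,
    // and it is bound to this caller and this key.
    public String issueToken(User caller, long keyId) {
        requireAdmin(caller);
        requireKeyAccess(caller, keyId);
        byte[] buf = new byte[32];
        random.nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        tokens.put(token, new TokenRecord(caller.id(), keyId,
                System.currentTimeMillis() + TOKEN_TTL_MILLIS));
        return token;
    }

    // Step 3: executing the download repeats every check. The token is single-use,
    // must not be expired, and must be presented by the user it was issued to.
    public long exec(User caller, String token) {
        TokenRecord rec = tokens.remove(token);
        if (rec == null || rec.expiresAtMillis() < System.currentTimeMillis()) {
            throw new Forbidden("invalid or expired download token");
        }
        if (rec.userId() != caller.id()) {
            throw new Forbidden("token was issued to a different user");
        }
        requireAdmin(caller);
        requireKeyAccess(caller, rec.keyId());
        return rec.keyId(); // the real handler would stream the key material here
    }

    public static void main(String[] args) {
        KeyDownloadAuthz authz = new KeyDownloadAuthz();
        User admin = new User(100L, Role.ADMIN);
        User regular = new User(200L, Role.USER);

        String token = authz.issueToken(admin, 1L);
        System.out.println("admin downloaded key " + authz.exec(admin, token));

        try {
            authz.listKeys(regular);
        } catch (Forbidden e) {
            System.out.println("non-admin list rejected: " + e.getMessage());
        }
        try {
            authz.exec(regular, authz.issueToken(admin, 1L));
        } catch (Forbidden e) {
            System.out.println("token replay by another user rejected: " + e.getMessage());
        }
    }
}
```

Binding the token to both the user and the key id is what closes the gap described in the advisory: even if a token leaks, it cannot be redeemed by a different account, and the per-key authorization check at exec time means a change in role or ownership between issuance and download is honoured.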