Orionsec Orion-Ops Server-Side Request Forgery Vulnerability in SSH Connection Handler

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Orionsec Orion-Ops versions up to master commit 5925824997a3109651bbde07460958a7be249ed1. The issue resides in the SSH Connection Handler, specifically within the MachineInfoController.java file. The vulnerability arises because the controller accepts user-supplied parameters—host, sshPort, username, password, and authType—without proper validation. This allows authenticated users to manipulate these arguments and coerce the server into initiating SSH connections to internal addresses, effectively probing the internal network for open ports and accessible services.

Impact

Exploitation of this vulnerability allows authenticated users to map the internal network from the Orion-Ops server, discover open ports, and interact with otherwise inaccessible services. It could also be combined with protocol smuggling to target internal systems.

Reproduction

To reproduce this vulnerability, authenticate as any non-admin user and send a POST request to the '/orion/api/machine/direct-test-connect' endpoint. Include a JSON body with the 'host' set to an internal IP address, 'sshPort' set to 22, and valid 'username' and 'password' credentials. A quick 'success' response indicates the port is open, while an error or timeout suggests it is closed. This process can be repeated with different internal addresses to map the network.

Remediation

It is recommended to restrict the direct test endpoints to administrators only. Additionally, ensure that the target host is an existing machine entry owned by the user, and reject private or non-routable addresses unless explicitly whitelisted. Consider performing connectivity checks asynchronously on the managed agent instead of from the management server.
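
The address check from the remediation above, sketched in Java as an added example; it is not Orion-Ops code and covers only the "reject private or non-routable addresses unless explicitly whitelisted" step. The class name SshTargetValidator, the allowlist entry and the sample addresses are assumptions made for illustration.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;

public class SshTargetValidator {
    // Hypothetical operator-managed allowlist (constructed value).
    private static final Set<String> ALLOWLIST = Set.of("10.20.0.15");

    /** True when the address is loopback, private, link-local or otherwise non-routable. */
    static boolean isInternal(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        if (a instanceof Inet6Address) {
            return (b[0] & 0xfe) == 0xfc;            // fc00::/7 unique local
        }
        int b0 = b[0] & 0xff, b1 = b[1] & 0xff;
        return b0 == 0                                // 0.0.0.0/8
                || (b0 == 100 && (b1 & 0xc0) == 64);  // 100.64.0.0/10 shared address space
    }

    /** Resolves once and returns the IP to connect to, so check and connection use the same address. */
    static InetAddress resolveAllowed(String host, int port) throws UnknownHostException {
        if (port < 1 || port > 65535) throw new IllegalArgumentException("invalid port");
        InetAddress[] resolved = InetAddress.getAllByName(host);
        for (InetAddress a : resolved) {
            // Reject when any resolved record is internal and not allowlisted.
            if (isInternal(a) && !ALLOWLIST.contains(a.getHostAddress())) {
                throw new SecurityException("target not permitted: " + host);
            }
        }
        return resolved[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; IP literals are parsed without a DNS query.
        for (String h : new String[] {"127.0.0.1", "192.168.1.10", "169.254.169.254",
                "100.64.0.1", "fd00::1", "::ffff:10.0.0.1", "10.20.0.15", "203.0.113.10"}) {
            try {
                System.out.println(h + " -> " + resolveAllowed(h, 22).getHostAddress());
            } catch (SecurityException e) {
                System.out.println(h + " -> rejected");
            }
        }
    }
}
```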

Added: Dec 1, 2025, 6:17 AM
Updated: Dec 1, 2025, 6:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 6.6
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.