Cloud Foundry BOSH Director
- Affected versions: < v282.1.12
A vulnerability exists in Cloud Foundry BOSH Director versions prior to v282.1.12 that allows arbitrary read and delete operations through the local blobstore. When the director processes long-running requests, the agent's response can be manipulated to include paths that escape the blobstore root. Exploitation could lead to unauthorized access to sensitive files and disruption of the director's operations.
Exploitation of this vulnerability could result in unauthorized access to and deletion of files on the BOSH Director, potentially including sensitive information. Such actions could disrupt the normal functioning of the director, with repeated exploitation leading to more severe consequences.
To reproduce this vulnerability, an attacker must have code execution on a BOSH-managed VM and control over the agent's responses to the director. This can be achieved by having root access on a deployed instance or by publishing on the agent's NATS reply subject. Once in this position, the attacker can intercept an in-flight 'compile_package' task and modify the response to include a 'blobstore_id' that points to a file outside the blobstore root. When the director processes this response, it will inadvertently expose the specified file through the 'compile_log_id' mechanism, allowing the attacker to read its contents and delete the original file, thereby exfiltrating secrets and potentially disrupting the director's operations.
Users are advised to upgrade BOSH Director to version 282.1.12 or later. Additionally, monitoring BOSH Director task logs for unusual file access patterns, implementing network segmentation to limit VM communication, and reviewing NATS topic permissions can help mitigate this vulnerability.
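For the log-monitoring step, the sketch below flags agent replies whose 'blobstore_id' or 'compile_log_id' would resolve outside the blobstore root. It is an added example, not code from BOSH or from the fix in 282.1.12; the root path, the reply layout and the function names are assumptions made for illustration.

```ruby
require 'json'

# Constructed placeholder; the real blobstore root depends on the deployment.
BLOBSTORE_ROOT = '/srv/example-blobstore'

# Reply fields that name blobstore objects (both are mentioned in the advisory).
ID_FIELDS = %w[blobstore_id compile_log_id].freeze

# Returns the absolute path an object id maps to, or nil when the id is not a
# usable string or resolves outside the root. The check is lexical: it does not
# follow symlinks that may exist inside the root.
def contained_blob_path(root, id)
  return nil unless id.is_a?(String) && !id.empty? && !id.include?("\0")

  root = File.absolute_path(root)
  # absolute_path collapses ".." and keeps absolute ids absolute, without "~" expansion
  path = File.absolute_path(id, root)
  # The trailing separator stops a sibling such as "<root>-other" from matching
  path.start_with?(root + File::SEPARATOR) ? path : nil
end

# Walks a JSON reply of any nesting depth and returns [field, value] pairs
# whose value would escape the blobstore root.
def suspicious_ids(reply_json, root = BLOBSTORE_ROOT)
  found = []
  walk = lambda do |node|
    case node
    when Hash
      node.each do |key, value|
        found << [key, value] if ID_FIELDS.include?(key) && contained_blob_path(root, value).nil?
        walk.call(value)
      end
    when Array
      node.each { |value| walk.call(value) }
    end
  end
  walk.call(JSON.parse(reply_json))
  found
end

# Constructed sample replies (assumed layout, not captured traffic).
SAMPLE_OK  = '{"value":{"result":{"blobstore_id":"3f1c9a52-0000","compile_log_id":"7b2e44d1-0000"}}}'
SAMPLE_BAD = '{"value":{"result":{"blobstore_id":"../../etc/example-secret","compile_log_id":"7b2e44d1-0000"}}}'

[SAMPLE_OK, SAMPLE_BAD].each do |reply|
  hits = suspicious_ids(reply)
  puts(hits.empty? ? 'ok' : "ALERT: #{hits.inspect}")
end
```

The same containment check can be applied at the point where an agent-supplied id is turned into a file path, so an escaping id is rejected before any read or delete.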