Cloud Foundry BOSH Director Arbitrary Blobstore Deletion Vulnerability

Vulnerability

A vulnerability in Cloud Foundry BOSH Director, all versions prior to v282.1.12, allows a compromised virtual machine (VM) to delete arbitrary data from the shared blobstore. The issue arises because the ResourceManager does not validate blobstore IDs before executing delete commands, so an attacker with root access on a VM can manipulate blobstore data without any ownership check. The vulnerability is triggered by responding to Director requests with crafted messages that carry the blobstore IDs of targeted data; the Director then fetches those IDs and deletes the corresponding objects from the blobstore.
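As an added illustration (not BOSH Director's own code) of the missing check described above, the following Ruby model contrasts a resource manager that deletes whatever blob ID an agent reports with one that only deletes IDs the Director itself issued to that agent. The class names, the Hash-backed blobstore and the sample VM and blob IDs are all constructed for this example.

```ruby
require 'set'

# Vulnerable shape: whatever blobstore ID the agent reports back is deleted.
# The blobstore is modelled as a plain Hash of blob_id => contents.
class UnvalidatedResourceManager
  def initialize(blobstore, _issued)
    @blobstore = blobstore
  end

  def release(_agent_id, reported_id)
    @blobstore.delete(reported_id)
    true
  end
end

# Hardened shape: the Director remembers which blob IDs it handed to each
# agent and refuses (and records) any delete request outside that set.
class ValidatingResourceManager
  attr_reader :rejected

  def initialize(blobstore, issued)
    @blobstore = blobstore
    @issued = issued      # agent_id => Set of blob IDs issued to that agent
    @rejected = []        # audit trail a detection rule could alert on
  end

  def release(agent_id, reported_id)
    unless @issued.fetch(agent_id, Set.new).include?(reported_id)
      @rejected << [agent_id, reported_id]
      return false
    end
    @blobstore.delete(reported_id)
    @issued[agent_id].delete(reported_id)
    true
  end
end

# Constructed scenario: a compromised vm-a reports vm-b's blob ID.
# Returns [delete accepted?, blob IDs still present in the store].
def run_scenario(manager_class)
  store = { 'blob-a1' => 'a', 'blob-b1' => 'b' }
  issued = { 'vm-a' => Set['blob-a1'], 'vm-b' => Set['blob-b1'] }
  manager = manager_class.new(store, issued)
  accepted = manager.release('vm-a', 'blob-b1')
  [accepted, store.keys.sort]
end
```

The unvalidated manager loses vm-b's blob on vm-a's say-so, while the validating manager keeps the store intact and leaves a record of the rejected request that monitoring can pick up.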

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of blobstore data, potentially disrupting applications that rely on the deleted resources.

Reproduction

To reproduce this vulnerability, an attacker must first gain root access on a VM within a Cloud Foundry deployment. From the compromised VM, the attacker responds to Director requests with messages that include valid blobstore IDs belonging to other resources. If the Director is configured to use a local blobstore, the attacker can additionally exploit the vulnerability to read and exfiltrate file contents from the Director's configuration files before deleting them.

Remediation

Users are advised to upgrade BOSH Director to version v282.1.12 or later. Additionally: implement strict network segmentation between deployment VMs and the Director; monitor blobstore operations for suspicious deletion patterns; consider isolating critical deployments on dedicated BOSH Directors; and apply additional access controls on blobstore operations.

Added: May 27, 2026, 8:53 AM
Updated: May 27, 2026, 8:53 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.6
remediation: 0.0
relevance: 9.7
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.