Tenable Terrascan
- <= 1.18.3
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Tenable Terrascan versions through v1.18.3. The issue arises in the remote directory scan endpoint when the application is running in server mode. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP URL as the remote_url parameter, with remote_type set to 'http'. The URL is forwarded to hashicorp/go-getter (v1.7.5) without proper validation. This exploitation allows the attacker's server to redirect the download to a file:// URL, facilitating local file read. Furthermore, the vulnerability is compounded by HttpGetter's Netrc set to true, which causes it to read credentials from the user's .netrc file and send them to attacker-controlled hosts. This vulnerability affects deployments of Terrascan running as a server, which listen on all interfaces without authentication.
Exploitation of this vulnerability allows for Server-Side Request Forgery, which can be used to read local files and exfiltrate credentials to an attacker-controlled server.
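The root cause described above is a user-supplied remote_url reaching the downloader without validation, and a redirect then steering the fetch to a non-http scheme or an internal host. The following Go code is an added example of the allowlist a server-mode scan endpoint should apply before and during a download; it is not Terrascan's or go-getter's code, uses only the standard library, and the resolver, the 5-hop cap and the sample URLs are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Resolver maps a hostname to its addresses. It is injectable so the checks can
// run offline; production code passes net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// ErrRejected is returned for any remote_url that fails the allowlist.
var ErrRejected = errors.New("remote_url rejected")

// ValidateRemoteURL accepts only absolute http/https URLs, with no embedded
// credentials, whose host resolves exclusively to public unicast addresses.
// file://, loopback, RFC 1918, link-local (cloud metadata) and multicast
// destinations are refused before any download starts.
func ValidateRemoteURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrRejected, err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return nil, fmt.Errorf("%w: scheme %q not allowed", ErrRejected, u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("%w: missing host", ErrRejected)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: userinfo in URL", ErrRejected)
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("%w: cannot resolve %q", ErrRejected, host)
	}
	for _, ip := range ips {
		if !isPublicUnicast(ip) {
			return nil, fmt.Errorf("%w: %q resolves to non-public address %s", ErrRejected, host, ip)
		}
	}
	return u, nil
}

// isPublicUnicast rejects the address classes an SSRF is typically aimed at.
func isPublicUnicast(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast())
}

// RedirectPolicy re-runs the same allowlist on every redirect hop, so a server
// answering with a Location that points at another scheme or an internal
// address cannot move the download there. The hop cap (5) is an assumption.
func RedirectPolicy(resolve Resolver) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		if len(via) >= 5 {
			return fmt.Errorf("%w: too many redirects", ErrRejected)
		}
		_, err := ValidateRemoteURL(req.URL.String(), resolve)
		return err
	}
}

// NewDownloadClient builds the http.Client a server-mode downloader should use.
func NewDownloadClient(resolve Resolver) *http.Client {
	return &http.Client{CheckRedirect: RedirectPolicy(resolve)}
}

// literalResolver accepts only IP literals, enough for the constructed inputs
// below and for offline tests; real deployments use net.LookupIP.
func literalResolver(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	return nil, errors.New("not an IP literal")
}

func main() {
	// Constructed sample inputs: the URL shapes the advisory describes plus one benign URL.
	for _, raw := range []string{
		"http://203.0.113.10/modules.zip",          // public host: allowed
		"file:///tmp/example.tf",                   // non-http scheme: refused
		"http://127.0.0.1:9010/",                   // loopback: refused
		"http://169.254.169.254/latest/meta-data",  // link-local metadata range: refused
		"http://user:pw@203.0.113.10/",             // userinfo: refused
	} {
		_, err := ValidateRemoteURL(raw, literalResolver)
		fmt.Printf("%-42s -> %v\n", raw, err)
	}
}
```

The client returned by NewDownloadClient is what the downloader's HTTP getter should be given, and the credential leak the advisory describes is closed separately by leaving the getter's Netrc option off for URLs that come from unauthenticated requests, so no .netrc entry is ever attached to a host the caller chose.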