Server Side Request Forgery Vulnerability in Ziti Console

An endpoint on the admin panel can be accessed without any form of authentication. This endpoint accepts a user-supplied URL parameter to connect to an OpenZiti Controller and performs a server-side request, resulting in a potential Server-Side Request Forgery (SSRF) vulnerability, as classified by OWASP. By exploiting this flaw, an attacker can force the server to make requests to arbitrary internal or external endpoints, including cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/ in AWS). Such behavior can lead to the exfiltration of sensitive information, including cloud instance metadata, credentials, and other critical internal data.

Due to its potential to compromise internal systems and exfiltrate sensitive cloud metadata as well as other information, this vulnerability is assessed as high severity. An attacker exploiting this SSRF flaw might gain unauthorized access to sensitive information and escalate privileges, which could result in a broader system compromise.

The fixed version (3.7.1) moves the request to the external controller from the server side to the client side, so the identity and network position of the node running the console can no longer be used to gain any additional permissions.

The OpenZiti project would like to thank DIABL0-SEC for reporting this issue and detailed information, enabling it to be resolved quickly.