Serious security vulnerabilities in the open-source app Rocket.Chat could allow an adversary to take over a server. The developers have deployed patches following the bug report.
Rocket.Chat App Vulnerabilities
Researchers from SonarSource found at least two vulnerabilities in the Rocket.Chat app that put its security at risk.
As explained, they detected NoSQL injection vulnerabilities that allowed an adversary to gain elevated privileges on a host server. This could further lead to a takeover of the entire server and arbitrary code execution.
To perform this critical attack, an attacker needed only one trivial thing: a user's email address.
Briefly, to exploit the bugs, an attacker would need the email address of an account with 2FA disabled. From there, the attack could proceed in two ways, each exploiting a different bug.
In the first approach, a blind NoSQL injection that leaks the password reset token (Rocket.Chat Security Issue 0025) lets the attacker take over the account by completing a password reset. While this would not give any elevated privileges (unless the email address belongs to an admin account), it would at least give the attacker access to the app's features. Moreover, exploiting this bug does not require an authenticated account.
Since that approach is noisy, the attacker could instead exploit another vulnerability (Rocket.Chat Security Issue 0026). This one is trickier and requires authentication, but it has more impact: it allows taking over an admin account and gaining remote code execution.
Technical details about the bugs are available in the researchers’ post.
Recommended Mitigations
As a mitigation for the first flaw, SonarSource recommended applying validation at every location that handles JSON user input.
The second type of vulnerability requires stricter validation, limiting the use of query operators and applying allowlists instead of blocklists.
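The two mitigations above, as an added illustration in JavaScript that is not Rocket.Chat's own code: type checks and key validation for plain JSON fields, and an operator allowlist for endpoints that legitimately take a filter object. The resetToken field name and the set of allowed operators are assumptions.

```javascript
// Added example, not Rocket.Chat's own code: input validation of the kind the
// mitigations above call for, applied before user-supplied JSON reaches a MongoDB query.

// Fields that must be plain scalars (an email address, a reset token) are checked
// by type, so an object supplied where a string is expected is rejected outright.
function requireString(value, name) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string, got ${typeof value}`);
  }
  return value;
}

// Reject any object whose keys (at any depth) start with "$" or contain ".",
// so that arbitrary JSON cannot carry query operators into a stored document.
function isPlainValue(value) {
  if (value === null || typeof value !== "object") return true;
  return Object.entries(value).every(
    ([key, child]) => !key.startsWith("$") && !key.includes(".") && isPlainValue(child)
  );
}

// Endpoints that legitimately accept a filter object get an allowlist of operators;
// every operator not on the list is refused, instead of maintaining a blocklist.
const ALLOWED_OPERATORS = new Set(["$eq", "$in"]);

function isAllowedFilter(filter) {
  if (filter === null || typeof filter !== "object") return true;
  return Object.entries(filter).every(([key, child]) => {
    if (key.includes(".")) return false;
    if (key.startsWith("$") && !ALLOWED_OPERATORS.has(key)) return false;
    return isAllowedFilter(child);
  });
}

// Hypothetical request handler shape: validate the body before building the query.
// The "resetToken" field name is an assumption, not Rocket.Chat's schema.
function buildResetLookup(body) {
  const token = requireString(body.token, "token");
  return { resetToken: token };
}
```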
The researchers found the bugs in Rocket.Chat version 3.12.1 and reported them to the vendor via HackerOne.
The vendor then patched the flaws and shipped fixes in versions 3.13.2, 3.12.4, and 3.11.4.
Thus, the bugs no longer remain a threat. Still, users should update their systems as soon as possible to avoid any mishap.