asie

Regarding CVE-2023-37261 (OC 1.8.3 released)

A security and bugfix release of OpenComputers, version 1.8.3, has been released for Minecraft 1.7.10 and 1.12.2.

It should be available on major mod distribution platforms within about an hour (this post will be updated accordingly).

This version contains a proper fix for CVE-2023-37261 (SSRF to cloud service metadata services (IMDS), e.g. on AWS, GCP or Azure, and to local IPv6 addresses, neither of which was blocked by default), as well as enhancements to the Internet Card's connection filtering system. As such, upgrading to this version is considered essential, in particular for server administrators.

Special thanks to Jonathan Leitschuh for bringing this issue to our attention.

A detailed write-up about the vulnerability can be found at this link - what follows is a simplified explanation.

The vulnerability concerns omissions in OpenComputers's packet filtering rules, in particular:

  • The list of "local" IPv4 addresses blocked in OpenComputers by default was incomplete, and did not cover many regions which do not belong to the public Internet, including typical metadata addresses used by cloud services.
  • OpenComputers's Internet Card featured no IPv6 address filtering mechanism whatsoever.

These two omissions allow an attacker to make HTTP and TCP requests on the server's local network (be it through the non-blocked IPv4 addresses or through IPv6 addresses) using a Computer with an Internet Card. Depending on the hosting provider used, other services available on the private network, and any potential other vulnerabilities, this can be used as a launching point for retrieving sensitive exploitation or probing

This issue affects every version of OpenComputers with an Internet Card. This includes versions for Minecraft 1.6.x, 1.8.9, 1.10.2 and 1.11.2, for which we cannot currently release satisfactory updated versions due to tooling limitations and time constraints.

The best solution is to update the mod to OpenComputers 1.8.3, if possible in your situation (you control the modpack and are on a supported Minecraft version). Users of the "GregTech: New Horizons" modpack will receive an update separately and are advised to follow the modpack's announcements. Other than that, here is a list of alternative mitigations that do not require an update:

  • (If you're using OpenComputers 1.2.x, please update. That version has many more long-patched holes.)
  • Using the allow list ("internet.whitelist") to explicitly list allowed domains and IPs.
  • Disabling the Internet Card completely.
  • Adding the following entries to the block list ("internet.blacklist" option). Note that "224.0.0.0/3" has a side effect of blocking all IPv6 accesses, due to the way IPv6 address handling is implemented in OpenComputers >= 1.3.0, <= 1.8.2:
      "100.64.0.0/10",
      "169.254.0.0/16",
      "192.0.0.0/24",
      "192.0.2.0/24",
      "198.18.0.0/15",
      "198.51.100.0/24",
      "203.0.113.0/24",
      "224.0.0.0/3"
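To make the two omissions concrete, here is an added example (my own code, not OpenComputers's Internet Card implementation) of an outbound-destination filter in Python. It contrasts a constructed, deliberately incomplete block list (RFC 1918 plus loopback, chosen by me as a stand-in for the kind of default list the advisory calls incomplete) with a list extended by the entries above, and shows the two checks a filter needs beyond a plain IPv4 range match: IPv6 must fail closed when no IPv6 rule exists, and IPv4-mapped IPv6 literals (`::ffff:a.b.c.d`) must be matched against the IPv4 rules. The IPv6 ranges (`::1/128`, `fe80::/10`, `fc00::/7`) are my assumption of sensible local ranges, not part of the advisory.

```python
import ipaddress

# Constructed "incomplete" block list: RFC 1918 ranges plus loopback only.
# This stands in for the kind of default list the advisory describes as
# incomplete; it is not OpenComputers' actual configuration.
INCOMPLETE_BLOCKLIST = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
]

# The entries the advisory recommends adding to "internet.blacklist".
ADVISORY_EXTRA_ENTRIES = [
    "100.64.0.0/10", "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
]

# IPv6 counterparts (assumption: chosen by me, not taken from the advisory):
# loopback, link-local and unique-local.
IPV6_LOCAL_ENTRIES = ["::1/128", "fe80::/10", "fc00::/7"]

COMPLETE_BLOCKLIST = INCOMPLETE_BLOCKLIST + ADVISORY_EXTRA_ENTRIES + IPV6_LOCAL_ENTRIES


def parse_networks(entries):
    """Parse CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def normalize(addr: str):
    """Parse an address literal; fold IPv4-mapped IPv6 back to IPv4.

    Without this step "::ffff:169.254.169.254" would only be compared against
    IPv6 rules and slip past every IPv4 entry in the block list.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_blocked(addr: str, blocklist, allowlist=(), deny_unfiltered_ipv6=True) -> bool:
    """Return True if a connection to the (already resolved) address must be refused.

    - If an allow list is configured it is authoritative: anything not listed is blocked.
    - Otherwise the block list decides; an IPv6 destination with no IPv6 rule at
      all is refused unless deny_unfiltered_ipv6 is turned off (the permissive
      behaviour this example exists to illustrate).
    """
    ip = normalize(addr)
    if allowlist:
        return not any(ip in net for net in parse_networks(allowlist))
    nets = parse_networks(blocklist)
    if any(ip in net for net in nets):          # cross-family membership is simply False
        return True
    if ip.version == 6 and deny_unfiltered_ipv6 and not any(n.version == 6 for n in nets):
        return True
    return False


def audit(addrs, blocklist, **kwargs):
    """Map each constructed sample address to its verdict under a given list."""
    return {addr: is_blocked(addr, blocklist, **kwargs) for addr in addrs}


if __name__ == "__main__":
    # Constructed sample destinations: a link-local metadata-style address, a
    # carrier-grade NAT address, an IPv6 link-local address, an IPv4-mapped
    # literal, and an arbitrary public address.
    samples = ["169.254.169.254", "100.64.0.1", "fe80::1",
               "::ffff:169.254.169.254", "1.2.3.4"]
    print("incomplete list, permissive IPv6:",
          audit(samples, INCOMPLETE_BLOCKLIST, deny_unfiltered_ipv6=False))
    print("complete list:", audit(samples, COMPLETE_BLOCKLIST))
```

Running the block shows the link-local, CGNAT and IPv6 samples all passing the incomplete list and all being refused by the complete one, while the arbitrary public address passes both. The function takes a resolved IP rather than a hostname on purpose: the check has to run on the address the socket will actually connect to, after name resolution, or the rules can be bypassed by whatever the name resolves to at connect time.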
