Apereo CAS actuator

Apereo CAS

During a mission, a DSecBypass pentester was confronted with the Java Apereo CAS software. It was possible to bypass software-managed SSO authentication by exploiting a Spring Boot Actuator configuration flaw.

Enterprise SSO – CAS provides a friendly open source community that actively supports and contributes to the project. Although the project is rooted in higher education open source, it has grown to reach an international audience spanning Fortune 500 companies and small special-purpose facilities.(https://www.apereo.org/projects/cas)

The code can be found on the project’s GitHub: https://github.com/apereo/cas.

It is an effectively active project, strongly represented in higher education establishments in France and internationally.

Spring Boot Actuator

Applications developed with the Java Spring MVC framework expose on their HTTP/HTTPS services an endpoint called actuator (Spring Boot Actuator). As the Spring documentation mentions, Actuator allows to monitor the health of the different services of the application and will expose all services by default. The developer has several possibilities to restrict access to these features:

  • Include Spring Security in your project to secure Actuator endpoints with Basic HTTP authentication
  • Setting up Spring so as to expose only a well-chosen list of functionalities
  • Block access to actuator features using front-end equipment (reverse proxy, application firewall)

Attacks on Actuator

One of the fundamental principles of computer security is to limit the attack surface. In particular, for web applications in production, it is strongly recommended to disable or restrict access to unnecessary features for the end user.

Actuator is one of those features that are not needed by the end user and should not be accessible. Indeed, some features are a direct threat to the security of the application:

  • heapdump – dumps the contents of the process memory (heap)
  • env – displays the value of application variables

The usual attack techniques are already covered in this article : https://www.veracode.com/blog/research/exploiting-spring-boot-actuators.

Exploiting a vulnerable Apereo CAS server

Apereo CAS is no exception and can also expose actuator endpoints by accessing the path “https://VULNERABLE_CAS/cas/actuator”. A description of the available endpoints can be found in the following file : https://github.com/apereo/cas/blob/master/docs/cas-server-documentation-processor/src/main/resources/actuators.properties

Although not common, some misconfigured CAS expose the actuator with the env or heapdump endpoints.

In the case of env, simply reading the returned values will sometimes yield database accounts, internal IPs and URLs, and other potentially sensitive parameters.

If heapdump is accessible, then CAS credentials can be retrieved from process memory using the following Linux command:

curl -s https://VULNERABLE_CAS/cas/actuator/heapdump | strings | grep -oE “username=(.*)&execution”

Be careful to perform these actions on applications that belong to you or for which you have received authorization to operate an intrusion test.

 

Securing Apereo CAS

Configuring Actuator endpoints is covered in the official documentation: https://apereo.github.io/cas/6.0.x/monitoring/Monitoring-Statistics.html.

It is mentionned that only info, status, health and configurationMetadata endpoints are exposed by default. You should therefore ensure that this is also the case in your application. In order to reduce the attack surface of Apereo CAS, it is also advisable not to expose the actuator URL (/cas/actuator/*) on the Internet and to configure the authentication to access it with the following parameter:

cas.monitor.endpoints.endpoint.status.access=AUTHENTICATED

🛡️ DSecBypass supports you in securing you applications during website pentests or external pentests, with quality services and significant experience in this type of service. Do not hesitate to contact us for additional information and/or a personalized quote 📝.