KASM-2024-0001 - Browser argument injection
A Kasm Go URL is a URL handed to an end user. When the user opens it in their local browser, the browser navigates to Kasm, which starts a browser-based session and then automatically directs the browser inside that session to the destination URL embedded in the Go URL. The user gets a seamless browsing experience without having to log into Kasm, launch a browser-based session, and navigate to the target URL by hand. A Go URL can also be integrated with an enterprise-class forward proxy: the user simply browses to any arbitrary URL, and the proxy redirects them to a Kasm Go URL with the originally requested URL encoded inside it, so their traffic lands in a Kasm browser-based session without the user ever having to be aware of the Go URL.
In Kasm versions <= 1.15.0, there is a vulnerability in the handling of the encoded destination URL embedded in the Kasm Go URL. The URL input is not properly escaped, which allows an attacker to pass additional command line arguments to the browser launched inside the session.
There are several caveats and important notes for this vulnerability:
The attacker must have the ability to send the user a specially crafted URL and the user must click on the link.
The user must have configured a default Kasm Workspace in their profile settings OR the administrator must have configured a default workspace at the group level. These are both non-default configurations that require end-user or administrator action.
Browsers accept a large number of command line arguments, many of which open up significant attack vectors, so the vulnerability should be mitigated and/or patched.
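The following is an added example, not Kasm's own code, that shows the flaw described above in miniature: a destination URL decoded from a Go URL and spliced, unescaped, into a browser command line, next to a hardened launcher that validates the destination and never touches a shell. The Go URL shape (destination carried in a `url` parameter after `#/go?`), the `chromium` binary name and the `--remote-debugging-port` switch are assumptions chosen for illustration; nothing here is taken from the Kasm code base.

```python
"""Added example (not Kasm's own code): why an unescaped Go URL destination
becomes browser argument injection, next to a hardened launcher.
Assumptions: the destination is the Go URL's 'url' parameter and the
browser binary is 'chromium'; both are illustrative, not taken from Kasm."""
import shlex
import subprocess
from urllib.parse import parse_qs, quote, urlsplit

BROWSER = "chromium"  # assumption: any browser that accepts --switches


def extract_destination(go_url: str) -> str:
    """Decode the destination embedded in a Go URL. The parameter name and
    its position (query string, or after '?' in the fragment) are assumed."""
    parts = urlsplit(go_url)
    query = parts.query or parts.fragment.partition("?")[2]
    values = parse_qs(query).get("url")
    if not values:
        raise ValueError("Go URL carries no 'url' parameter")
    return values[0]  # parse_qs already percent-decodes


def vulnerable_command(go_url: str) -> list[str]:
    """Flawed pattern: splice the decoded destination into a shell command
    line unescaped. Returns the argv a POSIX shell would hand the browser,
    so the injected switch is visible without launching anything."""
    dest = extract_destination(go_url)
    return shlex.split(f"{BROWSER} {dest}")


def hardened_command(go_url: str) -> list[str]:
    """Validate the destination and build argv directly (no shell)."""
    dest = extract_destination(go_url)
    # Whitespace and control characters have no place in a destination URL
    # and are exactly what shell word-splitting turns into extra arguments.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in dest):
        raise ValueError("destination contains whitespace or control characters")
    parts = urlsplit(dest)
    # Scheme allowlist: the value must start with http(s)://, so it can never
    # begin with '-' and be read by the browser as a switch.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"refusing non-http(s) destination: {dest!r}")
    # Re-serialize the parsed URL and pass it as one argv element.
    return [BROWSER, parts.geturl()]


def is_accepted(go_url: str) -> bool:
    """True if the hardened launcher would open this Go URL's destination."""
    try:
        hardened_command(go_url)
        return True
    except ValueError:
        return False


def launch(argv: list[str]) -> subprocess.Popen:
    """Run the browser with an argv list; no shell, so argv stays intact."""
    return subprocess.Popen(argv)  # not called in this example


# Constructed inputs (not real traffic). The attacker smuggles a switch
# after a space; --remote-debugging-port is one real Chromium switch among
# many that would matter if it reached the command line.
KASM_GO = "https://kasm.example.com/#/go?url="
ATTACK_GO_URL = KASM_GO + quote("https://evil.example --remote-debugging-port=9222", safe="")
LEADING_SWITCH_GO_URL = KASM_GO + quote("--remote-debugging-port=9222 https://evil.example", safe="")
SCHEME_GO_URL = KASM_GO + quote("javascript:alert(1)", safe="")
BENIGN_GO_URL = KASM_GO + quote("https://www.example.com/docs?page=1", safe="")

if __name__ == "__main__":
    print("vulnerable argv:", vulnerable_command(ATTACK_GO_URL))
    print("hardened argv:  ", hardened_command(BENIGN_GO_URL))
    for bad in (ATTACK_GO_URL, LEADING_SWITCH_GO_URL, SCHEME_GO_URL):
        print("blocked:", not is_accepted(bad))
```

The two defences are independent: dropping the shell means a space in the destination can no longer produce a second argument, and the scheme allowlist means the single argument always starts with `http`, so the browser cannot mistake it for a switch even if the destination is `--something`. A `--` switch terminator can be added before the URL on browsers that support one, but that is a browser-specific assumption, so the example relies on the two checks above.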
This vulnerability was reported by Elephantastic Software.
Mitigation
The vulnerability can be mitigated by ensuring that users do not have a default workspace image set in their profile settings and that administrators remove the default_image setting from the group settings of all groups.
Administrators can block the use of Go URLs by adding the following line to the end of /opt/kasm/current/conf/nginx/services.d/client_api.conf on all WebApp role servers.
location /api/get_default_images { return 200; } # KASM-2024-0001 workaround
After adding the above line to the end of the file, reload nginx in the proxy container with the following command.
sudo docker exec -it kasm_proxy nginx -s reload
After performing these actions on all WebApp role servers (or on the single server in a single-server deployment), users will no longer be able to use a Go URL.
Patch
Kasm Workspaces 1.15.0 rolling has been updated with the patch. The release notes for the rolling fix can be found here. When installing Kasm Workspaces on a server, you can instruct the installer to use rolling-tagged service images with the --use-rolling-images option. For existing deployments, follow this KB article. The workspace images, kasm_api and kasm_manager all need to be switched to the rolling image tags.