Two critical security vulnerabilities have been discovered in the open-source personal cloud software CasaOS   . These vulnerabilities, tracked as CVE-2023-37265 and CVE-2023-37266      , have a high CVSS score of 9.8 out of 10   . They could potentially allow attackers to execute arbitrary code and take control of vulnerable systems   .
Sonar security researcher Thomas Chauchefoin found these vulnerabilities in CasaOS. The first flaw enables attackers to bypass authentication requirements and gain full access to the CasaOS control panel . The second flaw allows attackers to exploit CasaOS’s support for third-party applications, enabling them to execute arbitrary commands and gain persistent access to devices or internal networks     .
The vulnerabilities were addressed in version 0.4.4 of CasaOS     , which was released on July 14, 2023    . One vulnerability involves incorrect identification of the source IP address , allowing unauthenticated attackers to execute arbitrary commands as root . The other vulnerability allows unauthenticated attackers to create arbitrary JSON web tokens (JWT) and access authenticated functions , also enabling them to execute arbitrary commands as root .
Exploiting these vulnerabilities could grant attackers administrative privileges in vulnerable instances of CasaOS   . It is important to note that relying on identifying IP addresses at the application layer for security decisions is risky  .
These critical vulnerabilities in CasaOS pose a significant threat to the security of personal cloud systems. However, the release of version 0.4.4 has addressed these vulnerabilities, providing users with a solution to mitigate the risks. Moving forward, it is crucial for users to promptly update their CasaOS software to the latest version to ensure the security of their systems. Additionally, this incident highlights the importance of implementing robust authentication mechanisms and regularly updating software to protect against potential security breaches.