Mastodon, a popular decentralized social networking platform, has disclosed a critical vulnerability that could allow attackers to take control of servers. The announcement came last week when Mastodon released patches for five vulnerabilities in its open source software, including two classified as 'critical'.
The most severe vulnerability is identified as CVE-2023-36460, which has a CVSS score of 9.9. This flaw involves an arbitrary file creation issue that could result in a complete compromise of the server. Attackers can exploit this vulnerability by utilizing specially crafted media files to trick Mastodon's media processing code into creating arbitrary files at any location. This can lead to denial-of-service attacks and arbitrary remote code execution.
Security researcher Kevin Beaumont has named this critical vulnerability "TootRoot" as it enables attackers to achieve a webshell on the affected Mastodon instance by sending a toot, which is a short-form status message. Exploiting this vulnerability could provide attackers with root access to Mastodon servers.
The second critical vulnerability, tracked as CVE-2023-36459, is described as a cross-site scripting (XSS) issue. Attackers can bypass HTML sanitization by using carefully crafted oEmbed data, introducing the risk of executing cross-site scripting payloads when users click on a preview card for a malicious link.
Mastodon addressed these vulnerabilities, along with three others, by releasing versions 4.1.3, 4.0.5, and 3.5.9. All administrators are strongly advised to update their Mastodon instances promptly.
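As an added example (not from the article or the Mastodon project), here is a small Python check an administrator can run against the `version` field that an instance's `GET /api/v1/instance` endpoint returns, comparing it with the fixed releases listed above; the sample responses are constructed, and branches the advisory does not list are reported as unknown rather than assumed safe.

```python
import re

# Fixed releases per Mastodon branch, as listed in the advisory text above.
PATCHED = {
    (3, 5): (3, 5, 9),
    (4, 0): (4, 0, 5),
    (4, 1): (4, 1, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the numeric (major, minor, patch) prefix of a Mastodon version
    string such as '4.1.2', '4.1.3+glitch' or '4.2.0-nightly.2023-07-04'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """True if the version is at or above the fixed release for its branch,
    False if below it, None for a branch the advisory does not cover
    (e.g. a 4.2 nightly or anything older than 3.5): verify those manually."""
    major, minor, patch = parse_version(version_text)
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def check_instance(instance_json):
    """Classify the 'version' field of a decoded /api/v1/instance response."""
    version = instance_json.get("version", "")
    result = is_patched(version)
    if result is None:
        return f"{version}: unknown branch, verify manually"
    return f"{version}: {'patched' if result else 'VULNERABLE, update now'}"


# Constructed sample responses, not real instances.
SAMPLES = [
    {"version": "4.1.2"},
    {"version": "4.1.3"},
    {"version": "4.0.4+glitch"},
    {"version": "3.5.9"},
    {"version": "4.2.0-nightly.2023-07-04"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_instance(sample))
```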
Beaumont warns that a significant number of instances have yet to apply the patches, increasing the likelihood of real-world exploitation. Because exploiting the vulnerability requires only a single toot, widespread exploitation across many instances is a serious concern.
Martin Jartelius, CSO at cybersecurity risk management platform provider Outpost24, shared his insights on the vulnerability and on how organizations can avoid similar vulnerabilities: “The type of vulnerabilities seen here should not make it into production, especially the LDAP and arbitrary file writes, but the fact they are detected and reported shows responsibility and transparency, which is not the case with more closed applications and organizations.
Over the years pretty much all platforms have been found to have vulnerabilities; just recognize that tomorrow is Patch Tuesday, when we are bound to see another pile of patches for commercial solutions that have been subject to substantial security investments and countless audits, yet new vulnerabilities are consistently reported.
As more users mass to a platform, more security researchers and attackers take an active interest, and more risks will be uncovered. What we have seen so far indicates that this will be treated well, which is good, and what we see is no reason to shy away. Any technology, regardless of creator, should be monitored, maintained and configured properly, which includes defense in depth for the deployment.”