CVE-2024-24759: MindsDB SSRF Vulnerability via DNS Rebinding

CVE-2024-24759 Overview

CVE-2024-24759 is a Server-Side Request Forgery (SSRF) protection bypass vulnerability in MindsDB, a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the entire application using DNS Rebinding techniques. This vulnerability can also lead to denial of service conditions, making it a dual-impact security issue.

Critical Impact

Attackers can bypass SSRF protections to access internal network resources and potentially cause denial of service, compromising the confidentiality of enterprise data and system availability.

Affected Products

• MindsDB versions prior to 23.12.4.2
• MindsDB AI platform deployments with network-accessible endpoints
• Enterprise environments using MindsDB for AI/ML data processing

Discovery Timeline

• 2024-09-05 - CVE-2024-24759 published to NVD
• 2024-09-06 - Last updated in NVD database

Technical Details for CVE-2024-24759

Vulnerability Analysis

This vulnerability exploits a weakness in MindsDB's SSRF protection mechanism (CWE-918). The existing security controls fail to account for DNS Rebinding attacks, where an attacker controls a DNS server that initially resolves to a safe IP address but then rebinds to an internal or restricted IP address after the validation check has passed.

The attack allows threat actors to circumvent URL validation and make requests to internal network resources that should be protected from external access. This can expose sensitive internal services, configuration data, and potentially enable further lateral movement within the network. Additionally, the vulnerability can be leveraged to cause denial of service conditions by directing requests to resource-intensive endpoints or triggering resource exhaustion.

Root Cause

The root cause lies in the implementation of SSRF protection that performs DNS resolution at validation time but does not prevent subsequent DNS rebinding. When a URL is submitted, MindsDB validates the resolved IP address against a blocklist. However, if the attacker controls the DNS server, they can return a safe IP during validation and then rebind to an internal IP (e.g., 127.0.0.1, 169.254.x.x, or internal network ranges) when the actual request is made.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:

1. Setting up a malicious DNS server that responds with a safe external IP initially
2. Configuring the DNS TTL to be very short (typically 0 or near-zero)
3. Submitting a URL pointing to the attacker-controlled domain to MindsDB
4. After MindsDB validates the URL, the DNS server rebinds to an internal IP address
5. MindsDB makes the actual request to the now-rebinded internal address, bypassing SSRF protections

The following patch was applied in version 23.12.4.2 to address this vulnerability:

 __title__ = 'MindsDB'
 __package_name__ = 'mindsdb'
-__version__ = '23.12.4.1'
+__version__ = '23.12.4.2'
 __description__ = "MindsDB server, provides server capabilities to mindsdb native python library"
 __email__ = "jorge@mindsdb.com"
 __author__ = 'MindsDB Inc'

Source: GitHub Commit

Detection Methods for CVE-2024-24759

Indicators of Compromise

• Unusual DNS queries with extremely low TTL values from MindsDB server instances
• Requests to internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) originating from MindsDB processes
• Anomalous outbound connections from MindsDB to unexpected internal services
• Spike in failed or unusual API requests that could indicate exploitation attempts

Detection Strategies

• Monitor DNS query patterns from MindsDB instances for rapid re-resolution of the same domains
• Implement network-level monitoring to detect connections to internal IP ranges from externally-facing services
• Deploy application-layer logging to capture URL requests and their resolved destinations
• Use intrusion detection systems (IDS) rules to alert on DNS rebinding attack patterns

Monitoring Recommendations

• Enable verbose logging for all MindsDB HTTP client operations and review for suspicious patterns
• Monitor for sudden increases in outbound connection attempts from MindsDB deployments
• Track DNS resolution behavior using network flow analysis tools
• Establish baseline network behavior for MindsDB instances to identify anomalous activity

How to Mitigate CVE-2024-24759

Immediate Actions Required

• Upgrade MindsDB to version 23.12.4.2 or later immediately
• Review network logs for any signs of exploitation prior to patching
• Implement network segmentation to limit MindsDB's access to sensitive internal resources
• Consider temporarily restricting external network access to MindsDB instances until patching is complete

Patch Information

MindsDB has released version 23.12.4.2 which contains the security patch for this vulnerability. The fix addresses the DNS rebinding bypass by implementing additional validation controls. Organizations should update their MindsDB installations as soon as possible.

For detailed patch information, refer to the GitHub Security Advisory GHSA-4jcv-vp96-94xr and the GitHub Commit.

Workarounds

• Deploy a network-level firewall that blocks outbound connections from MindsDB to internal IP ranges
• Implement a DNS resolver that ignores DNS responses pointing to private IP ranges for external domain queries
• Use network segmentation to isolate MindsDB from sensitive internal services
• Consider deploying a forward proxy that re-validates DNS resolution at connection time

# Example: Block internal IP access at the network level (iptables)
# Prevent MindsDB from connecting to private IP ranges
iptables -A OUTPUT -m owner --uid-owner mindsdb -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner mindsdb -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner mindsdb -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner mindsdb -d 127.0.0.0/8 -j DROP