Summary
FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note.
Details
FileServerService.prototype.proxyHandler did not check that incoming requests were not themselves coming from another proxy server.
An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and ending the request with a malicious redirect back to another nested proxy request, leading to unbounded recursion until the original request times out.
[Detailed exploitation methodology is withheld]
Remediation
Upgrade to Misskey v2024.11.0 or later.
OR
Configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker cannot effectively modify the User-Agent header without making another request to the server.
Instances with external media proxy configured are also affected by this vulnerability. If you have an external media proxy, you should confirm both the internal AND external proxy are not vulnerable.
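The User-Agent based mitigation above, written as an added example that is not Misskey's own code: a guard placed in front of the media proxy handler that refuses requests whose User-Agent is missing, empty, or contains Misskey/. The function names, the 403 response shape and the sample requests are assumptions constructed for this example.

```javascript
// Added example (not from the Misskey project): refuse media-proxy requests
// that look like they originate from another Misskey media proxy, which is
// the signature of a proxy loop. Marker taken from the advisory's remediation.
const LOOP_MARKER = 'Misskey/';

// Read User-Agent from a Node-style headers object (keys lower-cased,
// value may be a string, an array of strings, or undefined).
function getUserAgent(headers) {
  const raw = headers['user-agent'] ?? headers['User-Agent'];
  if (Array.isArray(raw)) return raw.join(', ');
  return typeof raw === 'string' ? raw : '';
}

// Decide whether an incoming proxy request should be refused.
// Returns a reason string when it must be blocked, or null to allow it.
function proxyLoopReason(headers) {
  const ua = getUserAgent(headers).trim();
  if (ua === '') return 'empty User-Agent';
  if (ua.includes(LOOP_MARKER)) return 'User-Agent identifies another Misskey proxy';
  return null;
}

// Hook in the shape of a request/reply pre-handler (plain objects so it runs
// offline). Returns true to continue to proxyHandler, false when refused.
// The 403 status and message body are assumptions of this example.
function proxyLoopGuard(req, reply) {
  const reason = proxyLoopReason(req.headers);
  if (reason === null) return true;
  reply.statusCode = 403;
  reply.body = `proxy request refused: ${reason}`;
  return false;
}

// Constructed sample requests (not real captured traffic).
const browserReq = { headers: { 'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0' } };
const loopedReq = { headers: { 'user-agent': 'Misskey/2024.10.1 (constructed-instance.invalid)' } };
const emptyReq = { headers: {} };

for (const req of [browserReq, loopedReq, emptyReq]) {
  const reply = {};
  const allowed = proxyLoopGuard(req, reply);
  console.log(allowed ? 'allowed' : `blocked (${reply.statusCode}): ${reply.body}`);
}
```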
Impact
An unsophisticated attack (single IP, single instance) can lead to excessive CPU and gigabytes of memory usage and noticeable performance degradation while staying below the rate-limiting threshold.
A (currently unproven but realistic) well-orchestrated attack can lead to widespread outages across multiple instances.