SQL Injection In Heimdall Gateway - Heimdall/Getheimdall: CVE-2021-34826 / CX-2021-4798

Severity

Severity: 9.8 (Critical)

Summary
The Heimdall Gateway application is vulnerable to SQL Injection in its API routing mechanism. An unauthenticated attacker can inject SQL statements through the URL of a routed API when the request is sent with a downgraded HTTP protocol version (HTTP/1.0) and an empty Host header.

Product

  • getheimdall/heimdall <= 2.17.0

Impact

An attacker can tamper with the SQL query built from the request URL, allowing them to read or modify all data in the backing Postgres database and to execute arbitrary SQL statements.

Steps To Reproduce

  1. Get an instance of Heimdall running as per the documentation, or via docker-compose.
  2. Add any API to the orchestrator; this is part of basic Heimdall functionality.
  3. Locate an API endpoint on the Heimdall Gateway. The following sample assumes "user" is an endpoint orchestrated by Heimdall.
  4. Note that for the exploit to work, the request must use HTTP/1.0 instead of HTTP/1.1, and the Host header must be empty.
  5. Use the following command to induce a delay and demonstrate that a SQL statement is executed: curl -v -i --http1.0 -H 'Host:' "http://heimdall_instance/v2/user/';SELECT(pg_sleep(10));--a"
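From a defender's side, the three traits the reproduction steps combine (an HTTP/1.0 request, an empty Host header, and SQL metacharacters in the routed path) are easy to spot in gateway access logs. The following is an added example, not code from the Heimdall project or from the advisory. It assumes a combined-log-style line with the Host header value appended in quotes (the log layout is an assumption; adjust the regular expression to your format), and the sample log lines are constructed, not real traffic.

```python
"""Log-based detection for the Heimdall Gateway injection pattern (CVE-2021-34826).

Added example; not part of the Heimdall project or the advisory. Flags requests
that carry SQL metacharacters in the path together with at least one of the
other traits the advisory names (HTTP/1.0 downgrade, empty Host header), so a
lone apostrophe in a legitimate path such as /user/o'brien is not reported.
"""
import re
from urllib.parse import unquote

# Combined-log-style line with the Host header value appended in quotes.
# This layout is an assumption for the example, not Heimdall's own log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)

# Indicators taken from the advisory's proof of concept: a quote that breaks out
# of the string literal, a statement separator, a SQL comment marker, pg_sleep.
SQLI_MARKERS = re.compile(r"'|;|--|pg_sleep\s*\(", re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of advisory traits present in one parsed log entry."""
    reasons = []
    path = unquote(entry["path"])  # the payload may arrive URL-encoded
    if entry["proto"] == "HTTP/1.0":
        reasons.append("http/1.0 downgrade")
    if entry["host"] == "":
        reasons.append("empty host header")
    if SQLI_MARKERS.search(path):
        reasons.append("sql metacharacters in path")
    return reasons


def scan(lines):
    """Return (ip, path, reasons) for entries with SQL markers plus another trait."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if "sql metacharacters in path" in reasons and len(reasons) >= 2:
            hits.append((entry["ip"], entry["path"], reasons))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2021:12:00:01 +0000] "GET /v2/user/42 HTTP/1.1" 200 512 "gateway.example"',
    '203.0.113.9 - - [10/Jun/2021:12:00:02 +0000] "GET /v2/user/%27;SELECT(pg_sleep(10));--a HTTP/1.0" 500 0 ""',
    '198.51.100.7 - - [10/Jun/2021:12:00:03 +0000] "GET /v2/user/7 HTTP/1.0" 200 480 ""',
    '203.0.113.5 - - [10/Jun/2021:12:00:04 +0000] "GET /v2/user/o%27brien HTTP/1.1" 404 0 "gateway.example"',
]

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(reasons)}")
```

Only the second sample line is reported: the third has the protocol downgrade and empty Host but no SQL markers, and the fourth has an apostrophe in an otherwise ordinary HTTP/1.1 request. Requiring the marker plus one protocol-level trait keeps the rule specific to this advisory rather than a generic apostrophe alarm.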

Remediation

  • This software is obsolete and no longer maintained; it should be retired.

Properties

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High

Credit

This issue was discovered and reported by Checkmarx Security Research Team Leader Dor Tumarkin (@dortumarkin).

Resources

  1. Heimdall Git repository (archived)