
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN459
_____________________________________________________________________

DATE                : 19/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Solr versions prior to
                     8.6.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/lucene-general/202008.mbox/%3cCABEwPvHxq6tfXRn+nKO7FXdwTmkV7wK9FitQf6QMCRbO6dLjbw@mail.gmail.com%3e
_____________________________________________________________________

Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public),
released in Solr version 8.6.0.

The Replication handler (
https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler)
allows commands backup, restore and deleteBackup. Each of these takes a
location parameter, which was not validated, i.e. you could read/write to
any location the solr user can access.

On a Windows system SMB paths such as \\10.0.0.99\share\folder may also
be used, leading to:
* The possibility of restoring another SolrCore from a server on the
network (or mounted remote file system) may lead to:
** Exposing search index data that the attacker should otherwise not
have access to
** Replacing the index data entirely by loading it from a remote file
system that the attacker controls

* Launching SMB attacks which may result in:
** The exfiltration of sensitive data such as OS user hashes (NTLM/LM
hashes),
** In case of misconfigured systems, SMB Relay Attacks which can lead to
user impersonation on SMB Shares or, in a worst-case scenario, Remote
Code Execution

The solution implemented to address these issues was to:
* Restrict the location parameter to trusted paths
* Prevent remote connection when using Windows UNC Paths

~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley
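
Added illustration (not Solr's own ReplicationHandler code): the Python below models the two-part mitigation described in the message above for a backup/restore location parameter, first refusing Windows UNC paths before any filesystem call is made, then resolving the remaining path and checking that it lies under one of a set of trusted base directories. The trusted roots, the sample locations and the function names are constructed for this example.

```python
"""
Server-side validation of a 'location' parameter, modelled on the fix
described for SOLR-14561:
  1. refuse Windows UNC / remote paths so the server never opens an SMB
     connection to a host an attacker names;
  2. only accept locations that resolve to a path under a trusted root.
Added example code; not Solr's implementation.
"""
import os
import re

# Constructed example of the trusted base directories an operator would
# configure for backup and restore operations.
TRUSTED_ROOTS = ("/srv/solr/backups", "/srv/solr/restore")

# Two leading separators in either slash style: \\server\share,
# //server/share, and the long-path form \\?\UNC\server\share all match.
# Checked on the raw string, before any path resolution touches the OS.
_UNC_RE = re.compile(r"^[\\/]{2}")


class UntrustedLocation(ValueError):
    """Raised when a location parameter must be rejected."""


def is_unc_path(location: str) -> bool:
    """True if the string looks like a Windows UNC (remote) path."""
    return bool(_UNC_RE.match(location.strip()))


def validate_location(location: str, trusted_roots=TRUSTED_ROOTS) -> str:
    """Return the resolved absolute path if it lies under a trusted root.

    realpath() collapses '..' and symlinks; os.path.commonpath compares
    whole path components, which avoids the string-prefix trap where
    '/srv/solr/backups_old' would 'start with' '/srv/solr/backups'.
    """
    if not location or "\x00" in location:
        raise UntrustedLocation("empty or NUL-containing location")
    if is_unc_path(location):
        raise UntrustedLocation(f"remote/UNC path refused: {location!r}")
    resolved = os.path.realpath(location)
    for root in trusted_roots:
        root_resolved = os.path.realpath(root)
        if os.path.commonpath([root_resolved, resolved]) == root_resolved:
            return resolved
    raise UntrustedLocation(f"location outside trusted roots: {location!r}")


def check_locations(locations):
    """Map each candidate location to 'allowed' or 'rejected: <reason>'.

    Suitable for an audit log: rejected values are what an operator would
    want to see when reviewing backup/restore requests.
    """
    verdicts = {}
    for loc in locations:
        try:
            validate_location(loc)
            verdicts[loc] = "allowed"
        except UntrustedLocation as exc:
            verdicts[loc] = f"rejected: {exc}"
    return verdicts


# Constructed sample inputs: one legitimate path, a traversal, a prefix
# look-alike directory, and UNC paths in both slash styles.
SAMPLE_LOCATIONS = (
    "/srv/solr/backups/snap-2020-08-19",
    "/srv/solr/backups/../../../etc/shadow",
    "/srv/solr/backups_old/snap",
    r"\\10.0.0.99\share\folder",
    "//10.0.0.99/share/folder",
    r"\\?\UNC\10.0.0.99\share",
)

if __name__ == "__main__":
    for loc, verdict in check_locations(SAMPLE_LOCATIONS).items():
        print(f"{loc!r:45} -> {verdict}")
```

The UNC check deliberately runs before `realpath()`: on a Windows host, resolving a UNC path is itself enough to trigger an outbound SMB connection, so the rejection must happen on the raw string. The containment test resolves both sides so that a trusted root that is a symlink still compares correctly.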

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
