CasaOS Open Source cloud software critical vulnerabilities

published: Oct. 17, 2023

Take action: If you are using CasaOS in your home cloud environment, the patch is very much worth the effort, because otherwise the neighbours (or remote criminals) may end up owning your home cloud platform.


Researchers have reported two significant security weaknesses in the open source CasaOS personal cloud software.

Both of these security flaws are tracked under CVE-2023-37265 and CVE-2023-37266 (CVSS score 9.8).

  • CVE-2023-37265 involves an error in determining the client's original IP address. This flaw permits unauthorized users to run any command they desire as the root user on CasaOS systems.
  • CVE-2023-37266 allows unauthorized individuals to create arbitrary JSON Web Tokens (JWTs). With these tokens, they can access functionality normally protected by authentication and again execute any command as the root user on CasaOS platforms.

When exploited successfully, these vulnerabilities let attackers bypass security controls and obtain administrative rights on the CasaOS software.

The weaknesses let attackers bypass authentication entirely, gaining unrestricted access to the CasaOS user interface. Furthermore, the software's ability to integrate third-party applications can be abused: by running specific commands, attackers can not only achieve persistent access to the targeted device but also potentially move on to associated internal systems.

The software's development team, IceWhale, promptly released a corrective version 0.4.4 on July 14, 2023.
