Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1obWd3LTlqcmctaGYybc4AA2kX

Directus crashes on invalid WebSocket message

Summary

It seems that any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. This could probably be posted as an issue and I might even be able to put together a pull request for a fix (if only I had some extra time...), but I decided to instead post as a vulnerability just for the maintainers, since this seemingly can be used to crash any live Directus server if websockets are enabled, so public disclosure is not a good idea until the issue is fixed.

Details

The fix for this seems quite simple; the websocket server just needs to properly catch the error instead of crashing the server. See for example: https://github.com/websockets/ws/issues/2098

PoC

Start a fresh Directus server (using for example the compose file here: https://docs.directus.io/self-hosted/docker-guide.html). Enable websockets by setting WEBSOCKETS_ENABLED: 'true' environment variable.
run a separate node app somewhere else to send an invalid frame to the server:

const WebSocket = require("ws");
const websocket = new WebSocket("ws://0.0.0.0:8055/websocket");
websocket.on("open", function () {
  const chunk = Buffer.from("a180", "hex");
  websocket._socket.write(chunk);
});

Impact

The server crashes with an error: RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear. Server needs to be manually restarted to get back online (if there's no recovery mechanism in place, as there often isn't with simple node servers). This was confirmed on a local server, and additionally I was able to crash our staging server with the same code, just pointing to our staging Directus server running at fly.io. It seems to also crash servers running in the directus.cloud service. I created https://websocket-test.directus.app/, pointed the above script to the websocket url of that instance and the server does crash for a while. It seems that in there there's a mechanism for bringing the server back up quite fast, but it would be quite trivial for anyone to DoS any server running in directus.cloud by just spamming these invalid frames to the server.

Permalink: https://github.com/advisories/GHSA-hmgw-9jrg-hf2m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1obWd3LTlqcmctaGYybc4AA2kX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 months ago
Updated: 6 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-hmgw-9jrg-hf2m, CVE-2023-45820
References:

Repository: https://github.com/directus/directus
Blast Radius: 15.5

Affected Packages

npm:directus

Dependent packages: 16
Dependent repositories: 115
Downloads: 62,753 last month
Affected Version Ranges: >= 10.4.0, < 10.6.2
Fixed in: 10.6.2
All affected versions: 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.6.0, 10.6.1
All unaffected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.12.2, 9.13.0, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.5, 9.15.0, 9.15.1, 9.16.0, 9.16.1, 9.17.0, 9.17.1, 9.17.2, 9.17.3, 9.17.4, 9.18.0, 9.18.1, 9.19.0, 9.19.1, 9.19.2, 9.20.0, 9.20.1, 9.20.2, 9.20.3, 9.20.4, 9.21.0, 9.21.2, 9.22.0, 9.22.1, 9.22.3, 9.22.4, 9.23.1, 9.23.3, 9.23.4, 9.24.0, 9.25.0, 9.25.1, 9.25.2, 9.26.0, 10.0.0, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.6.2, 10.6.3, 10.6.4, 10.7.0, 10.7.1, 10.7.2, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0, 10.9.1, 10.9.2, 10.9.3, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5, 10.10.6, 10.10.7