Block access to CRX package manager through publish dispatcher #104
Description
Describe the bug
It has been identified that there is a bug in Adobe AEM which allows attackers to bypass authentication and gain access to CRX Package Manager through dispatcher. Packages enable the importing and exporting of repository content, and the Package Manager can be used for configuring, building, downloading, installing and deleting packages on local AEM installations. With access to the CRX Package Manager, an attacker could upload a malicious package in Adobe Experience Manager to leverage it to a Remote Control Execution (RCE) and gain full control of the application. AEM Opencloud has already blocked such endpoints previously.
To Reproduce
Steps to reproduce the behavior:
- Create a fullset environment using aem-opencloud v5.2.0
- After switch dns, access the below endpoint
- http://<dispatcher_end_point>/content/..;/crx/packmgr/service.jsp
Expected behavior
This endpoint should be blocked through publish dispatcher endpoint and redirect/take them to default site error page.
Screenshots
Environment (please complete the following information if relevant):
- Full Set using aem-opencloud v5.2.0
Additional context
This vulnerability can be remediated by blocking public access to the CRX console (blocking all access to endpoints: /content/..;/crx/*) in the dispatcher rules.
Also ensure this path is included in inspec-aem-security, so that it verifies the path is added to blocked list.