VYPR
Unrated severity · NVD Advisory · Published Apr 23, 2019 · Updated Aug 4, 2024

CVE-2019-11076

Description

Cribl UI 1.5.0 allows remote attackers to run arbitrary commands via an unauthenticated web request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cribl UI 1.5.0 allows unauthenticated remote attackers to execute arbitrary commands by forging a JWT session token and using the scripts API.

Vulnerability

Cribl UI version 1.5.0 contains an authentication bypass vulnerability due to a weak or predictable JWT encryption key. An attacker can forge a valid session token for any username with an extended expiry [1]. This token can be used to access authenticated endpoints, including the /api/v1/system/scripts API, which allows creating and executing arbitrary commands on the server. The vulnerability is present in the web interface exposed on port 9000 by default.

Exploitation

An attacker with network access to the Cribl UI (port 9000) can exploit this without any prior authentication. The attacker first obtains or forges a valid JWT token (e.g., using the known encryption key) and sets it as the cribl_auth cookie. Then, using a crafted HTTP request to /api/v1/system/scripts, the attacker creates a script with an arbitrary command (e.g., wget to download a malicious payload). Subsequently, a request to /api/v1/system/scripts//run executes the script. The PoC demonstrates downloading a NodeJS reverse shell and executing it, requiring the Cribl server to have outbound network access to the attacker's host [1].

Impact

Successful exploitation results in remote code execution as the user running the Cribl process (often root in Docker deployments). The attacker gains full control over the Cribl instance, including the ability to read, modify, or exfiltrate data processed by Cribl, and potentially pivot to other systems in the network.

Mitigation

Cribl has addressed this vulnerability in a later release. Users should upgrade to a version beyond 1.5.0. If upgrading is not immediately possible, restrict network access to the Cribl UI to trusted hosts only and monitor for unauthorized script creation or execution. The vulnerability is publicly documented with a PoC [1], so immediate action is recommended.
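One way to do the monitoring suggested above, as an added example that is not part of the advisory or of Cribl's code: a log scan that flags requests to the scripts API from clients outside an allowlist and raises severity when a scripts request is followed by a run request from the same client. The Common Log Format input (from a reverse proxy placed in front of the UI), the trusted subnet, the 10-minute window, and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: a reverse proxy in front of the Cribl UI writes Common Log Format.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SCRIPTS_API = "/api/v1/system/scripts"            # endpoint named in the advisory
TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical admin subnet
WINDOW = timedelta(minutes=10)                    # hypothetical correlation window

def classify(path):
    path = path.split("?", 1)[0].rstrip("/")      # drop query string, trailing slash
    if path != SCRIPTS_API and not path.startswith(SCRIPTS_API + "/"):
        return None
    return "run" if path.endswith("/run") else "scripts"

def is_trusted(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:          # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED)

def scan(lines):
    """Alert on scripts-API requests from clients outside TRUSTED."""
    alerts, last_touch = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify(m["path"]) if m else None
        if kind is None or is_trusted(m["ip"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        severity = "medium"
        if kind == "scripts":
            last_touch[m["ip"]] = ts
        elif m["ip"] in last_touch and ts - last_touch[m["ip"]] <= WINDOW:
            severity = "high"   # scripts request, then a run: the advisory's sequence
        alerts.append((severity, m["ip"], kind, m["path"], m["status"]))
    return alerts

SAMPLE_LOG = [  # constructed lines (methods and script id are made up), not captured traffic
    '10.20.0.5 - - [23/Apr/2019:10:00:00 +0000] "GET /api/v1/system/scripts HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Apr/2019:10:01:00 +0000] "POST /api/v1/system/scripts HTTP/1.1" 200 88',
    '203.0.113.7 - - [23/Apr/2019:10:01:05 +0000] "POST /api/v1/system/scripts/example-id/run HTTP/1.1" 200 40',
    '198.51.100.9 - - [23/Apr/2019:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 20',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A 2xx status on a flagged request from an untrusted client means the request was accepted, which on an affected version is consistent with a forged session token.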

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

References

1
