local privilege escalation: users can self-promote to admin

Bug #2115714 reported by Jacopo Rota
Affects    Status        Importance  Assigned to   Milestone
MAAS       Fix Released  High        Jacopo Rota
  3.3      Fix Released  High        Jacopo Rota
  3.4      Fix Released  High        Jacopo Rota
  3.5      Fix Released  High        Jacopo Rota
  3.6      Fix Released  High        Jacopo Rota

Bug Description

Describe the bug:

Users can self-promote to admin by patching a request to the users websocket handler and changing the `is_superuser` property. By intercepting the request - such as during a password change or profile update - an attacker can manually change the `is_superuser` value from false to true.

Steps to reproduce:

Intercept the user.update and change the `is_superuser` property to True. After that the user has full admin power.

Expected behavior (what should have happened?):

Server error

Actual behavior (what actually happened?):

The user becomes admin

MAAS version and installation type (deb, snap):

Any

MAAS setup (HA, single node, multiple regions/racks):

Any

Host OS distro and version:

Any

Additional context:

CVE References
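The defect described above is a missing server-side authorization check on a privileged field: the handler applies whatever fields the client sends, including `is_superuser`. The following is an added illustration written for this page, not MAAS code; `User`, `PermissionDenied`, `vulnerable_update`, `hardened_update` and the field sets are hypothetical names. It shows the vulnerable pattern next to a hardened handler that allowlists self-editable fields, refuses admin-only fields from non-admins with an error (the "server error" the report says should have happened), and logs the attempt so it can be alerted on.

```python
# Added illustration, not MAAS code. All names below are hypothetical.
from dataclasses import dataclass
import logging

log = logging.getLogger("user_update")


@dataclass
class User:
    username: str
    email: str = ""
    is_superuser: bool = False


class PermissionDenied(Exception):
    """Raised when the caller may not perform the requested change."""


# Fields a user may change on their own account (constructed allowlist).
SELF_EDITABLE = frozenset({"email"})
# Fields only an administrator may set; is_superuser is the one the bug is about.
ADMIN_ONLY = frozenset({"is_superuser"})


def vulnerable_update(actor: User, target: User, params: dict) -> User:
    """Pattern behind the bug: every field in the client message is applied,
    so a non-admin can include is_superuser=True in their own profile update."""
    for key, value in params.items():
        setattr(target, key, value)
    return target


def hardened_update(actor: User, target: User, params: dict) -> User:
    """Same operation with server-side authorization decided per field."""
    requested = set(params)
    unknown = requested - SELF_EDITABLE - ADMIN_ONLY
    if unknown:
        raise PermissionDenied(f"unknown field(s): {sorted(unknown)}")
    if not actor.is_superuser:
        if actor.username != target.username:
            raise PermissionDenied("non-admin may only edit their own account")
        privileged = requested & ADMIN_ONLY
        if privileged:
            # A non-admin sending is_superuser is itself a detection signal.
            log.warning("user %s attempted to set %s", actor.username, sorted(privileged))
            raise PermissionDenied(f"field(s) {sorted(privileged)} require admin")
    for key, value in params.items():
        setattr(target, key, value)
    return target


def demo() -> dict:
    """Run both handlers against constructed users; returns the outcomes."""
    results = {}

    alice = User("alice", "alice@example.test")
    vulnerable_update(alice, alice, {"is_superuser": True})
    results["vulnerable_self_promote"] = alice.is_superuser  # True: the bug

    bob = User("bob", "bob@example.test")
    try:
        hardened_update(bob, bob, {"is_superuser": True})
        results["hardened_self_promote"] = "allowed"
    except PermissionDenied as exc:
        results["hardened_self_promote"] = f"denied: {exc}"

    # Ordinary self-service edits still work.
    hardened_update(bob, bob, {"email": "bob2@example.test"})
    results["hardened_email_change"] = bob.email

    # An actual administrator may still promote another user.
    root = User("root", is_superuser=True)
    hardened_update(root, bob, {"is_superuser": True})
    results["admin_promote"] = bob.is_superuser
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The allowlist is the important design choice: deciding authorization per field on the server means a client that adds an extra key to an otherwise legitimate profile update gets an error rather than a silent privilege change, and the warning log line gives operators something to alert on.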

Revision history for this message
Jacopo Rota (r00ta) wrote :

3.7 is fixed because the UI migrated to the v3 api and they are not vulnerable to this exploit.

Changed in maas:
milestone: none → 3.7.0
status: Triaged → Fix Committed
assignee: nobody → Jacopo Rota (r00ta)
Jacopo Rota (r00ta)
description: updated
Nick Galanis (nickgalanis) wrote :

Thanks Jacopo, please use CVE-2025-7044 for this issue. I will come back with the evaluation from the SecEng team.

Changed in maas:
milestone: 3.7.0 → 3.7.0-beta1
Jacopo Rota (r00ta) wrote :

Hi @nick, any news?

Nick Galanis (nickgalanis) wrote :

Hey Jacopo, sorry for the delay. The score we are giving this CVE is CVSS3 High (7.7). You can see the break down here: https://cvss.js.org/#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Nick Galanis (nickgalanis) wrote :

Let me know if you have any doubts about that, otherwise I can go ahead and prepare the CVE entry for you, having it ready for when you are ready to publish the issue.

Changed in maas:
status: Fix Committed → Fix Released
Jacopo Rota (r00ta) wrote :

We are going to apply the patch in ~1 month for the 3.6.3 and 3.5.9 releases that must be released at the same time. SEG will take care of backporting the patch to 3.3 and 3.4 and release them accordingly at the same time

Jacopo Rota (r00ta) wrote :

the commit message is gonna be: "fix: Improve users websocket handler error message"

Jacopo Rota (r00ta) wrote :

released in 3.5.9

Nick Galanis (nickgalanis) wrote :

CVE-2025-7044 is now published, thus this bug will be public as well.

information type: Private Security → Public Security