Horizon Alert
Summary of the vulnerability and why it matters
A critical vulnerability exists in AdGuard Home, affecting its authentication mechanism when started with a specific flag. This flaw could allow unauthorized individuals to gain full administrative control of the system by manipulating a cookie. The main concern is confirming if this specific configuration is in use and if it is exposed to potential attackers.
- Authentication bypass allows admin access.
- Critical issue if exposed and misconfigured.
- Confirm usage and exposure of this feature.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to the AdGuard Home service. By manipulating the `Admin-Token` cookie with a path traversal sequence, the attacker can trick the service into reading an arbitrary file, ultimately bypassing authentication and gaining full administrative access.
- No authentication required.
- Path traversal in `Admin-Token` cookie.
- Full administrative access granted.
Live Threat
Current exploitation, exposure, and threat context
When AdGuard Home is started with the `--glinet` flag, an unauthenticated attacker could bypass authentication to gain full administrative access. This is possible by supplying a path traversal sequence within the `Admin-Token` cookie, which can redirect file reads to arbitrary paths due to unsanitized string concatenation.
- Admin access to the service.
- Path traversal in `Admin-Token` cookie.
- Unauthorized administrative control.
Operational Fix
Recommended remediation, mitigation, and detection steps
The critical authentication bypass in AdGuard Home, particularly when using the `--glinet` flag, requires immediate attention from teams managing the AdGuard Home instances. The first practical step is to identify all deployments, confirm their accessibility, and determine business criticality to prioritize remediation efforts. Since AdGuard Home is often deployed internally, platform or infrastructure teams are likely responsible, with support from security teams for exposure assessment and vendor-management if a managed service is involved.
- Identify AdGuard Home instances and their owners.
- Verify external reachability and business criticality.
- Plan remediation based on identified risk.