Code injection vulnerability on /system/log endpoint
pondzikk opened this issue · 9 comments
The URL GET parameter `{logtime}`, utilized within the `downloadlog` function from `/cbpi/controller/system_controller.py`, is subsequently passed to the `os.system` function in `/cbpi/http_endpoints/http_system.py` without prior validation, allowing execution of arbitrary code.
Vulnerability exists from version 4.0.0.58 (commit 563fae9).
Unfortunately, I am not an expert nor a professional programmer. I need to look into it and read more details on the topic. Are you referring to changes documented here? Or even better, do you have a proposal on how to fix it with a PR?
Anyhow, it'll take some time.
Yes, the mentioned mitigations should fix this issue. If I find any free time soon I will test the mitigation and make a PR.
@pondzikk Would a check whether logtime is an integer and below a certain value reduce the risk significantly? This could be a short-term solution.
Yup, it should work.
I haven't checked the fixed version in action, but after reading the changes in the commit I think it would mitigate this issue.
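To make the pattern discussed in this thread concrete (an untrusted `logtime` query parameter spliced into a shell command line, and the proposed integer check as a mitigation), here is an added example that is not code from the CraftBeerPi project and does not reproduce its actual `downloadlog` implementation. The `journalctl --since` command line, the upper bound `MAX_LOGTIME`, and all function names are assumptions made for illustration; the project's eventual fix, per the thread, switched to the systemd-python package rather than a subprocess call.

```python
import re
import subprocess
from typing import List

# Upper bound on the accepted value in minutes. Constructed for this example;
# the thread only proposes "an integer below a certain value".
MAX_LOGTIME = 1440


def vulnerable_command(logtime: str) -> str:
    """Hypothetical reconstruction of the unsafe pattern: the raw query
    parameter is concatenated into a string destined for os.system(), so
    /bin/sh interprets any shell metacharacters the client supplies.
    The string is returned, never executed, so the example runs offline.
    """
    return "journalctl --since '%s minutes ago'" % logtime


def validate_logtime(value: str) -> int:
    """Mitigation proposed in the thread: accept only a plain ASCII decimal
    integer within [1, MAX_LOGTIME]; anything else is rejected outright."""
    if not isinstance(value, str) or re.fullmatch(r"[0-9]{1,6}", value) is None:
        raise ValueError("logtime must be a decimal integer")
    minutes = int(value)
    if not 1 <= minutes <= MAX_LOGTIME:
        raise ValueError("logtime out of range (1..%d)" % MAX_LOGTIME)
    return minutes


def is_rejected(value: str) -> bool:
    """True when validate_logtime() refuses the value (used by the checks)."""
    try:
        validate_logtime(value)
    except ValueError:
        return True
    return False


def safe_command(logtime: str) -> List[str]:
    """Build an argv list from the validated integer. Passing a list with
    shell=False means no shell ever parses the client-controlled value,
    which removes the injection vector even if validation were loosened."""
    minutes = validate_logtime(logtime)
    return ["journalctl", "--since", "%d minutes ago" % minutes]


def read_log(logtime: str) -> subprocess.CompletedProcess:
    """Run the validated command without a shell (assumes journalctl exists)."""
    return subprocess.run(
        safe_command(logtime), shell=False, capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    # Constructed inputs: a legitimate value and one carrying a shell
    # metacharacter. The first is accepted, the second refused before any
    # command is built.
    print(safe_command("30"))
    print("rejected:", is_rejected("5;echo"))
```

The two layers are deliberately independent: the regex-and-range check limits the parameter to what the endpoint actually needs, and the argv list with `shell=False` guarantees that even an accepted value is handed to `journalctl` as a single argument rather than parsed by `/bin/sh`. The vulnerable string builder is kept only to show why a metacharacter in the parameter matters when the value does reach `os.system`.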
@avollkopf
we have been requested to assign a CVE for that vulnerability.
We have reserved CVE-2024-3955 and we will soon publish its details.
If you want to consult its content please contact us at our email address.
Best regards
CERT.PL CNA
Added a test branch that is using the systemd-python package instead of os.system to read from the journal. Tests started, but reading from the log is working already and the issue should be solved with the usage of the additional package.
The vulnerability was described and published at the following addresses:
https://www.cve.org/CVERecord?id=CVE-2024-3955
https://cert.pl/en/posts/2024/05/CVE-2024-3955/
Best regards
CERT.PL CNA
Closed with aforementioned PR