
Code injection vulnerability on /system/log endpoint #132

Closed
pondzikk opened this issue Apr 14, 2024 · 9 comments

Comments

@pondzikk

The URL GET parameter {logtime}, used within the downloadlog function in /cbpi/controller/system_controller.py, is subsequently passed to the os.system function in /cbpi/http_endpoints/http_system.py without prior validation, allowing arbitrary code execution.

The vulnerability exists from version 4.0.0.58 (commit 563fae9).

@avollkopf
Member

Unfortunately, I am not an expert nor a professional programmer. I need to look into it and read more details on the topic. Are you referring to the changes documented here? Or, even better, do you have a proposal on how to fix it with a PR?

Anyhow, it'll take some time.

@pondzikk
Author

Yes, the mentioned mitigations should fix this issue. If I find any free time soon, I will test the mitigation and make a PR.

@avollkopf
Member

@pondzikk Would a check whether logtime is an integer and below a certain value reduce the risk significantly? This could be a short-term solution.

@avollkopf
Member

avollkopf commented Apr 15, 2024

@pondzikk please check if the quick solution (57572c7) would work as a start. Only integer values and a 'b' are now forwarded to the system controller.
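As an added illustration of the two patterns discussed in this thread (it is not CraftBeerPi's own code, and the journalctl invocation, the mapping of 'b' to the current boot, and the upper bound MAX_LOGTIME are all assumptions): the report's pattern of concatenating the untrusted logtime value into a string handed to os.system, beside the allowlist check from the quick fix combined with a shell-free argv call.

```python
import re
import subprocess
from typing import List

# Allowlist matching the quick fix described above: a plain integer, or the
# literal 'b'. The upper bound is an assumption (the thread only says "below a
# certain value"); the project's real limit may differ.
MAX_LOGTIME = 10_000
_INT_RE = re.compile(r"[0-9]+")


def validate_logtime(raw: str) -> str:
    """Return the normalized logtime if it passes the allowlist, else raise ValueError."""
    if raw == "b":
        return raw
    if _INT_RE.fullmatch(raw) and int(raw) <= MAX_LOGTIME:
        return str(int(raw))
    raise ValueError(f"invalid logtime: {raw!r}")


def is_valid_logtime(raw: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        validate_logtime(raw)
        return True
    except ValueError:
        return False


def build_log_command_vulnerable(logtime: str) -> str:
    """The pattern the report describes: untrusted input concatenated into a shell
    command string. The journalctl command is a placeholder, not the project's
    actual command. Whatever the shell finds special in `logtime` is interpreted
    by os.system, which is why the value must never reach a shell unchecked."""
    return "journalctl -n " + logtime


def build_log_argv(raw_logtime: str) -> List[str]:
    """Hardened form: validate first, then pass the value as its own argv element.
    No shell is involved, so the argument is never parsed for metacharacters.
    'b' -> current boot ('-b') is an assumed mapping."""
    logtime = validate_logtime(raw_logtime)
    if logtime == "b":
        return ["journalctl", "-b"]
    return ["journalctl", "-n", logtime]


def read_log(raw_logtime: str) -> str:
    """Run the hardened command without shell=True and return the journal text."""
    result = subprocess.run(build_log_argv(raw_logtime), capture_output=True, text=True, check=False)
    return result.stdout
```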

@pondzikk
Author

pondzikk commented Apr 15, 2024

> @pondzikk Would a check whether logtime is an integer and below a certain value reduce the risk significantly? This could be a short-term solution.

Yup, it should work.

I haven't checked the fixed version in action, but after reading the changes in the commit I think it would mitigate this issue.

@CERT-PL-CNA

@avollkopf
We have been requested to assign a CVE for that vulnerability.
We have reserved CVE-2024-3955 and we will soon publish its details.
If you want to consult its content, please contact us at our email address.

Best regards
CERT.PL CNA

@avollkopf
Member

avollkopf commented May 2, 2024

Added a test branch that uses the systemd-python package instead of os.system to read from the journal. Tests have started, but reading from the log is already working, and the issue should be solved with the usage of the additional package.

@CERT-PL-CNA

The vulnerability was described and published at the following addresses:
https://www.cve.org/CVERecord?id=CVE-2024-3955
https://cert.pl/en/posts/2024/05/CVE-2024-3955/

Best regards
CERT.PL CNA

@avollkopf
Member

Closed with the aforementioned PR.
