
[2025.12.01 and earlier] Command injection via FileBrowser API #150

@julianallenderussek


Bug description

A command injection vulnerability in the FileBrowser List Files API allowed attackers to execute arbitrary commands on the cluster manager by injecting shell meta-characters into unsanitized file path parameters.
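The bug class described above, as an added example that is not RES code: a hypothetical "list files" handler in the vulnerable shell-string form next to a hardened form that never invokes a shell and confines the requested path to a browsable root (function names, the directory layout and the `demo()` tree are all constructed for illustration).

```python
"""Hardened "list files" handler: constructed example, not RES code."""
import os
import subprocess
import tempfile
from pathlib import Path


def list_files_unsafe(path: str) -> list[str]:
    # ANTI-PATTERN of the bug class in this advisory: the request parameter is
    # spliced into a shell command line, so shell metacharacters in `path` are
    # parsed as command syntax instead of as characters of a file name.
    out = subprocess.run(f"ls -1 {path}", shell=True, capture_output=True, text=True)
    return out.stdout.split()


def list_files_safe(root: str, user_path: str) -> list[str]:
    """List a directory under `root` without invoking a shell.
    The parameter stays data (os.scandir receives a Path, so ';' or '$(' are
    just name bytes, never syntax), and the resolved target must stay inside
    `root`, which also blocks '..' traversal and symlink escapes."""
    root_real = Path(root).resolve(strict=True)
    target = (root_real / user_path.lstrip("/")).resolve()
    if not target.is_relative_to(root_real):  # Python 3.9+
        raise ValueError("path escapes the allowed root")
    if not target.is_dir():
        raise FileNotFoundError(f"no such directory under root: {user_path!r}")
    with os.scandir(target) as entries:
        return sorted(e.name for e in entries)


def demo() -> dict:
    """Exercise list_files_safe on a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "docs").mkdir()
        (Path(root) / "docs" / "readme.txt").write_text("hi")
        (Path(root) / "a;b").mkdir()  # a metacharacter inside a real name
        (Path(root) / "a;b" / "x.txt").write_text("data")
        results = {
            "docs": list_files_safe(root, "docs"),
            "absolute_is_rerooted": list_files_safe(root, "/docs"),
            "metachar_name_is_data": list_files_safe(root, "a;b"),
        }
        try:
            list_files_safe(root, "../")
            results["traversal_blocked"] = False
        except ValueError:
            results["traversal_blocked"] = True
    return results
```

`demo()` shows the two properties that close this bug class: a directory literally named `a;b` lists normally because the name is never handed to a shell, and a request that resolves outside the root is rejected before any filesystem call.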

Affected versions

2025.12.01 and earlier

Mitigation

Following either of the two strategies below also mitigates the following known issues:

Option 1 (Recommended):

Upgrade the RES environment to version 2026.03 or newer.

Option 2: Apply the patch to the current RES environment

For RES versions 2025.12.01 and 2025.12

  1. Create an S3 bucket with ACLs disabled.
  2. Download the following files:
patch_host.py
idea-cluster-manager-<RES-VERSION>-<COMMIT_ID>.tar.gz
idea-virtual-desktop-controller-<RES-VERSION>-<COMMIT_ID>.tar.gz

by replacing <output-directory> with the directory into which to download the patch script, <environment-name> with the name of your RES environment, <bucket-name> with the name of an ACLs-disabled S3 bucket in the account and region where RES is deployed, <RES_VERSION> with 2025.12.01 or 2025.12, and <commit-id> with the commit ID for that version given in the comment, in the commands below:

  1. The patch applies to 2025.12.01 and 2025.12.
  2. The patch script requires AWS CLI v2, Python 3.9.16 or above, and Boto3.
  3. Configure the AWS CLI for the account and region where RES is deployed, and make sure that you have S3 permissions to write to the bucket provided through <bucket-name>.
OUTPUT_DIRECTORY=<output-directory>
ENVIRONMENT_NAME=<environment-name>
RES_VERSION=<RES_VERSION>
BUCKET_NAME=<bucket-name>
COMMIT_ID=<commit-id> # Use 63b1350e for RES 2025.12.01 or 7260317c for RES 2025.12

mkdir -p ${OUTPUT_DIRECTORY}
curl https://research-engineering-studio-us-east-1.s3.us-east-1.amazonaws.com/releases/${RES_VERSION}/patch_scripts/patch_host.py --output ${OUTPUT_DIRECTORY}/patch_host.py
curl https://research-engineering-studio-us-east-1.s3.us-east-1.amazonaws.com/releases/${RES_VERSION}/patch_scripts/patches/idea-cluster-manager-${RES_VERSION}-${COMMIT_ID}.tar.gz --output ${OUTPUT_DIRECTORY}/idea-cluster-manager-${RES_VERSION}-${COMMIT_ID}.tar.gz
curl https://research-engineering-studio-us-east-1.s3.us-east-1.amazonaws.com/releases/${RES_VERSION}/patch_scripts/patches/idea-virtual-desktop-controller-${RES_VERSION}-${COMMIT_ID}.tar.gz --output ${OUTPUT_DIRECTORY}/idea-virtual-desktop-controller-${RES_VERSION}-${COMMIT_ID}.tar.gz
  3. Run the following patch commands:
python3 ${OUTPUT_DIRECTORY}/patch_host.py --environment-name ${ENVIRONMENT_NAME} --module cluster-manager --zip-file ${OUTPUT_DIRECTORY}/idea-cluster-manager-${RES_VERSION}-${COMMIT_ID}.tar.gz --s3-bucket ${BUCKET_NAME}
python3 ${OUTPUT_DIRECTORY}/patch_host.py --environment-name ${ENVIRONMENT_NAME} --module virtual-desktop-controller --zip-file ${OUTPUT_DIRECTORY}/idea-virtual-desktop-controller-${RES_VERSION}-${COMMIT_ID}.tar.gz --s3-bucket ${BUCKET_NAME}
  4. Cycle both the Cluster Manager and Virtual Desktop Controller instances for your environment with the commands below. You may also terminate the instances from the Amazon EC2 Management Console.
# Cluster Manager: look up the running instance by its RES tags, then terminate it
# so that the Auto Scaling group replaces it with a patched instance. The
# instance-state-name filter keeps a recently terminated instance with the same
# tags from being returned as Reservations[0].Instances[0].
INSTANCE_ID=$(aws ec2 describe-instances \
            --filters \
            Name=tag:Name,Values=${ENVIRONMENT_NAME}-cluster-manager \
            Name=tag:res:EnvironmentName,Values=${ENVIRONMENT_NAME} \
            Name=instance-state-name,Values=running \
            --query "Reservations[0].Instances[0].InstanceId" \
            --output text)

aws ec2 terminate-instances --instance-ids ${INSTANCE_ID}

# Virtual Desktop Controller: same lookup and terminate.
INSTANCE_ID=$(aws ec2 describe-instances \
            --filters \
            Name=tag:Name,Values=${ENVIRONMENT_NAME}-vdc-controller \
            Name=tag:res:EnvironmentName,Values=${ENVIRONMENT_NAME} \
            Name=instance-state-name,Values=running \
            --query "Reservations[0].Instances[0].InstanceId" \
            --output text)

aws ec2 terminate-instances --instance-ids ${INSTANCE_ID}
  5. Verify the status of the new Cluster Manager and Virtual Desktop Controller instances by checking the activity of the Auto Scaling group whose name starts with <environment-name>-cluster-manager-asg. Wait until the new instance has launched successfully.

For RES versions 2025.09, 2025.06.01, 2025.06 and 2025.03

  1. Download the following files:
patch.py
security_cluster_manager.patch
security_vdc_controller.patch

by replacing <output-directory> with the directory into which to download the patch script and patch files, and <environment-name> with the name of your RES environment, in the commands below:

OUTPUT_DIRECTORY=<output-directory>
ENVIRONMENT_NAME=<environment-name>
RES_VERSION=<res-version>
PARTITION=<partition> # e.g. aws (for Classic), aws-us-gov (for GovCloud)
ACCOUNT_ID=<account-id>

mkdir -p ${OUTPUT_DIRECTORY}
curl https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/${RES_VERSION}/patch_scripts/patch.py --output ${OUTPUT_DIRECTORY}/patch.py
curl https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/${RES_VERSION}/patch_scripts/patches/security_cluster_manager.patch --output ${OUTPUT_DIRECTORY}/security_cluster_manager.patch
curl https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/${RES_VERSION}/patch_scripts/patches/security_vdc_controller.patch --output ${OUTPUT_DIRECTORY}/security_vdc_controller.patch
  2. Navigate to the directory where the patch script and patch files were downloaded, then run the following patch commands:
python3 ${OUTPUT_DIRECTORY}/patch.py --environment-name ${ENVIRONMENT_NAME} --res-version ${RES_VERSION} --module cluster-manager --patch ${OUTPUT_DIRECTORY}/security_cluster_manager.patch
python3 ${OUTPUT_DIRECTORY}/patch.py --environment-name ${ENVIRONMENT_NAME} --res-version ${RES_VERSION} --module virtual-desktop-controller --patch ${OUTPUT_DIRECTORY}/security_vdc_controller.patch
  3. Restart the Cluster Manager and Virtual Desktop Controller instances for your environment with the commands below. You may also terminate the instances from the Amazon EC2 Management Console.
# Cluster Manager: look up the running instance by its RES tags, then terminate it
# so that the Auto Scaling group replaces it with a patched instance. The
# instance-state-name filter keeps a recently terminated instance with the same
# tags from being returned as Reservations[0].Instances[0].
INSTANCE_ID=$(aws ec2 describe-instances \
            --filters \
            Name=tag:Name,Values=${ENVIRONMENT_NAME}-cluster-manager \
            Name=tag:res:EnvironmentName,Values=${ENVIRONMENT_NAME} \
            Name=instance-state-name,Values=running \
            --query "Reservations[0].Instances[0].InstanceId" \
            --output text)

aws ec2 terminate-instances --instance-ids ${INSTANCE_ID}

# Virtual Desktop Controller: same lookup and terminate.
INSTANCE_ID=$(aws ec2 describe-instances \
            --filters \
            Name=tag:Name,Values=${ENVIRONMENT_NAME}-vdc-controller \
            Name=tag:res:EnvironmentName,Values=${ENVIRONMENT_NAME} \
            Name=instance-state-name,Values=running \
            --query "Reservations[0].Instances[0].InstanceId" \
            --output text)

aws ec2 terminate-instances --instance-ids ${INSTANCE_ID}
  4. Verify the status of the new Cluster Manager and Virtual Desktop Controller instances by checking the activity of the Auto Scaling group whose name starts with <environment-name>-cluster-manager-asg. Wait until the new instance has launched successfully.
