Headline
CVE-2023-25826: CyRC Vulnerability Advisory: CVE-2023-25826 and CVE-2023-25827 in OpenTSDB
Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.
Posted by on Tuesday, May 2, 2023
Synopsys Cybersecurity Research Center discovers new RCE vulnerability and cross-site scripting vulnerability in OpenTSDB.
Overview
The Synopsys Cybersecurity Research Center (CyRC) has discovered a remote command execution vulnerability (CVE-2023-25826), and a reflected cross-site scripting (XSS) vulnerability (CVE-2023-25827) in OpenTSDB. OpenTSDB is a distributed time series database (TSDB) working over Apache HBase that is designed for managing, querying, and displaying time-based metrics at a large scale.
CVE-2023-25826: Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.
CVE-2023-25827: Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.
Exploitation
CVE-2023-25826: When supplying requests to the legacy HTTP query API (the ‘/q’ endpoint), crafted system commands can be injected into the ‘key’, ‘style’, and ‘smooth’ parameters that will bypass validation measures. When a request is submitted, parameters are passed to a graph generation shell script where included commands will be executed.
CVE-2023-25827: Malicious URLs can be crafted and supplied to a victim, and they cause request errors for the legacy HTTP query API (the ‘/q’ endpoint) and the logging ‘/logs’ endpoint. Arbitrary JavaScript can be injected into the ‘start’, ‘end’, ‘m’, and ‘key’ parameters of ‘/q’, and the ‘level’ parameter of ‘/logs’. If a victim accesses a crafted URL, included JavaScript will be reflected in the resulting error message and executed within their browser.
Affected software
- OpenTSDB releases 1.0.0 up to and including 2.4.1
Impact
Exploitation of CVE-2023-25826 can lead to the injection of arbitrary OS commands that will be executed by the host system within the privileges of the OpenTSDB application.
Exploitation of CVE-2023-25827 can lead to the execution of arbitrary JavaScript within the browser of a targeted user, allowing an attacker to steal sensitive information retained by their browser, such as configured authentication tokens or session cookies.
CVE-2023-25826
- CVSS base score: 9.8 (Critical)
- CVSS 3.1 Vector: CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CVE-2023-25827
- CVSS base score: 8.2 (High)
- CVSS 3.1 Vector: CVSS3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:P/RL:O/RC:C
Remediation
Fixed in the following commits:
- https://github.com/OpenTSDB/opentsdb/pull/2274
- https://github.com/OpenTSDB/opentsdb/pull/2275
Discovery credit
These vulnerabilities were discovered by CyRC researcher Jamie Harris.
Timeline
January 27, 2023: Initial disclosure and confirmation
February 21, 2023: First follow-up
March 8, 2023: Second follow-up
March 29, 2023: Final follow-up
April 11, 2023: OpenTSDB provides fixes
April 12, 2023: Synopsys confirms fixes
May 03, 2023: CVEs published
References
http://opentsdb.net/
https://github.com/OpenTSDB/opentsdb
https://github.com/OpenTSDB/opentsdb/pull/2274
https://github.com/OpenTSDB/opentsdb/pull/2275
About CVSS
FIRST.Org, Inc (FIRST) is a non-profit organization based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the score was calculated.
Related news
This Metasploit module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.1 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the key parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.4.1.
Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.
Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.
This Metasploit module exploits an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB through 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.0 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the yrange parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.3.0.
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)