CVE-2023-25826: CyRC Vulnerability Advisory: CVE-2023-25826 and CVE-2023-25827 in OpenTSDB

Posted on Tuesday, May 2, 2023

Synopsys Cybersecurity Research Center discovers new RCE vulnerability and cross-site scripting vulnerability in OpenTSDB.

Overview

The Synopsys Cybersecurity Research Center (CyRC) has discovered a remote command execution vulnerability (CVE-2023-25826), and a reflected cross-site scripting (XSS) vulnerability (CVE-2023-25827) in OpenTSDB. OpenTSDB is a distributed time series database (TSDB) working over Apache HBase that is designed for managing, querying, and displaying time-based metrics at a large scale.

CVE-2023-25826: Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.

CVE-2023-25827: Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.

Exploitation

CVE-2023-25826: When supplying requests to the legacy HTTP query API (the ‘/q’ endpoint), crafted system commands can be injected into the ‘key’, ‘style’, and ‘smooth’ parameters that will bypass validation measures. When a request is submitted, parameters are passed to a graph generation shell script where included commands will be executed.

CVE-2023-25827: Malicious URLs can be crafted and supplied to a victim that cause request errors in the legacy HTTP query API (the ‘/q’ endpoint) and the logging ‘/logs’ endpoint. Arbitrary JavaScript can be injected into the ‘start’, ‘end’, ‘m’, and ‘key’ parameters of ‘/q’, and the ‘level’ parameter of ‘/logs’. If a victim accesses a crafted URL, the included JavaScript is reflected in the resulting error message and executed within their browser.
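A detection-side illustration of the two issues above, added here and not part of the advisory or of OpenTSDB: it scans access-log request lines for the endpoints and parameters the advisory names (plus the ‘yrange’ parameter from CVE-2020-35476) and flags values carrying shell metacharacters or markup. The log lines, IP addresses and the CVE mapping per parameter are constructed for the example; the metacharacter heuristics are coarse and meant as a starting point for a rule, not as the project's own validation.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint -> parameter -> CVE, using only the names the advisory lists
# (yrange comes from the related CVE-2020-35476 item).
CMDI = {"/q": {"key": "CVE-2023-25826", "style": "CVE-2023-25826",
               "smooth": "CVE-2023-25826", "yrange": "CVE-2020-35476"}}
XSS = {"/q": {p: "CVE-2023-25827" for p in ("start", "end", "m", "key")},
       "/logs": {"level": "CVE-2023-25827"}}

# Shell metacharacters that never belong in a gnuplot option value.
SHELL_META = re.compile(r"[`$;|&<>\n(]")
# Markup that never belongs in a value reflected into an error message (coarse heuristic).
HTML_META = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon\w+\s*=", re.I)
# Only the request line of a common/combined-format access log entry is needed.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(target):
    """Return (cve, parameter, decoded value) for every suspicious parameter."""
    url = urlsplit(target)
    findings = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = unquote(value)  # second decode catches double-encoded probes
        cve = CMDI.get(url.path, {}).get(name)
        if cve and SHELL_META.search(value):
            findings.append((cve, name, value))
        cve = XSS.get(url.path, {}).get(name)
        if cve and HTML_META.search(value):
            findings.append((cve, name, value))
    return findings

def scan_log(lines):
    """Run classify_request over every request line found in the log."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            hits.extend(classify_request(m.group("target")))
    return hits

# Constructed sample log lines (not from a real deployment).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/May/2023:10:00:00 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&key=top%20left HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/May/2023:10:00:01 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&yrange=%5B0:10%5D HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/May/2023:10:01:00 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&key=top%20left%3Bid HTTP/1.1" 500 87',
    '10.0.0.9 - - [02/May/2023:10:01:02 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&smooth=top%2520left%253Bid HTTP/1.1" 500 87',
    '10.0.0.9 - - [02/May/2023:10:01:05 +0000] "GET /logs?level=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 400 120',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s: parameter %r = %r" % hit)
```

The first two sample lines are legitimate graph requests and produce no finding; the fourth shows why the value is decoded a second time.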

Affected software

  • OpenTSDB releases 1.0.0 up to and including 2.4.1

Impact

Exploitation of CVE-2023-25826 can lead to the injection of arbitrary OS commands that will be executed by the host system with the privileges of the OpenTSDB application.

Exploitation of CVE-2023-25827 can lead to the execution of arbitrary JavaScript within the browser of a targeted user, allowing an attacker to steal sensitive information retained by their browser, such as configured authentication tokens or session cookies.

CVE-2023-25826

  • CVSS base score: 9.8 (Critical)
  • CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2023-25827

  • CVSS base score: 8.2 (High)
  • CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:P/RL:O/RC:C

Remediation

Fixed in the following commits:

  • https://github.com/OpenTSDB/opentsdb/pull/2274
  • https://github.com/OpenTSDB/opentsdb/pull/2275

Discovery credit

These vulnerabilities were discovered by CyRC researcher Jamie Harris.

Timeline

January 27, 2023: Initial disclosure and confirmation

February 21, 2023: First follow-up

March 8, 2023: Second follow-up

March 29, 2023: Final follow-up

April 11, 2023: OpenTSDB provides fixes

April 12, 2023: Synopsys confirms fixes

May 3, 2023: CVEs published

References

  • http://opentsdb.net/
  • https://github.com/OpenTSDB/opentsdb
  • https://github.com/OpenTSDB/opentsdb/pull/2274
  • https://github.com/OpenTSDB/opentsdb/pull/2275

About CVSS

FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization give appropriate attribution when using CVSS. FIRST also states that any individual or organization that publishes scores should follow its guidelines so that anyone can understand how a score was calculated.

Related news

OpenTSDB 2.4.1 Unauthenticated Command Injection

This Metasploit module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the API. If the version is 2.4.1 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the key parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.4.1.

GHSA-h475-7v3c-26q7: Command injection in OpenTSDB

GHSA-9chv-3w6c-jq9w: Cross Site Scripting in OpenTSDB

OpenTSDB 2.4.0 Command Injection

This Metasploit module exploits an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB through 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the API. If the version is 2.4.0 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the yrange parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.3.0.

CVE-2020-35476: OpenTSDB 2.4.0 Remote Code Execution · Issue #2051 · OpenTSDB/opentsdb

A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)