
Code injection vulnerability on /system/log endpoint

Open pondzikk opened this issue 10 months ago • 6 comments

The URL GET parameter {logtime}, utilized within the downloadlog function from /cbpi/controller/system_controller.py, is subsequently passed to the os.system function in /cbpi/http_endpoints/http_system.py without prior validation, allowing arbitrary code to be executed.

The vulnerability exists from version 4.0.0.58 (commit 563fae9).

pondzikk avatar Apr 14 '24 17:04 pondzikk

Unfortunately, I am neither an expert nor a professional programmer. I need to look into it and read more details on the topic. Are you referring to the changes documented here? Or, even better, do you have a proposal on how to fix it with a PR?

Anyhow, it'll take some time.

avollkopf avatar Apr 15 '24 05:04 avollkopf

Yes, the mentioned mitigations should fix this issue; if I find any free time soon I will test the mitigation and make a PR.

pondzikk avatar Apr 15 '24 12:04 pondzikk

@pondzikk Would checking whether logtime is an integer and below a certain value reduce the risk significantly? This could be a short-term solution.

avollkopf avatar Apr 15 '24 14:04 avollkopf

@pondzikk please check whether the quick solution (https://github.com/PiBrewing/craftbeerpi4/commit/57572c777eec1846273f9418e1029568194ecf07) would work as a start. Only integer values and a 'b' are now forwarded to the system controller.

avollkopf avatar Apr 15 '24 17:04 avollkopf
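To make the pattern under discussion concrete, here is an added example; it is not code from the CraftBeerPi4 repository or from anyone in this thread. It places the vulnerable shape (a request parameter interpolated into a string handed to the shell, as os.system does) beside the two-layer hardening the thread converges on: an allowlist on logtime (an integer with an upper bound, or the literal 'b') applied before the value reaches the system controller, and an argv list instead of a shell string. `echo` stands in for the real log command so the example runs anywhere; the option names `--lines=` and `--boot`, the upper bound, and the command string itself are assumptions for illustration, not the project's actual call.

```python
import re
import subprocess
from typing import List

# Stand-in for the real log command (assumed journalctl in the project): echo
# prints the argv it receives, so what the shell did to the parameter is visible.
LOG_COMMAND = "echo"

# Allowlist in the spirit of the quick fix: the literal 'b' or a short integer.
# The upper bound is an assumed value for this example.
MAX_LOGTIME = 10000
LOGTIME_RE = re.compile(r"b|\d{1,5}")


def validate_logtime(logtime: str) -> str:
    """Return logtime unchanged if it is 'b' or an integer in [0, MAX_LOGTIME];
    raise ValueError for anything else (shell metacharacters, signs, empty)."""
    if not isinstance(logtime, str) or not LOGTIME_RE.fullmatch(logtime):
        raise ValueError(f"logtime rejected: {logtime!r}")
    if logtime != "b" and int(logtime) > MAX_LOGTIME:
        raise ValueError(f"logtime too large: {logtime}")
    return logtime


def is_valid_logtime(logtime: str) -> bool:
    """Boolean form of the same check, handy at the HTTP layer."""
    try:
        validate_logtime(logtime)
    except ValueError:
        return False
    return True


def build_unsafe_command(logtime: str) -> str:
    """Vulnerable pattern: the untrusted parameter becomes part of a shell string."""
    return f"{LOG_COMMAND} --lines={logtime}"


def run_unsafe(logtime: str) -> str:
    """Execute the way os.system does: via /bin/sh -c. A value such as
    '10; echo INJECTED' is two commands to the shell."""
    proc = subprocess.run(build_unsafe_command(logtime), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def build_argv_unvalidated(logtime: str) -> List[str]:
    """Argv list without the allowlist: no shell, so ';' is just a character
    in one argument. Still not enough on its own, because the log tool would
    receive whatever option-like string the client sends."""
    return [LOG_COMMAND, f"--lines={logtime}"]


def build_safe_argv(logtime: str) -> List[str]:
    """Hardened form: allowlist first, then an argv list with a fixed shape."""
    logtime = validate_logtime(logtime)
    if logtime == "b":
        return [LOG_COMMAND, "--boot"]
    return [LOG_COMMAND, f"--lines={logtime}"]


def run_argv(argv: List[str]) -> str:
    """Run an argv list directly (no shell) and return its stdout."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def run_safe(logtime: str) -> str:
    return run_argv(build_safe_argv(logtime))


if __name__ == "__main__":
    payload = "10; echo INJECTED"          # constructed attacker value
    print("unsafe:", repr(run_unsafe(payload)))            # second command ran
    print("argv only:", repr(run_argv(build_argv_unvalidated(payload))))
    print("validated 'b':", repr(run_safe("b")))
    print("payload accepted?", is_valid_logtime(payload))  # False
```

The first print shows the shell executing the injected second command; the second shows that an argv list keeps the payload as a single literal argument; the allowlist is what rejects it outright. Validating at the HTTP endpoint, as the quick fix does, means the controller never sees anything but the two permitted shapes, and switching the controller to argv (or to a library call rather than a shell) closes the remaining option-injection surface.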

@pondzikk Would checking whether logtime is an integer and below a certain value reduce the risk significantly? This could be a short-term solution.

Yup, it should work.

I haven't checked the fixed version in action, but after reading the changes in the commit I think it would mitigate this issue.

pondzikk avatar Apr 15 '24 22:04 pondzikk

@avollkopf we have been requested to assign a CVE for this vulnerability. We have reserved CVE-2024-3955 and will soon publish its details. If you want to review its content, please contact us at our email address.

Best regards CERT.PL CNA

CERT-PL-CNA avatar Apr 18 '24 15:04 CERT-PL-CNA

Added a test branch that uses the systemd-python package instead of os.system to read from the journal. Tests have started, but reading from the log is already working, and the issue should be solved with the usage of the additional package.

avollkopf avatar May 02 '24 05:05 avollkopf

The vulnerability was described and published at the following addresses: https://www.cve.org/CVERecord?id=CVE-2024-3955 https://cert.pl/en/posts/2024/05/CVE-2024-3955/

Best regards CERT.PL CNA

CERT-PL-CNA avatar May 02 '24 09:05 CERT-PL-CNA

Closed with aforementioned PR

avollkopf avatar May 02 '24 11:05 avollkopf