Cobalt RaQ4 Administrative Interface backup.cgi Command Execution (EXTINCTSPINACH)

critical Nessus Plugin ID 100387

Synopsis

A web application running on the remote host is affected by a command execution vulnerability.

Description

The Cobalt RaQ4 administrative interface running on the remote host is affected by a remote command execution vulnerability in the /cgi-bin/.cobalt/backup/backup.cgi script. An unauthenticated, remote attacker can exploit this to execute arbitrary commands.

EXTINCTSPINACH is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/08 by a group known as the Shadow Brokers.

Note that Nessus has not attempted to exploit this issue but has instead only confirmed the presence of the backup.cgi script.

Solution

Contact the vendor for a patch.

See Also

http://www.nessus.org/u?9b84a0bd

https://github.com/x0rz/EQGRP/blob/master/Linux/up/extinctspinach.txt

Plugin Details

Severity: Critical

ID: 100387

File Name: cobalt_command_injection.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 5/24/2017

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/h:sun:cobalt_raq_4

Required KB Items: Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Vulnerability Publication Date: 4/8/2017