OpenTSDB yrange RCE (direct check)

critical Nessus Plugin ID 151489

Synopsis

The remote web server contains a time series database application that is affected by a remote code execution vulnerability.

Description

The OpenTSDB application hosted on the remote web server is affected by a remote code execution vulnerability due to a failure to properly sanitize user-supplied input in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. This allows a remote, unauthenticated attacker to craft a request and execute arbitrary system commands on the remote host.

Note that thorough tests may be required to test some vulnerable installations, such as those running in Docker.
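As an added example (not part of the Nessus plugin or of OpenTSDB), the following Python reviews web or reverse-proxy access logs for requests whose yrange value is anything other than a plain numeric range, which is the input the description above says reaches the gnuplot file unsanitized. The combined log format, the `/q` path and metric name in the constructed sample lines, and the numeric-only `[min:max]` grammar are assumptions.

```python
import re
from urllib.parse import parse_qs

# Assumed safe grammar: "[min:max]" with optional plain decimal bounds,
# for example "[0:]" or "[-1.5:100]". Anything else is flagged.
_NUM = r"-?\d+(?:\.\d+)?"
SAFE_YRANGE = re.compile(rf"\[(?:{_NUM})?:(?:{_NUM})?\]")

# Request line as it appears in a combined-format access log (assumed format).
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def yrange_values(log_line):
    """Return the URL-decoded yrange values found in one access-log line."""
    match = REQUEST_LINE.search(log_line)
    if not match:
        return []
    query = match.group(1).partition("?")[2]
    return parse_qs(query, keep_blank_values=True).get("yrange", [])


def is_suspicious(log_line):
    """True when any yrange value falls outside the numeric range grammar."""
    return any(not SAFE_YRANGE.fullmatch(v) for v in yrange_values(log_line))


def scan(lines):
    """Return (line_number, line) pairs that deserve a closer look."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_suspicious(line)]


# Constructed sample log lines (documentation IP addresses, hypothetical metric).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jul/2021:10:00:01 +0000] '
    '"GET /q?start=1h-ago&m=sum:sys.cpu&yrange=%5B0:%5D&png HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Jul/2021:10:00:07 +0000] '
    '"GET /q?start=1h-ago&m=sum:sys.cpu&yrange=%5B0:NOT_A_NUMBER%5D&png HTTP/1.1" 200 0',
    '203.0.113.5 - - [09/Jul/2021:10:00:09 +0000] '
    '"GET /index.html HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected yrange {yrange_values(line)!r}")
```

The same allowlist pattern can be applied at a reverse proxy to reject non-conforming requests before they reach the application.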

Solution

Restrict access to the vulnerable application. Contact the vendor to see if an update is available.

See Also

https://github.com/OpenTSDB/opentsdb/issues/2051

Plugin Details

Severity: Critical

ID: 151489

File Name: opentsdb_yrange_rce.nbin

Version: 1.58

Type: remote

Family: CGI abuses

Published: 7/9/2021

Updated: 11/12/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-35476

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:opentsdb:opentsdb

Required KB Items: installed_sw/OpenTSDB

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 11/18/2020

Exploitable With

Metasploit (OpenTSDB 2.4.0 unauthenticated command injection)

Reference Information

CVE: CVE-2020-35476