OpenTSDB yrange RCE (direct check)

critical Nessus Plugin ID 151489

Synopsis

The remote web server contains a time series database application that is affected by a remote code execution vulnerability.

Description

The OpenTSDB application hosted on the remote web server is affected by a remote code execution vulnerability due to a failure to properly sanitize user-supplied input in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. This allows a remote, unauthenticated attacker to craft a request and execute arbitrary system commands on the remote host.

Note that thorough tests may be required to check some vulnerable installations, such as those running in Docker.

Solution

Restrict access to the vulnerable application. Contact the vendor to see if an update is available.

See Also

https://github.com/OpenTSDB/opentsdb/issues/2051

Plugin Details

Severity: Critical

ID: 151489

File Name: opentsdb_yrange_rce.nbin

Version: 1.4

Type: remote

Family: CGI abuses

Published: 7/9/2021

Updated: 10/19/2021

Dependencies: opentsdb_http_detect.nbin

Risk Information

CVSS Score Source: CVE-2020-35476

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:opentsdb:opentsdb

Required KB Items: installed_sw/OpenTSDB

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 11/18/2020

Reference Information

CVE: CVE-2020-35476