CVE-2019-5029
📋 TL;DR
CVE-2019-5029 is a critical command injection vulnerability in Exhibitor's web UI Config editor that allows remote attackers to execute arbitrary shell commands on the server. It affects Exhibitor versions 1.0.9 through 1.7.1 when the web UI is reachable. Attackers can gain complete control of the Exhibitor host by submitting configuration values that contain commands wrapped in backticks or $().
💻 Affected Systems
- Exhibitor
📦 What is this software?
Exhibitor by Exhibitor Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise: an attacker can execute arbitrary commands as the Exhibitor process user, potentially leading to data theft, lateral movement, or complete host takeover.
Likely Case
Remote code execution leading to unauthorized access, data exfiltration, or deployment of malware/backdoors on vulnerable systems.
If Mitigated
Limited impact if network segmentation and access controls prevent unauthorized access to the Exhibitor web UI.
🎯 Exploit Status
Exploitation requires access to the Exhibitor web UI Config editor. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.2
Vendor Advisory: https://github.com/soabase/exhibitor/releases/tag/exhibitor-1.7.2
Restart Required: Yes
Instructions:
1. Upgrade Exhibitor to version 1.7.2 or later.
2. Restart the Exhibitor service.
3. Verify that the web UI no longer accepts command injection in the Config editor.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Exhibitor web UI to trusted IPs only (Linux; replace trusted_ip_range with your own range, and keep the ACCEPT rule ahead of the DROP rule):
iptables -A INPUT -p tcp --dport 8080 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disable Config Editor
Disable the Config editor functionality if it is not required (all platforms):
Set exhibitor.config-edit-enabled=false in exhibitor.properties
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to Exhibitor web UI
- Monitor Exhibitor logs for suspicious configuration changes or command injection attempts
🔍 How to Verify
Check if Vulnerable:
Check the Exhibitor version: run grep 'exhibitor.version' exhibitor.properties or look at the web UI footer. If the version is between 1.0.9 and 1.7.1 inclusive, the system is vulnerable.
Check Version:
grep exhibitor.version exhibitor.properties (or check the Exhibitor web UI footer)
Verify Fix Applied:
After patching, submit a harmless test value such as `$(echo test)` in the Config editor; it should be rejected or sanitized rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual configuration changes in Exhibitor logs
- Shell command execution patterns in system logs
- Failed login attempts to Exhibitor web UI
Network Indicators:
- Unusual outbound connections from Exhibitor host
- HTTP requests to Config editor endpoints from unexpected sources
SIEM Query:
source="exhibitor.logs" AND ("config edit" OR "command injection" OR backtick OR "$(")
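The detection idea above, as an added example that is not part of the original advisory or the Exhibitor project: a scanner that picks out Config editor write requests from access-log lines and flags values containing the backtick or $() substitution patterns, decoding URL-encoding first so that an encoded payload is not missed. The log lines, the /exhibitor/v1/config/set path and the field names are constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Exhibitor output).
# The endpoint path and JSON field names are assumptions for this example.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /exhibitor/v1/config/set HTTP/1.1" 200 '
    '{"javaEnvironment":"JAVA_OPTS=-Xmx1g"}',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /exhibitor/v1/config/set HTTP/1.1" 200 '
    '{"logIndexDirectory":"/tmp/$(echo test)"}',
    # Same pattern, but URL-encoded: %60 is a backtick, %2F is a slash.
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "POST /exhibitor/v1/config/set HTTP/1.1" 200 '
    'zookeeperInstallDirectory=%2Fopt%2F%60hostname%60',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /exhibitor/v1/ui/tab/log HTTP/1.1" 200 -',
]

# Config editor write requests (assumed path prefix); GETs are ignored.
CONFIG_WRITE = re.compile(r'"(?:POST|PUT) (/exhibitor/v1/config/\S+)')
# Shell command substitution: `...` or $(...), the two forms named in the advisory.
SUBSTITUTION = re.compile(r'`[^`]*`|\$\([^)]*\)')


def decode_all(text):
    """URL-decode until stable so double-encoded payloads are also exposed."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    return text


def find_injection_attempts(lines):
    """Return (source_ip, endpoint, matched_substitution) for each suspicious write."""
    hits = []
    for line in lines:
        m = CONFIG_WRITE.search(line)
        if not m:
            continue
        source_ip = line.split(" ", 1)[0]
        for sub in SUBSTITUTION.finditer(decode_all(line)):
            hits.append((source_ip, m.group(1), sub.group(0)))
    return hits


if __name__ == "__main__":
    for ip, endpoint, payload in find_injection_attempts(SAMPLE_LOGS):
        print(f"ALERT {ip} -> {endpoint}: {payload}")
```

Feed real access-log lines through find_injection_attempts to produce alerts; the alert records the source IP so it can be compared against the trusted ranges allowed by the firewall rule above.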