CVE-2020-10788

9.1 CRITICAL

📋 TL;DR

openITCOCKPIT versions before 3.7.3 use a hardcoded API key (1fea123e07f730f76e661bced33a94152378611e) for WebSocket connections instead of generating random keys. This allows attackers to bypass authentication and gain unauthorized access to the monitoring system. All openITCOCKPIT installations before version 3.7.3 are affected.

💻 Affected Systems

Products:
  • openITCOCKPIT
Versions: All versions before 3.7.3
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The hardcoded API key is used for WebSocket connections which are typically enabled by default.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, access sensitive monitoring data, modify configurations, and pivot to other systems in the network.

🟠 Likely Case

Unauthorized access to monitoring dashboards, viewing of sensitive system metrics and configurations, and potential privilege escalation within openITCOCKPIT.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, but still exposes monitoring data to unauthorized users.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exploitable without authentication, allowing remote attackers full access.
🏢 Internal Only: HIGH - Even internally, any user with network access can exploit this to gain unauthorized monitoring system access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - attackers simply need to use the hardcoded API key in WebSocket requests. The key is publicly documented in the CVE description and commit history.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.3

Vendor Advisory: https://openitcockpit.io/2020/2020/03/23/openitcockpit-3-7-3-released/

Restart Required: Yes

Instructions:

1. Backup your current configuration and database.
2. Update to openITCOCKPIT version 3.7.3 or later.
3. Restart the openITCOCKPIT service.
4. Verify that WebSocket connections now use randomly generated API keys.

🔧 Temporary Workarounds

Disable WebSocket functionality (linux)

Temporarily disable WebSocket connections until patching is possible.

# Edit the openITCOCKPIT configuration to disable WebSocket
# Location varies by installation, typically under /etc/openitcockpit/

Network access restrictions (linux)

Restrict network access to the openITCOCKPIT WebSocket ports (typically 8080, 8443). Note that these rules drop all inbound traffic to those ports, including legitimate clients, so insert ACCEPT rules for trusted sources ahead of them if the WebSocket features must stay reachable; they also do not survive a reboot unless saved with your distribution's iptables persistence mechanism.

sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
sudo iptables -A INPUT -p tcp --dport 8443 -j DROP

🧯 If You Can't Patch

  • Isolate openITCOCKPIT system on a separate VLAN with strict access controls
  • Implement network monitoring for WebSocket connections using the hardcoded API key

🔍 How to Verify

Check if Vulnerable:

Check if WebSocket connections accept the hardcoded API key 1fea123e07f730f76e661bced33a94152378611e

Check Version:

openitcockpit --version

Verify Fix Applied:

Verify that WebSocket connections now require a randomly generated API key and reject the hardcoded key

📡 Detection & Monitoring

Log Indicators:

  • WebSocket authentication attempts presenting the hardcoded key (on a patched system these show up as failures; on an unpatched system the connection succeeds, which is the more urgent signal)
  • Unauthorized WebSocket connection attempts

Network Indicators:

  • WebSocket traffic containing the hardcoded API key in requests
  • Unusual WebSocket connection patterns

SIEM Query:

websocket AND ("1fea123e07f730f76e661bced33a94152378611e" OR "api_key=1fea123e07f730f76e661bced33a94152378611e")
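As an added example (not part of the original advisory or of openITCOCKPIT itself), the following Python script implements the detection logic behind the SIEM query above over constructed web-server log lines. It flags any line carrying the hardcoded key from the CVE, records whether the line is WebSocket-related and in what form the key appeared (query parameter, header, or bare), and ignores lines that merely contain some other API key. The log format and request paths are made up for the example; the only value taken from the page is the key itself.

```python
import re
from typing import Iterable

# The hardcoded key named in CVE-2020-10788 (taken from the advisory text).
HARDCODED_KEY = "1fea123e07f730f76e661bced33a94152378611e"

# Match the key wherever it appears; case-insensitive because some log
# pipelines upper-case hex strings.
KEY_PATTERN = re.compile(re.escape(HARDCODED_KEY), re.IGNORECASE)

# Heuristic for WebSocket-related lines: the Upgrade header, the literal
# word, or a ws:// / wss:// URL.
WS_PATTERN = re.compile(r"websocket|Upgrade:\s*websocket|wss?://", re.IGNORECASE)


def find_hardcoded_key_use(lines: Iterable[str]) -> list[dict]:
    """Return one finding per line that references the hardcoded key.

    Each finding records the 1-based line number, whether the line looks
    WebSocket-related, the form in which the key was presented, and a short
    excerpt, so an analyst can separate a handshake using the key (high
    confidence) from an unrelated mention.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = KEY_PATTERN.search(line)
        if not match:
            continue
        # Look at the 40 characters preceding the key to classify how it was sent.
        before = line[max(0, match.start() - 40):match.start()].lower()
        if "api_key=" in before or "apikey=" in before:
            form = "query_parameter"
        elif "authorization" in before or "x-api-key" in before:
            form = "header"
        else:
            form = "bare"
        findings.append({
            "line": lineno,
            "websocket": bool(WS_PATTERN.search(line)),
            "form": form,
            "excerpt": line.strip()[:120],
        })
    return findings


# Constructed sample lines (hypothetical format and paths, not real
# openITCOCKPIT output). Lines 1 and 3 carry the hardcoded key; line 4
# carries a different, unrelated key and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Mar/2020:10:15:01 +0000] "GET /ws?api_key='
    '1fea123e07f730f76e661bced33a94152378611e HTTP/1.1" 101 0 "Upgrade: websocket"',
    '203.0.113.7 - - [23/Mar/2020:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5123',
    '198.51.100.4 - - [23/Mar/2020:10:16:40 +0000] "GET /ws HTTP/1.1" 101 0 '
    '"Upgrade: websocket" "Authorization: Bearer 1FEA123E07F730F76E661BCED33A94152378611E"',
    'INFO config loaded api_key=9c4ee6b3a1d0f2c8e7b5a4d3c2b1a0f9e8d7c6b5',
]


if __name__ == "__main__":
    for finding in find_hardcoded_key_use(SAMPLE_LOG):
        severity = "HIGH" if finding["websocket"] else "MEDIUM"
        print(f"[{severity}] line {finding['line']} ({finding['form']}): {finding['excerpt']}")
```

Feed the function real access or proxy logs one line at a time; a hit with `"websocket": True` on a host that has not yet been updated to 3.7.3 means the hardcoded key was accepted and the session should be treated as unauthorized access, while the same hit on a patched host corresponds to the rejected-attempt indicator listed above.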
