CVE-2020-10789

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to execute arbitrary operating system commands on openITCOCKPIT monitoring systems through the web-based terminal. Attackers can inject shell metacharacters into the su command line to bypass restrictions and run commands with elevated privileges. All openITCOCKPIT installations before version 3.7.3 are affected.

💻 Affected Systems

Products:
  • openITCOCKPIT
Versions: All versions before 3.7.3
Operating Systems: Linux-based systems where openITCOCKPIT is installed
Default Config Vulnerable: ⚠️ Yes
Notes: The web-based terminal feature must be enabled and accessible, which is part of the standard installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with root privileges, potentially leading to data theft, system destruction, or lateral movement across the network.

🟠 Likely Case

Unauthorized command execution leading to privilege escalation, data exfiltration, or installation of backdoors on the monitoring system.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access, and input validation are implemented, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - Web-based terminal accessible from internet-facing interfaces allows remote attackers to exploit this without authentication.
🏢 Internal Only: HIGH - Even internally, any user with access to the web interface could potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the SudoMessageInterface.php file where shell metacharacters are not properly sanitized before being passed to the su command. Exploitation requires access to the web interface but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.3

Vendor Advisory: https://openitcockpit.io/2020/2020/03/23/openitcockpit-3-7-3-released/

Restart Required: Yes

Instructions:

1. Backup your current openITCOCKPIT installation and database.
2. Download openITCOCKPIT version 3.7.3 or later from the official repository.
3. Follow the upgrade instructions provided in the documentation.
4. Restart the web server and openITCOCKPIT services.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable web-based terminal

Temporarily disable the vulnerable web-based terminal feature to prevent exploitation while planning for patching.

# Edit openITCOCKPIT configuration to disable terminal feature
# Modify app/Config/core.php or relevant configuration files
# Set terminal access to false or restrict to trusted IPs

Network access restrictions

Restrict access to the openITCOCKPIT web interface using firewall rules or web server configuration.

# Example iptables rules to restrict access to the web interface.
# Replace TRUSTED_IP with the address or CIDR range of the hosts that need access.
# Rules are appended (-A), so an earlier ACCEPT rule in the INPUT chain would still
# match first; check the chain order with `iptables -L INPUT -n --line-numbers`.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
# These rules do not survive a reboot unless saved (e.g. with iptables-save).

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate openITCOCKPIT systems from critical infrastructure
  • Deploy web application firewall (WAF) rules to block shell metacharacters and command injection attempts

🔍 How to Verify

Check if Vulnerable:

Check the openITCOCKPIT version by accessing the web interface and navigating to System -> About, or check the version file in the installation directory.

Check Version:

grep -r 'APP_VERSION' /path/to/openitcockpit/app/Config/constants.php || cat /path/to/openitcockpit/VERSION

Verify Fix Applied:

Verify the version is 3.7.3 or later and check that the commit 73b5b34afa8bd82ff26c0097558341214c768cfc is present in the codebase.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in system logs
  • Multiple failed authentication attempts followed by terminal access
  • Suspicious su command executions with shell metacharacters

Network Indicators:

  • Unusual HTTP POST requests to terminal endpoints with shell metacharacters
  • Traffic patterns indicating command injection attempts

SIEM Query:

source="openitcockpit.log" AND ("su command" OR "terminal" OR "shell") AND (metacharacter OR "$" OR "|" OR ";" OR "&" OR "`")
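The "su command executions with shell metacharacters" indicator above, turned into a check that runs over a few constructed sample log lines. This is an added example, not part of the original page; the `cmd="..."` log format and field names are assumptions. Metacharacters inside a single-quoted `-c` body are treated as legitimate, which keeps the bare "$" and "|" matches of the query above from flagging ordinary terminal usage.

```python
import re

# Constructed sample lines (not real openITCOCKPIT output): the
# 'user=... cmd="..."' layout is an assumption made for this example.
SAMPLE_LOG = """\
Mar 23 10:01:02 monitor01 oitc-terminal: user=alice cmd="su - nagios -c 'ls /opt/openitc'"
Mar 23 10:01:05 monitor01 oitc-terminal: user=alice cmd="su - nagios -c 'echo $HOME'"
Mar 23 10:02:17 monitor01 oitc-terminal: user=bob cmd="su - nagios; id"
Mar 23 10:02:30 monitor01 oitc-terminal: user=bob cmd="su - `whoami`"
Mar 23 10:03:01 monitor01 sshd[1234]: Accepted publickey for bob from 10.0.0.5 port 51022
"""

# Characters that, outside quotes, change how /bin/sh parses a command line.
SHELL_METACHARS = set(';|&$`<>()\n')

CMD_RE = re.compile(r'user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')
SINGLE_QUOTED = re.compile(r"'[^']*'")


def su_metachars(cmd):
    """Return the shell metacharacters in an su command line that sit
    outside single quotes. A quoted -c body legitimately contains such
    characters; anything outside the quotes was parsed by the calling shell."""
    if not cmd.lstrip().startswith("su"):
        return set()
    outside = SINGLE_QUOTED.sub("", cmd)
    return {c for c in outside if c in SHELL_METACHARS}


def scan(log_text):
    """Return (line_number, user, sorted metacharacters) for suspicious lines."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = CMD_RE.search(line)
        if not m:
            continue  # not a terminal command record
        found = su_metachars(m.group("cmd"))
        if found:
            hits.append((n, m.group("user"), sorted(found)))
    return hits


if __name__ == "__main__":
    for n, user, chars in scan(SAMPLE_LOG):
        print(f"line {n}: user={user} metacharacters={''.join(chars)}")
```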
