CVE-2020-12078
📋 TL;DR
CVE-2020-12078 is a remote code execution vulnerability in Open-AudIT where shell metacharacter injection allows attackers to execute arbitrary commands on the server. This affects Open-AudIT Professional 3.3.1 installations where attackers can inject payloads via the exclude_ip parameter in global discovery settings. Organizations running vulnerable Open-AudIT instances are at risk of complete system compromise.
💻 Affected Systems
- Open-AudIT Professional
📦 What is this software?
Open-AudIT by Opmantek is a network discovery and IT asset inventory application.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root/system-level access, allowing data theft, lateral movement, and persistent backdoor installation.
Likely Case
Remote command execution leading to web server compromise, data exfiltration, and potential ransomware deployment.
If Mitigated
Limited impact with proper network segmentation and least privilege controls, potentially only affecting the web application container.
🎯 Exploit Status
Multiple public exploit scripts and detailed walkthroughs exist. The vulnerability requires no authentication in default configurations and has simple exploitation steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 6ffc7f9032c55eaa1c37cf5e070809b7211c7e9a and subsequent releases
Vendor Advisory: https://github.com/Opmantek/open-audit/commit/6ffc7f9032c55eaa1c37cf5e070809b7211c7e9a
Restart Required: Yes
Instructions:
1. Update Open-AudIT to version 3.3.2 or later.
2. Apply the specific patch from commit 6ffc7f9032c55eaa1c37cf5e070809b7211c7e9a.
3. Restart the web server and Open-AudIT services.
🔧 Temporary Workarounds
Network Access Restriction (Linux)
Restrict access to the Open-AudIT web interface to trusted IP addresses only:
```shell
# Replace TRUSTED_IP with the administrator's address or range. -A appends,
# so these rules are evaluated after any INPUT rules already in place.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
```
Web Server Input Validation (all platforms)
Add input validation at the web server level to reject exclude_ip values that carry shell metacharacters:
```apache
# Add to Apache .htaccess or virtual host config (mod_rewrite must be enabled).
# %{QUERY_STRING} is matched raw, so the percent-encoded forms of ; | ` and $(
# are listed next to the literal ones. '&' is left out of the class because in
# a raw query string it is only ever the parameter separator. This rule does
# not inspect POST bodies.
RewriteEngine On
RewriteCond %{QUERY_STRING} exclude_ip=[^&]*([;|`]|%3B|%7C|%60|%24%28) [NC]
RewriteRule ^ - [F]
```
🧯 If You Can't Patch
- Immediately disable the Open-AudIT web interface and restrict all network access to the service
- Implement strict network segmentation and monitor all traffic to/from the Open-AudIT server for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the Open-AudIT version via the web interface admin panel or by examining the application files for version markers. Versions 3.3.1 and earlier are vulnerable.
Check Version:
```shell
grep -r 'version.*3\.3\.1' /path/to/open-audit/
```
Alternatively, check the version shown in the web interface at /open-audit/.
Verify Fix Applied:
Verify the patch is applied by checking that discoveries_helper.php validates the exclude_ip value as IP addresses and sanitizes it before it reaches the exec() call.
📡 Detection & Monitoring
Log Indicators:
- Unusual exec() calls in PHP error logs
- Suspicious exclude_ip parameter values in web server logs
- Commands with shell metacharacters in system logs
Network Indicators:
- HTTP requests to /open-audit/configuration/ with shell metacharacters in parameters
- Unexpected outbound connections from Open-AudIT server
SIEM Query:
source="apache_access" AND uri="/open-audit/configuration/" AND (query="*exclude_ip=*[;&|`]*" OR query="*exclude_ip=*$(*)")
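As an added example (not from this advisory and not Opmantek's code), the script below applies the log indicators above to Apache access-log lines: it URL-decodes the exclude_ip parameter on requests to /open-audit/ paths and flags any value that is not a plain list of IP addresses or CIDR ranges, separating shell-metacharacter hits from merely malformed values. The log lines are constructed samples.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Shell metacharacters that have no place in an IP/CIDR exclusion list.
META_RE = re.compile(r"[;&|`$<>(){}]")

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2020:10:00:01 +0000] "GET /open-audit/configuration/?exclude_ip=10.0.0.0%2F8%2C192.168.1.0%2F24 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/May/2020:10:00:07 +0000] "GET /open-audit/configuration/?exclude_ip=10.0.0.1%3Bid&x=1 HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.9 - - [01/May/2020:10:00:09 +0000] "POST /open-audit/configuration/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
10.0.0.5 - - [01/May/2020:10:00:12 +0000] "GET /open-audit/configuration/?exclude_ip=1.2.3.4%60whoami%60 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.7 - - [01/May/2020:10:00:15 +0000] "GET /open-audit/configuration/?exclude_ip=10.0.0.256 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

def exclude_ip_is_clean(value: str) -> bool:
    """True when every comma-separated entry is a plain IP address or CIDR."""
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    return True

def find_suspicious_exclude_ip(log_text: str) -> list:
    """One finding per request whose decoded exclude_ip is not a clean
    IP/CIDR list; 'reason' is 'metachar' or 'malformed'."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so %3B and %60 are compared as ; and `
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key != "exclude_ip" or exclude_ip_is_clean(value):
                continue
            reason = "metachar" if META_RE.search(value) else "malformed"
            findings.append({"client": m.group("client"), "path": url.path,
                             "exclude_ip": value, "reason": reason})
    return findings
```

Access logs record only the query string, so a value submitted in a POST body is invisible to this check and needs application-level or mod_security logging instead.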
🔗 References
- http://packetstormsecurity.com/files/157477/Open-AudIT-Professional-3.3.1-Remote-Code-Execution.html
- https://gist.github.com/mhaskar/dca62d0f0facc13f6364b8ed88d5a7fd
- https://github.com/Opmantek/open-audit/commit/6ffc7f9032c55eaa1c37cf5e070809b7211c7e9a
- https://shells.systems/open-audit-v3-3-1-remote-command-execution-cve-2020-12078/