CVE-2020-13124
📋 TL;DR
This CVE describes a command injection vulnerability in SABnzbd's web configuration interface: a user who can authenticate to the web interface can cause arbitrary Python code to run inside the SABnzbd process, with whatever privileges that process has on the underlying operating system. The vulnerability affects SABnzbd versions 2.3.9 and 3.0.0Alpha2 and amounts to authenticated remote code execution. Note that a default SABnzbd installation has no web-interface username or password configured, so on such an instance "authenticated" means anyone who can reach the listening port.
💻 Affected Systems
- SABnzbd 2.3.9 and 3.0.0Alpha2 (see the vendor advisory for the exact fixed release)
📦 What is this software?
SABnzbd by the SABnzbd project: an open-source, Python-based Usenet download client that fetches NZB content, verifies it with par2 and unpacks it with unrar/7z, and is administered entirely through its built-in web interface and JSON API. The same interface and API are what an attacker reaches with this vulnerability.
⚠️ Risk & Real-World Impact
Worst Case
Injected code runs as the account SABnzbd itself runs under. Where that is root or SYSTEM (common in some container images and Windows installs), the attacker gets full control of the host, can install persistent backdoors, exfiltrate data, and pivot to other systems on the network; where it is an unprivileged service account, the attacker still controls everything that account can read and write, including the download directories and the SABnzbd configuration and API key.
Likely Case
Authenticated attacker executes arbitrary commands to steal credentials, install cryptocurrency miners, or create backdoors for persistent access.
If Mitigated
Impact confined to the SABnzbd account on a segmented host: a web-interface password is set, the interface is reachable only from trusted addresses, and the service runs as a dedicated low-privilege user with no access to other systems or credentials.
🎯 Exploit Status
Exploitation requires access to the web configuration interface: valid web-interface credentials where a password has been set, or simply network reachability where none has (the default). Once in, triggering the injection is a matter of submitting a crafted configuration value. The vendor advisory linked below documents the issue; no additional tooling is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.3.9 and 3.0.0Alpha2
Vendor Advisory: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-9x87-96gg-33w2
Restart Required: Yes
Instructions:
1. Download latest version from https://sabnzbd.org/downloads
2. Stop SABnzbd service
3. Install updated version
4. Restart SABnzbd service
🔧 Temporary Workarounds
Bind Web Interface to Localhost
SABnzbd is managed entirely through its web interface, so it cannot be disabled without losing control of the service; stop exposing it on the network instead
Edit the [misc] section of sabnzbd.ini and set 'host = 127.0.0.1', then reach the interface through an SSH tunnel or a local reverse proxy that enforces its own authentication
Restart SABnzbd service
Network Restriction
Restrict web interface access to trusted IP addresses only
Configure firewall to allow only specific IPs to access the SABnzbd ports (default 8080 for HTTP, 9090 for HTTPS)
🧯 If You Can't Patch
- Set a web-interface username and password (Config > General); a default installation has none, which turns this authenticated bug into an unauthenticated one for anyone who can reach the port
- Rotate the web-interface password and the API key if the instance was ever reachable from untrusted networks, since either grants the access the exploit needs
- Run SABnzbd as a dedicated, unprivileged user so that injected code inherits as little as possible
- Implement strict network segmentation to isolate SABnzbd instances from anything they do not need to reach
🔍 How to Verify
Check if Vulnerable:
Read the version from the web interface (Config > General) or from the JSON API (api?mode=version). Vulnerable if the version is exactly 2.3.9 or 3.0.0Alpha2.
Check Version:
Use the web interface or the API, not sabnzbd.ini: the '__version__' key in sabnzbd.ini is the configuration-file schema version (a small integer), not the program version
Verify Fix Applied:
After the restart, confirm through the same web interface or API query that the reported version is later than 2.3.9 and later than 3.0.0Alpha2 (pre-release tags such as Alpha, Beta and RC sort before the final release of the same number). Check the vendor advisory for the specific fixed version.
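The version check described above, written out as an added example (this is not SABnzbd code). It parses SABnzbd-style version strings so that 3.0.0Alpha2 sorts below 3.0.0, classifies a string against the two releases this page lists, and can fetch the string from a running instance. The API call assumes that `api?mode=version&output=json` answers without an API key and returns a JSON object with a `version` field; the classification rules are the page's own statements, not an extended affected-version list from the advisory.

```python
"""Classify a SABnzbd version string against the versions named in CVE-2020-13124."""
import json
import re
import sys
import urllib.request

# The two releases this page names as affected.
AFFECTED = ("2.3.9", "3.0.0Alpha2")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(Alpha|Beta|RC)(\d+))?$", re.IGNORECASE)
# Pre-release stages in ascending order; a final release gets rank 3 so it
# sorts above every pre-release of the same number.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3


def parse_version(text):
    """'3.0.0Alpha2' -> (3, 0, 0, 0, 2); '3.0.0' -> (3, 0, 0, 3, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SABnzbd version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        return (major, minor, patch, _STAGE_RANK[m.group(4).lower()], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


def classify(text):
    """'vulnerable' for a listed release, 'fixed' for anything newer than
    3.0.0Alpha2, 'unlisted' for anything older (consult the advisory)."""
    v = parse_version(text)
    if any(v == parse_version(a) for a in AFFECTED):
        return "vulnerable"
    if v > parse_version("3.0.0Alpha2"):
        return "fixed"
    return "unlisted"


def fetch_version(base_url, timeout=5):
    """Ask a running instance for its version over the JSON API.
    Assumption: mode=version needs no API key and returns {"version": "..."}."""
    url = f"{base_url.rstrip('/')}/api?mode=version&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # usage: python check_version.py http://127.0.0.1:8080
    ver = fetch_version(sys.argv[1]) if len(sys.argv) > 1 else "3.0.0Alpha2"
    print(f"SABnzbd {ver}: {classify(ver)}")
```

The 'unlisted' result is deliberate: the page only names two affected releases, so an older 3.0.0Alpha1 or a 2.3.x below 2.3.9 is neither confirmed vulnerable nor confirmed fixed by this text, and the advisory has the final word.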
📡 Detection & Monitoring
Log Indicators:
- Child processes of the SABnzbd process that are shells, interpreters invoked with -c, or download tools; baseline first, because SABnzbd legitimately spawns par2, unrar, 7z and the user's own post-processing scripts
- Payloads that stay inside the Python process (opening sockets, writing files) create no child process at all; for those, watch for unexpected configuration changes and for files written by the SABnzbd account outside its download directories
- A web-interface login or API-key request followed within seconds by a configuration save and then new process or network activity from the SABnzbd host
Network Indicators:
- Unusual outbound connections from SABnzbd host
- Command and control traffic patterns
SIEM Query:
sabnzbd.log does not record the injected code, so query process-creation telemetry (auditd, Sysmon, EDR) rather than the application log; in Splunk-style syntax, with field names adapted to your source:
ParentCommandLine="*SABnzbd.py*" AND (CommandLine="*-c *" OR Image IN ("*/sh", "*/bash", "*/curl", "*/wget", "*/nc"))
🔗 References
- https://github.com/sabnzbd/sabnzbd/commits/develop
- https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-9x87-96gg-33w2
- https://sabnzbd.org/downloads