CVE-2020-17384

CVSS 7.2 HIGH

📋 TL;DR

This vulnerability lets an attacker who holds a valid administrator session cookie inject operating-system commands through a URL parameter that Cellopoint CelloOS does not validate properly, giving remote code execution on the appliance. The affected release is Cellopoint CelloOS v4.1.10 Build 20190922.

💻 Affected Systems

Products:
  • Cellopoint CelloOS
Versions: v4.1.10 Build 20190922
Operating Systems: Unknown - likely Linux-based appliance
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires a valid administrator session cookie, so the realistic paths are stolen admin credentials, session hijacking, or a malicious or compromised administrator. It is not an unauthenticated bug, but admin sessions on a security appliance are a common target.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install malware, or pivot to other network systems.

🟠

Likely Case

Attackers with stolen admin credentials can execute commands to exfiltrate data, modify system configurations, or disrupt operations.

🟢

If Mitigated

With the admin interface restricted to a management network and the appliance segmented from critical assets, impact is limited to the appliance itself without lateral movement.

🌐 Internet-Facing: HIGH if system is internet-facing, as attackers can exploit remotely once they obtain admin cookies.
🏢 Internal Only: MEDIUM if system is internal-only, requiring attackers to first compromise internal network or have insider access.

🎯 Exploit Status

Public PoC: No
Weaponized: Unknown (no public reports)
Unauthenticated Exploit: No (a valid administrator session cookie is required)
Complexity: LOW

Exploitation requires an administrator cookie, but once one is in hand the injection is a single crafted request to the vulnerable URL parameter; no memory corruption, race or timing is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: A release later than v4.1.10 Build 20190922; the exact fixed build is not stated here, so confirm it with Cellopoint or the TWCERT advisory.

Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html

Restart Required: Yes

Instructions:

1. Contact Cellopoint for the updated version.
2. Back up the current configuration.
3. Apply the patch or upgrade.
4. Restart the system.
5. Verify the fix (see How to Verify below).

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Put a web application firewall or reverse proxy in front of the admin interface and reject requests whose URL parameter contains shell metacharacters (; | ` $( &&) in either literal or percent-encoded form. This is a stopgap: the appliance code is unchanged, and a filter that does not normalise encodings can be bypassed.

# Requires custom web application firewall or input filtering rules
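The pattern behind this class of bug, and the two-step fix (validate, then keep a shell out of the execution path), shown as an added example. This is illustrative code, not CelloOS's own (its source is not public); the handler shape, the parameter name and the use of `echo` in place of a real fetch tool are assumptions made for the example.

```python
"""Command injection through a URL parameter: vulnerable sink beside a hardened one.

Added illustration, not CelloOS code. The handler, the parameter and the use
of `echo` as the command being built are assumptions made for the example.
"""
import re
import subprocess
from urllib.parse import urlparse

# Characters that let input escape into shell syntax. '&' also appears in
# legitimate multi-parameter query strings, so a deny-list like this is a
# stopgap with false positives; the real fix is to keep a shell out of the
# path entirely (see run_hardened).
SHELL_METACHARS = re.compile(r'[;&|`$<>(){}\n\r\\\'"]')


def validate_url(url: str) -> str:
    """Allowlist check: http(s) scheme, a hostname, no shell metacharacters."""
    if SHELL_METACHARS.search(url):
        raise ValueError("shell metacharacter in URL")
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("unsupported URL")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean wrapper around validate_url for callers that prefer no exception."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


def run_vulnerable(url: str) -> str:
    """The anti-pattern: a shell command string built from untrusted input.

    With url = "http://example.com/; echo INJECTED" the shell also runs the
    second command. `echo` stands in for whatever tool the handler invokes.
    """
    cmd = f"echo fetching {url}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(url: str) -> str:
    """Validate first, then pass an argv list so no shell ever parses the URL."""
    argv = ["echo", "fetching", validate_url(url)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "http://example.com/; echo INJECTED"
    print(run_vulnerable(payload))  # second output line is INJECTED
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened handler rejected the URL:", exc)
```

The argv form is the part that actually removes the bug: even if the deny-list is incomplete, a URL passed as a single argument is never interpreted by `/bin/sh`. The regex is only there to mirror what a WAF rule in front of an unpatched appliance can do.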

Cookie Security Hardening

Platform: all

Where the appliance or a fronting reverse proxy allows it, set HttpOnly, Secure and SameSite on the administrator session cookie, keep session lifetimes short and rotate the session identifier on login. This makes the cookie harder to steal and useful for less time; it does not remove the injection itself.

# Set HttpOnly, Secure, SameSite attributes for admin cookies
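What those attributes look like on the wire, and a small audit that reports which of them a Set-Cookie header is missing, as an added example rather than anything from CelloOS. The cookie name `cello_admin` and the sample header strings are constructed for the illustration; whether CelloOS exposes these settings is not stated on this page.

```python
"""Admin cookie hardening: issue a cookie with the recommended attributes and
audit Set-Cookie headers that lack them.

Added example, not CelloOS code. The cookie name "cello_admin" and the sample
Set-Cookie values are constructed for the illustration.
"""
from http.cookies import SimpleCookie


def build_admin_cookie(name: str, value: str, max_age: int = 900) -> str:
    """Return a Set-Cookie header value with HttpOnly, Secure and SameSite set.

    HttpOnly keeps script from reading the cookie, Secure keeps it off plain
    HTTP, SameSite=Strict stops cross-site requests from carrying it, and a
    short Max-Age bounds how long a stolen cookie stays useful.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"  # Morsel supports samesite on Python 3.8+
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header: str) -> list:
    """Return the hardening attributes missing from a Set-Cookie header value.

    Attribute names are case-insensitive per RFC 6265, so they are lowered
    before comparison; flag attributes (HttpOnly, Secure) carry no value.
    """
    _name_value, *attr_parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in attr_parts:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax or Strict")
    return missing


if __name__ == "__main__":
    hardened = build_admin_cookie("cello_admin", "abc123")
    print(hardened)
    print("missing from hardened cookie:", audit_set_cookie(hardened))
    print("missing from bare cookie:", audit_set_cookie("cello_admin=abc123; Path=/"))
```

Run the audit against the Set-Cookie headers the appliance's login response actually returns (for example from a browser's developer tools or a proxy capture); SameSite=None is treated as missing because it offers no cross-site protection.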

🧯 If You Can't Patch

  • Restrict the admin interface to a management network and segment the CelloOS appliance from critical assets
  • Limit administrator accounts, enforce strong credentials, and alert on admin sessions from unexpected source addresses or at unusual times

🔍 How to Verify

Check if Vulnerable:

Compare the version shown in the admin interface with v4.1.10 Build 20190922; a match means the system is vulnerable. Contact Cellopoint support if the build string is unclear.

Check Version:

# Admin web interface, system information page (the exact menu path is not documented here)

Verify Fix Applied:

Confirm the reported version is later than v4.1.10 Build 20190922, then, in a non-production environment, send a request with a shell metacharacter in the URL parameter and confirm it is rejected rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected commands or child processes spawned by the web service, visible in system or process logs
  • Multiple failed authentication attempts followed by a successful admin login, or admin logins from new source addresses
  • URL parameters containing shell metacharacters, including their percent-encoded forms (%3B, %7C, %60, %24%28)

Network Indicators:

  • Unusual outbound connections from CelloOS system
  • Traffic to unexpected ports or IPs

SIEM Query:

source="celloos" AND (url="*;*" OR url="*|*" OR url="*`*" OR url="*$(*" OR url="*%3B*" OR url="*%7C*" OR url="*%60*" OR url="*%24%28*")

The literal patterns alone miss percent-encoded payloads, so include the encoded forms as above or run the query against a URL field your SIEM has already decoded. Expect some false positives from legitimate query strings that contain `|` or `;`.
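The same detection as a script over access-log lines, added here as an example and not CelloOS tooling. It percent-decodes the request target before matching, which is what a wildcard query on the raw URL does not do. The log lines are constructed (Apache combined style); CelloOS's real log format and the `/admin/tool?url=` endpoint are assumptions.

```python
"""Detection: flag admin requests whose URL carries shell operators, after
percent-decoding so encoded payloads are not missed.

Added example, not CelloOS tooling. The access-log lines below are constructed
(Apache combined style); the real log format and the /admin/tool?url=
endpoint are assumptions.
"""
import re
from urllib.parse import unquote

# Operators that separate or substitute commands in a POSIX shell.
SHELL_OPERATORS = re.compile(r'(;|\|\|?|&&|`|\$\(|\n)')

REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[.*?\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/'
)

# Constructed sample log lines: one benign admin request, two percent-encoded
# injection attempts (the second double-encoded), one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Oct/2020:10:01:02 +0800] "GET /admin/tool?url=http://example.com/ HTTP/1.1" 200 512',
    '10.0.0.5 - admin [12/Oct/2020:10:01:09 +0800] "GET /admin/tool?url=http://example.com/%3Bid HTTP/1.1" 200 611',
    '10.0.0.7 - admin [12/Oct/2020:10:02:30 +0800] "GET /admin/tool?url=http://example.com/%2524%2528cat%2520/etc/passwd%2529 HTTP/1.1" 200 700',
    '10.0.0.8 - - [12/Oct/2020:10:03:00 +0800] "GET /login HTTP/1.1" 200 300',
]


def decode_fully(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %253B -> %3B -> ; is caught."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def suspicious_requests(lines):
    """Return (client, user, raw_target, decoded_target) for each matching line."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        decoded = decode_fully(m.group("target"))
        if SHELL_OPERATORS.search(decoded):
            hits.append((m.group("client"), m.group("user"), m.group("target"), decoded))
    return hits


if __name__ == "__main__":
    for client, user, raw, decoded in suspicious_requests(SAMPLE_LOG):
        print(f"{client} {user}: {raw} -> {decoded}")
```

Neither flagged line contains a literal `;` or `$(` in the raw URL, so the wildcard query above would miss both unless the SIEM decodes the field first. Triage hits by pairing them with the process or command logs from the same minute.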
