CVE-2020-24032

9.8 CRITICAL

📋 TL;DR

CVE-2020-24032 is a command injection vulnerability in tz.pl on XoruX LPAR2RRD and STOR2RRD virtual appliances that allows attackers to execute arbitrary commands via shell metacharacters in the timezone parameter. This affects organizations using these monitoring appliances for IBM Power systems and storage systems. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • XoruX LPAR2RRD
  • XoruX STOR2RRD
Versions: 2.70 virtual appliances
Operating Systems: Linux-based virtual appliance
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the tz.pl script in the web interface of the virtual appliances.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attacker to execute arbitrary commands as the web server user, potentially leading to data theft, system destruction, or lateral movement within the network.

🟠 Likely Case

Remote code execution leading to installation of backdoors, cryptocurrency miners, or data exfiltration from the monitoring system.

🟢 If Mitigated

Limited impact if network segmentation prevents external access and proper input validation is implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and has public exploit details available.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows command injection that could lead to lateral movement within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on Pastebin showing simple command injection via the tz parameter. The vulnerability requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.70

Vendor Advisory: https://www.stor2rrd.com/download.php

Restart Required: Yes

Instructions:

1. Download the latest version from the vendor website.
2. Back up the current configuration.
3. Install the updated version.
4. Restart the appliance services.

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to the appliance web interface to trusted IP addresses only.

# TRUSTED_IP is a placeholder for one address or CIDR; repeat the ACCEPT lines per trusted source.
# -A appends, so first confirm no earlier rule already accepts these ports: iptables -L INPUT -n --line-numbers
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Input Validation Patch

Add input validation to the tz.pl script so that the tz parameter only ever reaches the shell when it matches a timezone allow-list (letters, digits, "/", "_" and "-"); any other value falls back to 'UTC'.

# Assumes tz.pl reads the parameter as $ENV{'tz'}; adapt the search pattern to how your copy reads it.
# Wraps every occurrence in the allow-list check. Run once only (a second run nests the guard);
# -i.bak keeps the original so you can diff the result before restarting the web service.
sed -i.bak "s|\$ENV{'tz'}|(\$ENV{'tz'} =~ m{^[A-Za-z0-9/_-]+\$} ? \$ENV{'tz'} : 'UTC')|g" /path/to/tz.pl

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the appliance from untrusted networks.
  • Deploy a web application firewall (WAF) with command injection rules in front of the appliance.

🔍 How to Verify

Check if Vulnerable:

Check if the appliance version is 2.70 by accessing the web interface and reviewing version information, or check the installed package version.

Check Version:

grep -i version /opt/stor2rrd/version.txt || grep -i version /opt/lpar2rrd/version.txt

Verify Fix Applied:

Verify the appliance version is updated beyond 2.70 and test the tz parameter with shell metacharacters to ensure command injection is no longer possible.

📡 Detection & Monitoring

Log Indicators:

  • Requests in web server logs whose tz parameter contains shell metacharacters (also in percent-encoded form, e.g. %3B for ";")
  • Suspicious process execution from the web server user account

Network Indicators:

  • HTTP requests to tz.pl with shell metacharacters in parameters
  • Outbound connections from the appliance to unexpected destinations

SIEM Query:

source="web_logs" AND uri="*tz.pl*" AND (param="*;*" OR param="*|*" OR param="*`*" OR param="*$(*")
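As an added example (not part of this advisory and not XoruX code), the Python script below runs the detection logic above over a few constructed access-log lines: it extracts the tz parameter from requests to tz.pl, accepts values that pass the same allow-list used in the input-validation workaround (letters, digits, "/", "_", "-"), and reports every other request together with the shell metacharacters found. Unlike the SIEM query, it decodes the query string first, so percent-encoded metacharacters are caught too. The CGI path /lpar2rrd-cgi/tz.pl, the combined log format and the log lines themselves are assumptions made for the example; adjust them to your appliance.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for a timezone identifier such as "Europe/Prague" or "UTC":
# letters, digits, "/", "_" and "-" only (the same rule as the sed workaround above).
# Used with fullmatch() so that a trailing newline cannot slip past a "$" anchor.
TZ_ALLOWED = re.compile(r"[A-Za-z0-9/_-]+")

# Shell metacharacters that never belong in a timezone name.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Combined-format access log line: source, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); the CGI path is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2020:10:01:02 +0000] "GET /lpar2rrd-cgi/tz.pl?tz=Europe/Prague HTTP/1.1" 200 512
10.0.0.5 - - [10/Aug/2020:10:01:07 +0000] "GET /lpar2rrd-cgi/tz.pl?tz=UTC HTTP/1.1" 200 498
203.0.113.9 - - [10/Aug/2020:10:02:15 +0000] "GET /lpar2rrd-cgi/tz.pl?tz=UTC%3Bid HTTP/1.1" 200 611
203.0.113.9 - - [10/Aug/2020:10:02:16 +0000] "GET /lpar2rrd-cgi/tz.pl?tz=%60id%60 HTTP/1.1" 200 604
10.0.0.7 - - [10/Aug/2020:10:03:00 +0000] "GET /lpar2rrd-cgi/index.html HTTP/1.1" 200 2048
"""


def is_valid_tz(value):
    """True if the value passes the timezone allow-list; anything else should be rejected."""
    return TZ_ALLOWED.fullmatch(value) is not None


def tz_param(target):
    """Return the percent-decoded tz parameter if the request target is tz.pl, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/tz.pl"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("tz")
    return values[0] if values else None


def scan_log(text):
    """Return one finding per tz.pl request whose tz value fails the allow-list.

    Decoding happens before the check, so encoded metacharacters (%3B, %60, %24%28)
    are caught as well, which a raw substring match on the log line would miss.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tz = tz_param(m["target"])
        if tz is None or is_valid_tz(tz):
            continue
        findings.append({
            "src": m["src"],
            "ts": m["ts"],
            "tz": tz,
            "meta": sorted(set(SHELL_META.findall(tz))),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} tz={f['tz']!r} metacharacters={f['meta']}")
```

Run it against an exported access log (`python3 scan.py < access.log` after swapping SAMPLE_LOG for stdin) or feed the flagged source addresses into the outbound-connection check from the network indicators above; an empty tz value is also reported, since the allow-list requires at least one character.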
