CVE-2020-26943

9.9 CRITICAL

📋 TL;DR

This vulnerability allows authenticated users of the OpenStack Horizon dashboard with the blazar-dashboard plugin to execute arbitrary Python code on the Horizon host. The exploit occurs because the application uses the unsafe Python eval() function on user input. All OpenStack deployments using Horizon with the vulnerable blazar-dashboard plugin versions are affected.
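The root cause stated above is the general eval()-on-user-input pattern. The following is an added example, not code from blazar-dashboard or the Horizon project, that puts the vulnerable pattern beside two hardened parsers so the difference is visible on the same inputs. The sample strings are constructed for the example; the page says only that eval() was applied to user input, and this does not claim to reproduce the plugin's actual form handling.

```python
import ast
import json

# Constructed sample inputs, standing in for a value a dashboard form field
# might receive from an authenticated user (not taken from blazar-dashboard).
SAMPLE_LITERAL = '{"resource_type": "physical:host", "min": 1, "max": 2}'
SAMPLE_EXPRESSION = "[n * 2 for n in range(3)]"   # valid Python, but not a literal


def parse_unsafe(text):
    """Vulnerable pattern: eval() executes whatever Python the caller supplies.
    A data literal parses fine, but so does any expression or call."""
    return eval(text)


def parse_with_literal_eval(text):
    """Hardened: ast.literal_eval accepts only Python literals (dicts, lists,
    numbers, strings, ...). Anything executable raises ValueError."""
    return ast.literal_eval(text)


def parse_with_json(text):
    """Hardened and stricter: treat the field as JSON, which has no notion of
    code at all. json.JSONDecodeError is a ValueError subclass."""
    return json.loads(text)


def classify(text):
    """Report how each parser treats one input: 'accepted' or 'rejected'."""
    out = {}
    for name, fn in (("eval", parse_unsafe),
                     ("literal_eval", parse_with_literal_eval),
                     ("json", parse_with_json)):
        try:
            fn(text)
            out[name] = "accepted"
        except (ValueError, SyntaxError):
            out[name] = "rejected"
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_LITERAL, SAMPLE_EXPRESSION):
        print(repr(sample), classify(sample))
```

The literal is accepted by all three parsers, which is why eval() looks harmless in testing; only the hardened parsers reject the expression, which eval() silently executes. When the field is meant to carry structured data, json.loads is the better choice because it also refuses Python-only syntax such as tuples or trailing commas that literal_eval would still accept.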

💻 Affected Systems

Products:
  • OpenStack Horizon with blazar-dashboard plugin
Versions: blazar-dashboard versions before 1.3.1, 2.0.0, and 3.0.0
Operating Systems: Any OS running OpenStack Horizon
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects setups where the blazar-dashboard plugin is installed and enabled in Horizon. The vulnerability requires authenticated access to the Horizon dashboard.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Horizon service host, allowing attackers to execute arbitrary code as the Horizon service user, potentially leading to lateral movement within the OpenStack environment and data exfiltration.

🟠 Likely Case

Unauthorized access to the Horizon host, enabling attackers to read sensitive configuration files, modify service behavior, or use the host as a pivot point for further attacks within the cloud infrastructure.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege principles are implemented, though the Horizon service would still be compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is straightforward once an attacker has valid Horizon dashboard credentials. The vulnerability is in the Python eval() function usage, making code execution trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: blazar-dashboard 1.3.1, 2.0.0, or 3.0.0

Vendor Advisory: https://launchpad.net/bugs/1895688

Restart Required: Yes

Instructions:

1. Update blazar-dashboard to version 1.3.1, 2.0.0, or 3.0.0 using your package manager.
2. Restart the Horizon service.
3. Verify the fix by checking the installed version.

🔧 Temporary Workarounds

Disable blazar-dashboard plugin (linux)

Temporarily disable the vulnerable plugin until patching can be completed:

  • Remove or comment out blazar-dashboard from HORIZON_CONFIG['dashboards'] in local_settings.py
  • Restart Horizon service: systemctl restart apache2

🧯 If You Can't Patch

  • Restrict Horizon dashboard access to only trusted users with strong authentication
  • Implement network segmentation to isolate Horizon service from critical infrastructure

🔍 How to Verify

Check if Vulnerable:

Check installed blazar-dashboard version: pip show blazar-dashboard | grep Version

Verify Fix Applied:

Verify version is 1.3.1, 2.0.0, or 3.0.0: pip show blazar-dashboard | grep Version
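The fix instructions and the verification step above both come down to comparing the installed blazar-dashboard version against the three fixed releases, where "before 1.3.1, 2.0.0, and 3.0.0" means each release line has its own threshold. The following is an added example, not part of this advisory or of the blazar project, that parses `pip show` output and applies that per-line comparison, including pre-releases of a fixed version (for example a 2.0.0rc1), which still predate the fix. The sample `pip show` text is constructed so the check runs offline; the live call at the bottom is only attempted when run as a script.

```python
import re
import subprocess

# Fixed releases named in the advisory, keyed by major version line.
# 0.x and 1.x are fixed at 1.3.1, 2.x at 2.0.0, 3.x at 3.0.0.
FIXED_BY_LINE = {0: (1, 3, 1), 1: (1, 3, 1), 2: (2, 0, 0), 3: (3, 0, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text):
    """Split 'X.Y.Z[suffix]' into ((X, Y, Z), suffix). The suffix is whatever
    follows the patch number, e.g. 'rc1' or '.dev4' on a pre-release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_vulnerable(version):
    """True when the version predates the fixed release of its line."""
    base, suffix = parse_version(version)
    fixed = FIXED_BY_LINE.get(base[0], (3, 0, 0))  # 4.x and later inherit the fix
    if base < fixed:
        return True
    # A pre-release of the fixed version itself (e.g. 2.0.0rc1) predates the fix.
    return base == fixed and suffix != ""


def version_from_pip_show(output):
    """Pull the 'Version:' line out of `pip show blazar-dashboard` output.
    Returns None when the package is not installed (pip prints nothing)."""
    for line in output.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def check_installed(pip_output):
    version = version_from_pip_show(pip_output)
    if version is None:
        return "not installed"
    if is_vulnerable(version):
        return "vulnerable (%s)" % version
    return "fixed (%s)" % version


# Constructed sample of what `pip show` prints, so the check runs offline.
SAMPLE_PIP_OUTPUT = """Name: blazar-dashboard
Version: 1.3.0
Summary: Horizon plugin for Blazar
"""

if __name__ == "__main__":
    try:
        live = subprocess.run(["pip", "show", "blazar-dashboard"],
                              capture_output=True, text=True, check=False).stdout
    except OSError:
        live = ""
    print("sample:", check_installed(SAMPLE_PIP_OUTPUT))
    print("this host:", check_installed(live))
```

Run it on the Horizon host with the same interpreter that serves Horizon, since a distribution package or a separate virtualenv can leave `pip show` reporting a different installation than the one Apache actually loads.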

📡 Detection & Monitoring

Log Indicators:

  • Unusual Python eval() errors in Horizon logs
  • Suspicious user activity in blazar dashboard logs
  • Unexpected process execution from Horizon service user

Network Indicators:

  • Unusual outbound connections from Horizon host
  • Suspicious payloads in Horizon API requests

SIEM Query:

(source="horizon.log" AND "eval" AND "error") OR (source="apache.log" AND "/blazar/" AND status=200)
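The SIEM query above has two independent clauses: eval-related errors in the Horizon log, and successful requests to /blazar/ paths in the Apache access log. The following is an added example, not part of this advisory, that applies the same two clauses to log records in Python so the logic can be tested against sample lines before it is loaded into a SIEM. The log lines and the `(source, line)` record shape are constructed for the example.

```python
import re

# Constructed sample records as (source, line); the sources mirror the two
# the SIEM query names. Timestamps, addresses and paths are made up.
SAMPLE_RECORDS = [
    ("horizon.log", "2020-10-05 10:12:01 ERROR django.request Traceback ... eval(value) ... NameError"),
    ("horizon.log", "2020-10-05 10:12:05 INFO openstack_auth Login successful for user alice"),
    ("apache.log", '10.0.0.7 - - [05/Oct/2020:10:12:07 +0000] "POST /dashboard/project/reservations/create HTTP/1.1" 200 512'),
    ("apache.log", '10.0.0.7 - - [05/Oct/2020:10:12:09 +0000] "GET /blazar/hosts/ HTTP/1.1" 200 2048'),
    ("apache.log", '10.0.0.9 - - [05/Oct/2020:10:13:00 +0000] "GET /blazar/leases/ HTTP/1.1" 302 0'),
]

# Status code is the first number after the closing quote of the request line.
_STATUS_RE = re.compile(r'"\s(\d{3})\s\d+\s*$')


def horizon_eval_error(line):
    """First clause: a horizon.log line that mentions both eval and error."""
    lower = line.lower()
    return "eval" in lower and "error" in lower


def apache_blazar_ok(line):
    """Second clause: an access-log line for a /blazar/ path answered with 200."""
    m = _STATUS_RE.search(line)
    return "/blazar/" in line and m is not None and m.group(1) == "200"


def match_siem_query(records):
    """Apply the advisory's query, keeping the two clauses separate so each
    hit records which clause fired."""
    hits = []
    for source, line in records:
        if source == "horizon.log" and horizon_eval_error(line):
            hits.append(("horizon_eval_error", line))
        elif source == "apache.log" and apache_blazar_ok(line):
            hits.append(("blazar_request_200", line))
    return hits


if __name__ == "__main__":
    for reason, line in match_siem_query(SAMPLE_RECORDS):
        print(reason, "->", line)
```

The second clause fires on every successful request to the plugin, so it is an audit trail rather than an alert; the first clause is the one worth paging on, and it should be correlated with the user name and the preceding /blazar/ request from the same session.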
