CVE-2020-6143

9.8 CRITICAL

📋 TL;DR

This is a critical remote code execution vulnerability in OS4Ed openSIS 7.4's installation functionality. Attackers can inject malicious PHP code through the password parameter during installation, allowing them to execute arbitrary commands on the server. Any organization using openSIS 7.4 with the default installation is affected.

💻 Affected Systems

Products:
  • OS4Ed openSIS
Versions: Version 7.4
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable during or after installation if the install directory remains accessible. The vulnerability is in the Step5.php file during the installation process.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attackers to install backdoors, steal sensitive student data, pivot to internal networks, and maintain persistent access.

🟠 Likely Case: Webshell deployment leading to data exfiltration, credential theft, and potential ransomware deployment on the affected server.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, potentially only affecting the openSIS application server.

🌐 Internet-Facing: HIGH - The vulnerability is in the installation component which is typically internet-accessible during setup, and exploitation requires no authentication.
🏢 Internal Only: MEDIUM - If the installation interface remains accessible internally after setup, attackers with internal access could exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - attackers send a crafted HTTP request to the install/Step5.php endpoint with malicious PHP code in the password parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: openSIS 7.5 and later

Vendor Advisory: https://www.os4ed.com/

Restart Required: No

Instructions:

1. Upgrade to openSIS 7.5 or later.
2. Remove or restrict access to the install directory after installation.
3. Review the Data.php file for injected code.

🔧 Temporary Workarounds

Remove Install Directory (Linux shell)

Delete the install directory after installation completes, or, if you must keep it on disk, make it inaccessible to the web server user. The two commands are alternatives, not a sequence: once the directory is deleted there is nothing left for chmod to act on.

# Option A: remove the installer outright (take a backup first if you may need it again)
rm -rf /path/to/opensis/install/
# Option B: keep it, but strip all permissions so the web server user cannot read or traverse it
chmod 000 /path/to/opensis/install/

Web Server Access Restriction (any web server)

Configure the web server to refuse requests to the install directory. This is a stopgap for deployments that cannot delete the directory; deleting it remains the stronger fix.

# Apache 2.2: put this in /path/to/opensis/install/.htaccess (or a <Directory> block)
Deny from all
# Apache 2.4: the equivalent directive (Deny from all only works with mod_access_compat)
Require all denied
# Nginx: inside the server {} block. The ^~ modifier stops a later
# "location ~ \.php$" block from matching install/Step5.php ahead of this rule.
location ^~ /install/ { deny all; }

🧯 If You Can't Patch

  • Immediately remove or restrict access to the install directory using web server configuration
  • Implement strict network segmentation and WAF rules to block requests to install endpoints

🔍 How to Verify

Check if Vulnerable:

Check whether install/Step5.php is reachable over HTTP and whether the openSIS version is 7.4. Review the Data.php file for PHP code that does not belong there.

Check Version:

Check the version in the application interface, or review the release notes in the installation directory.

Verify Fix Applied:

Confirm the install directory is no longer reachable over HTTP and the version is 7.5 or later. Verify Data.php contains no injected code.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to install/Step5.php with unusual parameters
  • File modifications to Data.php
  • Unusual PHP process execution

Network Indicators:

  • HTTP POST requests to install endpoints with PHP code in parameters
  • Outbound connections from web server to suspicious IPs

SIEM Query:

source="web_logs" AND ((uri="/install/Step5.php" AND method="POST") OR uri="/Data.php")

Generic search syntax; adapt the field names to your SIEM. Requests to the install path that return 403 or 404 show the access restriction is working, so add status=200 if you only want requests that succeeded.
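The log indicators above, applied to access-log lines, as an added example that is not part of the original advisory. It assumes Apache/Nginx "combined" log format and openSIS served from the web root (so the installer is under /install/); the sample lines are constructed for the example. It also grades refused requests to the install path as informational, since those show the workaround is in place.

```python
"""Added example, not part of the original advisory: a small scanner that
applies the CVE-2020-6143 log indicators to web-server access logs.

Assumptions (constructed for this example): Apache/Nginx "combined" log
format, and openSIS served from the web root so the installer lives under
/install/. Adjust the path checks if your deployment differs.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One combined-format line: client ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


@dataclass(frozen=True)
class Alert:
    severity: str   # "high", "medium" or "info"
    ip: str
    time: str
    reason: str


def classify(line: str) -> Optional[Alert]:
    """Return an Alert for a line that matches an indicator, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None              # not a combined-format line; ignore it
    ip, time, method = m["ip"], m["time"], m["method"]
    status = int(m["status"])
    path = m["path"].split("?", 1)[0].lower()   # drop the query string

    if "/install/" in path:
        if status in (401, 403, 404):
            # The request was refused: evidence the access restriction is in place.
            return Alert("info", ip, time,
                         f"install directory request blocked ({method} {path} -> {status})")
        if method == "POST" and path.endswith("/install/step5.php"):
            # The vulnerable step accepted a POST: treat it as an attack attempt.
            return Alert("high", ip, time,
                         f"POST to install/Step5.php answered {status}")
        return Alert("medium", ip, time,
                     f"install directory still reachable ({method} {path} -> {status})")

    if path.endswith("/data.php"):
        # Data.php is the file the advisory says to review for injected code.
        return Alert("medium", ip, time,
                     f"direct request for Data.php ({method} -> {status})")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Scan access-log lines and return every alert, in log order."""
    return [a for a in (classify(line) for line in lines) if a is not None]


# Constructed sample lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /install/Step5.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /Data.php HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    '198.51.100.2 - - [10/Oct/2023:14:01:02 +0000] "GET /install/index.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:02:10 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity:<6}] {alert.time} {alert.ip}: {alert.reason}")
```

Run it against a real log with `scan(open("/var/log/apache2/access.log"))`; the first sample line is graded high because the install step is still answering POSTs, the third only informational because the 403 shows the deny rule is working.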
