CVE-2023-36663
📋 TL;DR
CVE-2023-36663 is an SQL injection vulnerability in openITCOCKPIT's API interface that allows authenticated users to execute arbitrary SQL commands via the sort parameter. This affects openITCOCKPIT versions 4.6.4 and earlier, potentially compromising the underlying database and system integrity.
💻 Affected Systems
- it-novum openITCOCKPIT (open IT COCKPIT)
📦 What is this software?
openITCOCKPIT by it-novum
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, privilege escalation, and potential remote code execution on the database server.
Likely Case
Unauthorized data access, extraction of sensitive information, and potential lateral movement within the database environment.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing successful exploitation.
🎯 Exploit Status
SQL injection via sort parameter is a well-understood attack vector. While no public PoC exists, exploitation is straightforward for attackers with authenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.5
Vendor Advisory: https://openitcockpit.io/2023/2023/06/13/openitcockpit-4-6-5-released-security-update/
Restart Required: Yes
Instructions:
1. Back up your openITCOCKPIT installation and database.
2. Download openITCOCKPIT 4.6.5 from the official repository.
3. Follow the upgrade instructions at https://docs.openitcockpit.io/.
4. Restart the openITCOCKPIT service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation for the sort parameter so that only expected values are accepted
Modify the API endpoint code to validate the sort parameter against a whitelist of allowed values
Web Application Firewall Rules
Deploy WAF rules to block SQL injection patterns in API requests
Add a WAF rule that detects and blocks SQL keywords in the sort parameter (e.g., UNION, SELECT, INSERT, DELETE, DROP)
🧯 If You Can't Patch
- Restrict API access to trusted IP addresses only using firewall rules
- Implement additional authentication/authorization layers and monitor for suspicious API activity
🔍 How to Verify
Check if Vulnerable:
Check whether the installation runs openITCOCKPIT version 4.6.4 or earlier via the web interface or configuration files
Check Version:
Check the web interface dashboard or examine the /opt/openitc/frontend/config/version.php file
Verify Fix Applied:
Verify the version is 4.6.5 or later and test the API endpoints with malicious sort parameters to confirm they are rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- API requests with suspicious sort parameters containing SQL keywords
- Multiple failed login attempts followed by API access
Network Indicators:
- Unusual API traffic patterns
- Requests to API endpoints with SQL injection payloads in parameters
SIEM Query:
source="openitcockpit" AND (url="*api*" AND param="*sort*" AND (value="*UNION*" OR value="*SELECT*" OR value="*INSERT*" OR value="*DELETE*" OR value="*DROP*"))
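The sort-parameter whitelist workaround above and the SIEM indicator logic, as an added Python illustration that is not openITCOCKPIT's code (the project itself is PHP). The field-to-column mapping, the `hosts` table and the access-log lines are all constructed for this example.

```python
"""Added example, not openITCOCKPIT code: allow-list a `sort` parameter before it
reaches ORDER BY, and scan access-log lines for the SIEM indicators above."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-lists (API field -> column; direction). Unlisted input is rejected, not escaped.
SORTABLE = {"name": "name", "created": "created_at", "status": "status"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def validate_sort(sort, default="name.asc"):
    """Map 'field' or 'field.direction' to (column, direction) via the allow-lists;
    anything else raises ValueError so the request is refused, not concatenated."""
    field, _, direction = (sort or default).partition(".")
    direction = direction or "asc"
    if field not in SORTABLE or direction not in DIRECTIONS:
        raise ValueError(f"sort parameter not allowed: {sort!r}")
    return SORTABLE[field], DIRECTIONS[direction]

def list_hosts(conn, sort=None):
    """Interpolating here is safe: both tokens come from our own dicts, never from the request."""
    column, direction = validate_sort(sort)
    return [r[0] for r in conn.execute(f"SELECT name FROM hosts ORDER BY {column} {direction}")]

def demo_db():
    conn = sqlite3.connect(":memory:")  # constructed stand-in for the real schema
    conn.execute("CREATE TABLE hosts (name TEXT, created_at TEXT, status TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)", [("web01", "2023-03-09", "up"),
                     ("db01", "2023-01-05", "down"), ("mon01", "2023-02-11", "up")])
    return conn

# Detection: the SIEM query's keyword list, applied to each API request's decoded sort value.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE|DROP)\b", re.I)

def suspicious_sort_values(log_lines):
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and "api" in m.group(1).lower():
            for value in parse_qs(urlsplit(m.group(1)).query).get("sort", []):
                if SQL_KEYWORDS.search(value):
                    hits.append(value)
    return hits

SAMPLE_LOG = [  # constructed access-log lines, not real openITCOCKPIT output
    '10.0.0.5 - - [14/Jun/2023:10:01:02] "GET /api/hosts?sort=name.asc HTTP/1.1" 200',
    '10.0.0.9 - - [14/Jun/2023:10:01:07] "GET /api/hosts?sort=name%20UNION%20SELECT HTTP/1.1" 200',
    '10.0.0.5 - - [14/Jun/2023:10:02:00] "GET /login?sort=DROP HTTP/1.1" 200',
]
```

The third log line is deliberately outside the API path, so it is ignored even though its sort value carries a keyword, matching the `url="*api*"` condition of the SIEM query.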