CVE-2023-40361

7.8 HIGH

📋 TL;DR

CVE-2023-40361 is an insecure-permissions vulnerability in SECUDOS Qiata (DOMOS OS): the previewRm.sh script that cron runs as root is world-writable. Any user with an account on the system can write commands into the file, and cron then executes them with root privileges. Organizations running the affected DOMOS OS version are exposed to local privilege escalation.

💻 Affected Systems

Products:
  • SECUDOS Qiata (DOMOS OS)
Versions: 4.13
Operating Systems: Linux-based DOMOS OS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration. Requires attacker to have any user account on the system.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root access, allowing attackers to install persistent backdoors, exfiltrate sensitive data, or disrupt operations.

🟠

Likely Case

Privilege escalation from low-privileged user to root, enabling lateral movement and further system exploitation.

🟢

If Mitigated

Limited impact if proper access controls prevent unauthorized user accounts from accessing the system.

🌐 Internet-Facing: MEDIUM - While exploitation requires authenticated access, internet-facing systems with user accounts are vulnerable.
🏢 Internal Only: HIGH - Internal users with any level of access can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is straightforward and needs no tooling: the attacker appends commands to the world-writable script and waits for cron to run it as root. It requires shell or other file-write access as any local user; it is not remotely exploitable without an account.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Apply workarounds below and monitor vendor for updates.

🔧 Temporary Workarounds

Fix File Permissions

Remove the world-writable bit from previewRm.sh and make sure root owns it. The advisory does not state where the script lives on DOMOS (the /etc/cron.daily path used elsewhere on this page is an assumption), so locate the file by name first and use the real path:

chmod 750 /path/to/previewRm.sh
chown root:root /path/to/previewRm.sh

Before trusting the script again, read it: a file that has been world-writable may already carry an attacker's additions. Also confirm that its parent directory is not world-writable, otherwise any user can simply replace the file regardless of its own mode.

Disable Cronjob

Temporarily disable the vulnerable cronjob by moving the script out of the cron directory:

mv /etc/cron.daily/previewRm.sh /etc/cron.daily/previewRm.sh.disabled

Renaming only stops cron from running the file; it stays world-writable, so fix its permissions as well. If the job is scheduled from a crontab entry rather than by its placement in /etc/cron.daily, remove that entry instead. The page does not document what previewRm.sh does, so expect whatever product function it serves to stop while it is disabled.

🧯 If You Can't Patch

  • Restrict user access to DOMOS systems to only necessary personnel
  • Implement strict monitoring for file permission changes and cronjob execution

🔍 How to Verify

Check if Vulnerable:

Check permissions and ownership (the path is the one this page assumes; locate the file by name if it is elsewhere):

stat -c '%A %U:%G %n' /etc/cron.daily/previewRm.sh

The system is vulnerable if the ninth character of the mode string is w (for example -rwxrwxrwx or -rw-rw-rw-); matching only those two exact strings would miss other world-writable modes such as -rwxrwxrw-. An owner other than root, or a group-writable file whose group is not root, is a problem too.

Check Version:

grep VERSION /etc/os-release

This reports the underlying DOMOS OS release. The affected version on this page (4.13) is the Qiata product version, so compare the Qiata application version as well.

Verify Fix Applied:

stat -c '%A %U:%G %n' /etc/cron.daily/previewRm.sh

Expect a mode with no write bit for group or other and root ownership, for example -rwxr-x--- root:root.
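The checks above as a script, added here as an example and not code from the advisory or from SECUDOS. It generalises the CVE's condition to any script a root cron job runs: it flags the world-writable bit, a non-root owner, group write by a non-root group, and a parent directory that lets any user replace the file. The default path is an assumption (the advisory does not say where previewRm.sh lives); pass the real path as the first argument.

```sh
#!/bin/sh
# Added example for CVE-2023-40361 (not SECUDOS code): audit a script that a
# root cron job executes. The default path is an ASSUMPTION; find the real one
# with: find / -xdev -type f -name previewRm.sh 2>/dev/null

# file_world_writable FILE -> success if the "other" write bit is set
file_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# file_group_writable FILE -> success if the group write bit is set
file_group_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -0020 2>/dev/null)" ]
}

# dir_replaceable DIR -> success if DIR is world-writable without the sticky
# bit, so anyone can rename or replace files in it even when the file itself
# is root-owned and 0750
dir_replaceable() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -0002 ! -perm -1000 2>/dev/null)" ]
}

# check_cron_script FILE [OWNER]
#   prints one line per finding; returns 1 if anyone other than OWNER
#   (default root) can tamper with the script, 0 if it looks safe,
#   2 if the file does not exist
check_cron_script() {
    f=$1
    want_owner=${2:-root}
    [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    rc=0
    owner=$(stat -c '%U' "$f")
    group=$(stat -c '%G' "$f")
    mode=$(stat -c '%a' "$f")
    if file_world_writable "$f"; then
        echo "VULNERABLE $f mode $mode is world-writable (CVE-2023-40361 condition)"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "VULNERABLE $f owned by $owner, expected $want_owner"
        rc=1
    fi
    # group write is only a problem when the group is not root
    if file_group_writable "$f" && [ "$group" != "root" ]; then
        echo "VULNERABLE $f mode $mode is writable by group $group"
        rc=1
    fi
    if dir_replaceable "$(dirname "$f")"; then
        echo "VULNERABLE $(dirname "$f") lets any user replace $f"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $f mode $mode owner $owner:$group"
    return "$rc"
}

# Run directly with the path as the argument, e.g.
#   sh check_cron_script.sh /etc/cron.daily/previewRm.sh
# Exit status 1 means the script can be tampered with, 2 means not found.
if [ "$#" -gt 0 ]; then
    check_cron_script "$1"
fi
```

Run it before and after applying the chmod/chown workaround; a clean run prints a single OK line and exits 0. Because the parent-directory check uses the sticky bit, a root-owned script in a sticky world-writable directory such as /tmp is not flagged on that count.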

📡 Detection & Monitoring

Log Indicators:

  • Modifications to previewRm.sh: a changed mtime, hash or size, or write/attribute-change events from auditd or file-integrity monitoring. Cron's own log only records that the job ran, so a poisoned previewRm.sh looks identical there to a clean one.
  • Root processes spawned by cron that the script has no reason to start (shells, network download tools, user or key management commands).
  • Permission changes on previewRm.sh, whether back to world-writable or to a mode that differs from the one you set.

Network Indicators:

  • Unusual outbound connections from DOMOS systems at or shortly after the cron job's scheduled run time.

SIEM Query:

Splunk-style example; replace source with whatever your collector names the cron or syslog feed on DOMOS, and pair it with the file-modification events above, since the cron entry alone will not reveal tampering:

source="cron" AND previewRm.sh
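An auditd watch on the script itself, added here as an example that is not from the advisory or the vendor. The path is the location this page assumes; substitute the real one.

```conf
# /etc/audit/rules.d/cve-2023-40361.rules   (added example; path is an assumption)
# log every write and every attribute (mode/owner) change to the cron script,
# tagged with a key so the events can be pulled out with ausearch
-w /etc/cron.daily/previewRm.sh -p wa -k cve-2023-40361
```

Load the rule with augenrules --load (or auditctl -R on the file), then ausearch -k cve-2023-40361 shows which uid, command and executable touched the script, which is exactly the attribution the cron log cannot give you.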
