CVE-2023-50094
📋 TL;DR
CVE-2023-50094 is an OS command injection vulnerability in the reNgine web application security scanner, versions before 2.1.2. An authenticated attacker can execute arbitrary commands with root privileges by injecting shell metacharacters into the url parameter of the WAF detector API endpoint, which is passed unsanitized to a subprocess call. This affects all reNgine deployments whose API endpoints are exposed.
💻 Affected Systems
- reNgine
📦 What is this software?
reNgine is an open-source automated reconnaissance and web application security scanning framework published on GitHub by yogeshojha (github.com/yogeshojha/rengine).
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level command execution, allowing complete control over the host system, data exfiltration, lateral movement, and persistence establishment.
Likely Case
Unauthorized command execution leading to data theft, system reconnaissance, or deployment of additional malware/backdoors on the vulnerable host.
If Mitigated
Limited impact due to network segmentation, restricted API access, or proper input validation preventing command injection.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once an attacker obtains valid session credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.2 and later
Vendor Advisory: https://github.com/yogeshojha/rengine/releases
Restart Required: Yes
Instructions:
1. Back up the current installation.
2. Update to reNgine 2.1.2 or later via git pull or a fresh installation.
3. Restart all reNgine services.
4. Verify the fix by checking the version and testing the previously vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation for the url parameter of the WAF detector API endpoint (/api/tools/waf_detector/).
Modify web/api/views.py so the url parameter is validated before it reaches subprocess.check_output(); passing the command as an argument list rather than a shell string removes the shell parsing that makes the injection possible.
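The shape of that fix, as an added example that is not reNgine's own code: the url parameter is restricted to an absolute http(s) URL built from RFC 3986 characters, and the tool is invoked with an argv list so the URL is never parsed by a shell. The tool name waf_scanner and its support for the conventional "--" end-of-options marker are assumptions.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed example: "waf_scanner" is a placeholder for whatever command-line
# WAF fingerprinting tool the endpoint wraps; it is not reNgine's real binary.
WAF_TOOL = "waf_scanner"

# Hostname or IPv4 literal with optional port; userinfo and IPv6 literals are rejected.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$")
# RFC 3986 characters permitted anywhere in a URL. Backticks, pipes, angle brackets,
# braces, quotes, backslashes, whitespace and control bytes are outside this set.
URL_CHARS_RE = re.compile(r"^[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]*$")


class InvalidTargetURL(ValueError):
    pass


def validate_target_url(url: str) -> str:
    """Return url unchanged if it is an absolute http(s) URL of RFC 3986 characters."""
    if not isinstance(url, str) or not 0 < len(url) <= 2048:
        raise InvalidTargetURL("missing or oversized url")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise InvalidTargetURL("scheme must be http or https")
    if not HOST_RE.match(parts.netloc):
        raise InvalidTargetURL("unexpected host component")
    if not URL_CHARS_RE.match(url):
        raise InvalidTargetURL("character outside the URL character set")
    return url


def is_acceptable_target(url: str) -> bool:
    try:
        validate_target_url(url)
        return True
    except InvalidTargetURL:
        return False


def build_waf_argv(url: str) -> list:
    # The URL becomes exactly one argv element. With a list and no shell=True,
    # "$(...)", ";" or "&" inside it stay literal text instead of being interpreted.
    # The scheme check also guarantees it cannot start with "-" and be read as an option.
    return [WAF_TOOL, "--", validate_target_url(url)]


def run_waf_detector(url: str, timeout: int = 120) -> str:
    # Vulnerable shape this replaces: check_output(f"{WAF_TOOL} {url}", shell=True)
    proc = subprocess.run(build_waf_argv(url), capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout
```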
API Endpoint Restriction
Restrict access to the vulnerable API endpoint using a web application firewall or host access controls. With iptables, append the ACCEPT rule for trusted sources before the DROP rule (replace the bracketed placeholders with your values):
iptables -A INPUT -p tcp --dport [API_PORT] -s [TRUSTED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [API_PORT] -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate reNgine instances from critical systems
- Deploy web application firewall with command injection detection rules and restrict API endpoint access
🔍 How to Verify
Check if Vulnerable:
Check whether the reNgine version is below 2.1.2 and examine web/api/views.py for subprocess.check_output() calls that receive the url parameter without validation.
Check Version:
cd /path/to/rengine && git describe --tags (or check the version shown in the web interface)
Verify Fix Applied:
Verify the version is 2.1.2 or higher and test the /api/tools/waf_detector/ endpoint with shell metacharacters in the url parameter to confirm they are rejected or handled literally rather than interpreted.
📡 Detection & Monitoring
Log Indicators:
- Unexpected child processes spawned by the reNgine web application process
- Shell metacharacters in API request logs to /api/tools/waf_detector/
- Multiple failed authentication attempts followed by successful API access
Network Indicators:
- Unusual outbound connections from reNgine host
- Command and control traffic patterns
- Data exfiltration from reNgine system
SIEM Query:
source="rengine_logs" AND (url="*;*" OR url="*|*" OR url="*`*" OR url="*$(*" OR url="*&*" OR url="*>*" OR url="*<*")
Note that & and ; also occur in ordinary query strings, so those terms will generate false positives; the backtick, $( and | patterns are the higher-signal matches.
🔗 References
- https://github.com/yogeshojha/rengine/blob/53d9f505f04861a5040195ea71f20907ff90577a/web/api/views.py#L268-L275
- https://github.com/yogeshojha/rengine/blob/5e120bd5f9dfbd1da82a193e8c9702e483d38d22/web/api/views.py#L195
- https://github.com/yogeshojha/rengine/commit/3d5f1724dd12cf9861443742e7d7c02ff8c75a6f
- https://github.com/yogeshojha/rengine/commit/edd3c85ee16f93804ad38dac5602549d2d30a93e
- https://github.com/yogeshojha/rengine/releases
- https://github.com/yogeshojha/rengine/security
- https://github.com/yogeshojha/rengine/security/advisories/GHSA-fx7f-f735-vgh4
- https://www.mattz.io/posts/cve-2023-50094/