CVE-2024-46977
📋 TL;DR
OpenC3 COSMOS contains a path traversal vulnerability in LocalMode's open_local_file method that allows authenticated users with adequate permissions to download arbitrary .txt files via the ScreensController#show endpoint. This affects all OpenC3 COSMOS deployments running versions earlier than 5.19.0. The vulnerability could lead to unauthorized file access and information disclosure.
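The following Ruby example illustrates the containment check that a file-serving method such as open_local_file needs in order to stop this class of bug: the requested name is resolved under a fixed base directory, anything that escapes that directory or is not a .txt file is refused. It is an added example, not OpenC3 COSMOS code; the base directory, method names and error class are assumptions.

```ruby
require 'pathname'

# Raised for any request that fails the containment or extension checks.
class LocalFileError < StandardError; end

# Resolve +requested+ under +base_dir+ and return the safe absolute Pathname.
# +requested+ must already be URL-decoded (i.e. the same string the file
# system would see); decoding after this check would reopen the hole.
def safe_local_path(base_dir, requested)
  base = Pathname.new(base_dir).expand_path

  # Absolute paths are never acceptable: everything is relative to base.
  raise LocalFileError, 'absolute path not allowed' if Pathname.new(requested).absolute?

  # Pathname#+ and expand_path collapse '.' and '..' segments lexically,
  # so the resulting path shows where the request really points.
  target = (base + requested).expand_path

  # Containment: target must be base itself or live strictly beneath it.
  # The trailing separator prevents "/srv/cosmos2" matching base "/srv/cosmos".
  inside = target == base || target.to_s.start_with?(base.to_s + File::SEPARATOR)
  raise LocalFileError, 'path escapes base directory' unless inside

  # Only the intended file type is served.
  raise LocalFileError, 'only .txt files are served' unless target.extname == '.txt'

  target
end

# Hypothetical replacement for the vulnerable method: read only after the check.
def open_local_file(base_dir, requested)
  File.read(safe_local_path(base_dir, requested))
end

# Helper for tests: true when the request is rejected by the checks above.
def rejected?(base_dir, requested)
  safe_local_path(base_dir, requested)
  false
rescue LocalFileError
  true
end

if __FILE__ == $PROGRAM_NAME
  base = '/srv/cosmos/screens' # constructed example directory
  puts safe_local_path(base, 'INST/demo.txt')
  puts rejected?(base, '../../config/secret.txt')
end
```

Where the served file must already exist, `Pathname#realpath` on the resolved target gives a stronger check than `expand_path` because it also follows symbolic links before the containment comparison.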
💻 Affected Systems
- OpenC3 COSMOS
📦 What is this software?
Cosmos by Openc3
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive system files, configuration files, or credential files stored as .txt, potentially leading to complete system compromise or data exfiltration.
Likely Case
Authenticated users could access unauthorized .txt files within the COSMOS directory structure, potentially exposing configuration data, logs, or other sensitive information.
If Mitigated
With proper file permissions and network segmentation, impact would be limited to accessible .txt files within the COSMOS application scope.
🎯 Exploit Status
Exploitation requires authenticated access with appropriate permissions; path traversal is a well-understood attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.19.0
Vendor Advisory: https://github.com/OpenC3/cosmos/security/advisories/GHSA-8jxr-mccc-mwg8
Restart Required: Yes
Instructions:
1. Back up the current COSMOS configuration and data.
2. Upgrade to OpenC3 COSMOS version 5.19.0 or later.
3. Restart the COSMOS service.
4. Verify the fix by testing the previously vulnerable endpoint.
🔧 Temporary Workarounds
Restrict file permissions
Set strict file permissions on sensitive .txt files so that the account running COSMOS cannot read them; traversal through the application only reaches files that account can read.
chmod 600 sensitive_file.txt
chown root:root sensitive_file.txt
Network segmentation
Restrict network access to the COSMOS web interface to trusted users only (the ACCEPT rule must be added before the DROP rule, as below).
iptables -A INPUT -p tcp --dport <cosmos_port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <cosmos_port> -j DROP
🧯 If You Can't Patch
- Implement strict access controls to limit which users have permissions to access the vulnerable endpoint.
- Monitor and audit file access attempts through the COSMOS web interface for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check whether the current COSMOS version is below 5.19.0; if it is, test authenticated access to the ScreensController#show endpoint with path traversal payloads.
Check Version:
Check COSMOS version in web interface or run appropriate version check command for your installation method.
Verify Fix Applied:
After upgrading to 5.19.0 or later, repeat the path traversal test; a successful fix returns an error response instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns via ScreensController#show endpoint
- Multiple failed path traversal attempts
- Access to .txt files outside expected directories
Network Indicators:
- HTTP requests containing path traversal sequences (../) to COSMOS web endpoints
- Unusual file download patterns from COSMOS interface
SIEM Query:
source="cosmos_logs" AND (uri="*../*" OR uri="*..%2f*") AND endpoint="ScreensController#show"
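As an added example of the detection logic the indicators above describe (not part of the original advisory or of COSMOS), the Ruby script below scans constructed web-access log lines for traversal sequences aimed at the screens endpoint. The log format, the `/api/screens/` route used to stand for ScreensController#show, and the alert thresholds are assumptions; it goes one step beyond the SIEM query by decoding percent-encoding repeatedly, so double-encoded variants such as `..%252f` are caught too.

```ruby
# Constructed sample log lines in an assumed format:
#   <timestamp> <user> <method> <uri> <status>
SAMPLE_LOGS = <<~LOG.lines(chomp: true)
  2024-09-20T10:00:01Z alice GET /api/screens/INST/demo.txt 200
  2024-09-20T10:00:02Z bob GET /api/screens/../../config/secret.txt 200
  2024-09-20T10:00:03Z bob GET /api/screens/..%2F..%2Fconfig%2Fsecret.txt 403
  2024-09-20T10:00:04Z carol GET /api/screens/INST/..%252f..%252fconfig%252fsecret.txt 403
  2024-09-20T10:00:05Z carol GET /api/screens/INST/%2e%2e/%2e%2e/config/secret.txt 403
  2024-09-20T10:00:06Z dave GET /api/other/../index.txt 200
  2024-09-20T10:00:07Z alice GET /api/screens/INST/other.txt 200
LOG

# Assumed route prefix standing in for ScreensController#show.
SCREENS_PATH = %r{\A/api/screens/}
# A '..' path segment, after decoding and backslash normalisation.
TRAVERSAL = %r{(?:\A|/)\.\.(?:/|\z)}

# Percent-decode until the string stops changing (bounded), so that
# "..%2f", "%2e%2e" and double-encoded "..%252f" all normalise to "../".
def decode_fully(uri, rounds = 3)
  rounds.times do
    decoded = uri.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    break if decoded == uri
    uri = decoded
  end
  uri
end

def parse_line(line)
  ts, user, method, uri, status = line.split(' ', 5)
  { ts: ts, user: user, method: method, uri: uri, status: status.to_i }
end

# True when the request targets the screens endpoint and contains a '..' segment.
def traversal_attempt?(uri)
  path = decode_fully(uri).tr('\\', '/')
  path.match?(SCREENS_PATH) && path.match?(TRAVERSAL)
end

# Group traversal hits per user. Any hit that returned 200 is treated as
# possible disclosure; repeated blocked hits at or above +threshold+ as probing.
def analyze(lines, threshold: 2)
  hits = lines.map { |l| parse_line(l) }.select { |e| traversal_attempt?(e[:uri]) }
  alerts = []
  hits.group_by { |e| e[:user] }.each do |user, evs|
    successes = evs.count { |e| e[:status] == 200 }
    if successes > 0
      alerts << "#{user}: #{successes} traversal request(s) returned 200 (possible disclosure)"
    elsif evs.size >= threshold
      alerts << "#{user}: #{evs.size} blocked traversal attempts (probing)"
    end
  end
  { hits: hits, alerts: alerts }
end

if __FILE__ == $PROGRAM_NAME
  result = analyze(SAMPLE_LOGS)
  result[:hits].each { |h| puts "HIT  #{h[:ts]} #{h[:user]} #{h[:uri]} #{h[:status]}" }
  result[:alerts].each { |a| puts "ALERT #{a}" }
end
```

Requests to other endpoints are deliberately ignored so the rule stays specific to the vulnerable controller; broaden `SCREENS_PATH` to the real route of your deployment before using it against live logs.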