CyRC Vulnerability Advisory: CVE-2023-25826 and CVE-2023-25827 in OpenTSDB

Overview

The Synopsys Cybersecurity Research Center (CyRC) has discovered a remote command execution vulnerability (CVE-2023-25826), and a reflected cross-site scripting (XSS) vulnerability (CVE-2023-25827) in OpenTSDB. OpenTSDB is a distributed time series database (TSDB) working over Apache HBase that is designed for managing, querying, and displaying time-based metrics at a large scale.

CVE-2023-25826: Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.

CVE-2023-25827: Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.

Exploitation

CVE-2023-25826: When supplying requests to the legacy HTTP query API (the ‘/q’ endpoint), crafted system commands can be injected into the ‘key’, ‘style’, and ‘smooth’ parameters that will bypass validation measures. When a request is submitted, parameters are passed to a graph generation shell script where included commands will be executed.

CVE-2023-25827: Malicious URLs can be crafted and supplied to a victim, and they cause request errors for the legacy HTTP query API (the ‘/q’ endpoint) and the logging ‘/logs’ endpoint. Arbitrary JavaScript can be injected into the ‘start’, ‘end’, ‘m’, and ‘key’ parameters of ‘/q’, and the ‘level’ parameter of ‘/logs’. If a victim accesses a crafted URL, included JavaScript will be reflected in the resulting error message and executed within their browser.

Affected software

• OpenTSDB releases 1.0.0 up to and including 2.4.1

Impact

Exploitation of CVE-2023-25826 can lead to the injection of arbitrary OS commands that will be executed by the host system within the privileges of the OpenTSDB application.

Exploitation of CVE-2023-25827 can lead to the execution of arbitrary JavaScript within the browser of a targeted user, allowing an attacker to steal sensitive information retained by their browser, such as configured authentication tokens or session cookies.

CVE-2023-25826

• CVSS base score: 9.8 (Critical)
• CVSS 3.1 Vector: CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2023-25827

• CVSS base score: 8.2 (High)
• CVSS 3.1 Vector: CVSS3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:P/RL:O/RC:C

Remediation

Fixed in the following commits:

• https://github.com/OpenTSDB/opentsdb/pull/2274
• https://github.com/OpenTSDB/opentsdb/pull/2275

Discovery credit

These vulnerabilities were discovered by CyRC researcher Jamie Harris.

Timeline

January 27, 2023: Initial disclosure and confirmation

February 21, 2023: First follow-up

March 8, 2023: Second follow-up

March 29, 2023: Final follow-up

April 11, 2023: OpenTSDB provides fixes

April 12, 2023: Synopsys confirms fixes

May 03, 2023: CVEs published

References

http://opentsdb.net/

https://github.com/OpenTSDB/opentsdb

https://github.com/OpenTSDB/opentsdb/pull/2274

https://github.com/OpenTSDB/opentsdb/pull/2275