OpenRemote IoT Platform Expression Injection Vulnerability
The OpenRemote IoT platform is vulnerable to expression injection, allowing remote code execution due to an unsandboxed Nashorn JavaScript engine and an inactive Groovy sandbox, leading to full server compromise.
The OpenRemote IoT platform contains critical expression injection vulnerabilities within its rules engine. The most significant of these vulnerabilities lies in the platform's use of the Nashorn JavaScript engine without proper sandboxing. This allows attackers with the write:rules role to inject malicious JavaScript code into rulesets, leading to arbitrary code execution on the server. The Groovy sandbox, intended as a security measure for Groovy rules, is rendered ineffective because the registration code is commented out. This lack of sandboxing, coupled with the ability of non-superusers to create JavaScript rulesets, creates a significant attack vector that can result in full server compromise. This vulnerability impacts all versions of the OpenRemote IoT platform prior to a patch.
Attack Chain
- An attacker crafts a malicious JavaScript payload designed to execute arbitrary code on the server, leveraging the
java.lang.Runtimeclass. - The attacker authenticates to the OpenRemote platform with a user account that has the
write:rulesrole. - The attacker sends an HTTP POST request to
/api/{realm}/rules/realmwith a JSON payload containing the malicious JavaScript code within therulesfield and settinglangtoJAVASCRIPT. - The
RulesResourceImpl.createRealmRuleset()method receives the request and, due to the lack of validation for JavaScript rules, bypasses the intended Groovy-only restriction. - The malicious JavaScript code is then passed to the
RulesetStorageService.merge()method and persisted in theREALM_RULESETtable. - A Hibernate event listener is triggered, publishing a persistence event to a Camel SEDA topic.
- The
RulesServiceconsumes this event and deploys the ruleset, triggering the execution of the attacker-controlled JavaScript code viascriptEngine.eval(script, engineScope)inRulesetDeployment.javaL368. - The attacker achieves arbitrary code execution on the server, potentially leading to full server compromise, data exfiltration, or other malicious activities.
Impact
Successful exploitation of this vulnerability allows attackers to execute arbitrary code on the OpenRemote server. This can lead to full system compromise, including the ability to steal sensitive data, modify system configurations, or use the compromised server as a launchpad for further attacks. The lack of authentication requirements beyond the write:rules role significantly increases the risk of exploitation. Given the platform's use in IoT environments, the impact could extend to control over physical devices and infrastructure managed by the OpenRemote platform.
Recommendation
- Apply the patch provided by OpenRemote immediately to address the expression injection vulnerabilities (reference: https://github.com/advisories/GHSA-7mqr-33rv-p3mp).
- Monitor web server logs for POST requests to
/api/{realm}/rules/realmcontaininglang: "JAVASCRIPT"in the request body, and investigate any suspicious activity (reference: webserver log monitoring). - Deploy the Sigma rule provided to detect the creation of JavaScript rulesets, and tune for your environment.
- Implement strict input validation and output encoding for all user-supplied data to prevent expression injection attacks.
Detection coverage 2
Detect OpenRemote JavaScript Ruleset Creation
highDetects the creation of JavaScript rulesets in OpenRemote, which can be indicative of expression injection attacks.
Detect OpenRemote Groovy Ruleset Creation (Superuser Only)
mediumDetects the creation of Groovy rulesets in OpenRemote, which should only be allowed by superusers.
Detection queries are available on the platform. Get full rules →