<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Indico - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/indico/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/indico/feed.xml" rel="self" type="application/rss+xml"/><item><title>Indico LaTeX Injection Vulnerability (CVE-2026-33046)</title><link>https://feed.craftedsignal.io/briefs/2024-01-indico-latex-injection/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-indico-latex-injection/</guid><description>A critical vulnerability in Indico versions prior to 3.3.12 allows specially-crafted LaTeX snippets to achieve local file read or arbitrary code execution due to insufficient sanitization of LaTeX input, impacting systems where server-side LaTeX rendering is enabled.</description><content:encoded><![CDATA[<p>Indico, an event management system, is vulnerable to a critical flaw (CVE-2026-33046) affecting versions prior to 3.3.12. This vulnerability stems from insufficient sanitization of LaTeX input, allowing attackers to inject specially-crafted LaTeX snippets. By exploiting vulnerabilities in TeXLive and leveraging obscure LaTeX syntax to bypass Indico's LaTeX sanitizer, a malicious actor can potentially read local files or execute arbitrary code on the server. The vulnerability is triggered if server-side LaTeX rendering is enabled, indicated by the presence of <code>XELATEX_PATH</code> in the <code>indico.conf</code> file. This poses a significant risk to organizations utilizing Indico for event management, potentially leading to data breaches or complete system compromise. Defenders must take immediate action to mitigate this risk by updating Indico or disabling LaTeX rendering.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an Indico instance running a version prior to 3.3.12 with server-side LaTeX rendering enabled (XELATEX_PATH configured).</li>
<li>The attacker crafts a malicious LaTeX snippet designed to either read local files or execute arbitrary code. This snippet exploits vulnerabilities in TeXLive and utilizes obscure LaTeX syntax to bypass Indico's built-in sanitization mechanisms.</li>
<li>The attacker injects the malicious LaTeX snippet into a field that is processed by the LaTeX rendering engine. This could be a presentation abstract, a comment, or any other user-controlled input field.</li>
<li>Indico's server-side LaTeX rendering engine processes the injected snippet using xelatex.</li>
<li>Due to the insufficient sanitization, the malicious LaTeX code executes. If designed for file access, the attacker can read sensitive files accessible to the Indico user. If designed for code execution, the attacker gains shell access under the Indico user's privileges.</li>
<li>If the attacker successfully gains code execution, they may establish persistence by creating cron jobs or modifying system files.</li>
<li>The attacker may attempt to escalate privileges within the system to gain root access.</li>
<li>The attacker can then exfiltrate sensitive data, deploy ransomware, or further compromise the Indico system and the network it resides on.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to read arbitrary local files or execute arbitrary code on the Indico server. This can lead to the disclosure of sensitive information, such as database credentials, user data, and internal documents. In the worst-case scenario, an attacker can gain complete control of the Indico server, potentially impacting hundreds or thousands of users and events managed by the platform. The affected sectors are broad, including academic institutions, research organizations, and conference organizers who rely on Indico for event management.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade Indico to version 3.3.12 or later to patch CVE-2026-33046.</li>
<li>Enable the containerized LaTeX renderer using <code>podman</code>, as suggested in the advisory, to isolate the rendering process and mitigate the impact of successful exploitation.</li>
<li>If upgrading or enabling containerization is not immediately feasible, remove the <code>XELATEX_PATH</code> setting from <code>indico.conf</code> (or comment it out or set it to <code>None</code>) and restart the <code>indico-uwsgi</code> and <code>indico-celery</code> services to disable LaTeX functionality. This will prevent the exploitation of the vulnerability.</li>
<li>Deploy the Sigma rule &quot;Detect Indico LaTeX Code Execution via Process Creation&quot; to detect potential exploitation attempts by monitoring for suspicious processes spawned by the LaTeX renderer.</li>
<li>Monitor web server logs for requests containing suspicious LaTeX syntax in request parameters that are likely to be processed by the LaTeX rendering engine, using the Sigma rule &quot;Detect Indico LaTeX Injection Attempts via Web Logs&quot;.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-33046</category><category>indico</category><category>latex</category><category>code_execution</category><category>file_read</category></item></channel></rss>