{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openremote-iot-platform/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenRemote IoT Platform"],"_cs_severities":["critical"],"_cs_tags":["openremote","expression-injection","remote-code-execution","iot"],"_cs_type":"advisory","_cs_vendors":["OpenRemote"],"content_html":"\u003cp\u003eThe OpenRemote IoT platform contains critical expression injection vulnerabilities within its rules engine. The most significant of these vulnerabilities lies in the platform's use of the Nashorn JavaScript engine without proper sandboxing. This allows attackers with the \u003ccode\u003ewrite:rules\u003c/code\u003e role to inject malicious JavaScript code into rulesets, leading to arbitrary code execution on the server. The Groovy sandbox, intended as a security measure for Groovy rules, is rendered ineffective because the registration code is commented out. This lack of sandboxing, coupled with the ability of non-superusers to create JavaScript rulesets, creates a significant attack vector that can result in full server compromise. This vulnerability impacts all versions of the OpenRemote IoT platform prior to a patch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious JavaScript payload designed to execute arbitrary code on the server, leveraging the \u003ccode\u003ejava.lang.Runtime\u003c/code\u003e class.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the OpenRemote platform with a user account that has the \u003ccode\u003ewrite:rules\u003c/code\u003e role.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to \u003ccode\u003e/api/{realm}/rules/realm\u003c/code\u003e with a JSON payload containing the malicious JavaScript code within the \u003ccode\u003erules\u003c/code\u003e field and setting \u003ccode\u003elang\u003c/code\u003e to \u003ccode\u003eJAVASCRIPT\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eRulesResourceImpl.createRealmRuleset()\u003c/code\u003e method receives the request and, due to the lack of validation for JavaScript rules, bypasses the intended Groovy-only restriction.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code is then passed to the \u003ccode\u003eRulesetStorageService.merge()\u003c/code\u003e method and persisted in the \u003ccode\u003eREALM_RULESET\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eA Hibernate event listener is triggered, publishing a persistence event to a Camel SEDA topic.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eRulesService\u003c/code\u003e consumes this event and deploys the ruleset, triggering the execution of the attacker-controlled JavaScript code via \u003ccode\u003escriptEngine.eval(script, engineScope)\u003c/code\u003e in \u003ccode\u003eRulesetDeployment.java\u003c/code\u003e L368.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server, potentially leading to full server compromise, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code on the OpenRemote server. This can lead to full system compromise, including the ability to steal sensitive data, modify system configurations, or use the compromised server as a launchpad for further attacks. The lack of authentication requirements beyond the \u003ccode\u003ewrite:rules\u003c/code\u003e role significantly increases the risk of exploitation. Given the platform's use in IoT environments, the impact could extend to control over physical devices and infrastructure managed by the OpenRemote platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided by OpenRemote immediately to address the expression injection vulnerabilities (reference: \u003ca href=\"https://github.com/advisories/GHSA-7mqr-33rv-p3mp\"\u003ehttps://github.com/advisories/GHSA-7mqr-33rv-p3mp\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/{realm}/rules/realm\u003c/code\u003e containing \u003ccode\u003elang: \u0026quot;JAVASCRIPT\u0026quot;\u003c/code\u003e in the request body, and investigate any suspicious activity (reference: webserver log monitoring).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect the creation of JavaScript rulesets, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and output encoding for all user-supplied data to prevent expression injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-openremote-injection/","summary":"The OpenRemote IoT platform is vulnerable to expression injection, allowing remote code execution due to an unsandboxed Nashorn JavaScript engine and an inactive Groovy sandbox, leading to full server compromise.","title":"OpenRemote IoT Platform Expression Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-09-openremote-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenRemote IoT Platform","version":"https://jsonfeed.org/version/1.1"}