<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OpenRemote IoT Platform - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/openremote-iot-platform/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/openremote-iot-platform/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenRemote IoT Platform Expression Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-openremote-injection/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-openremote-injection/</guid><description>The OpenRemote IoT platform is vulnerable to expression injection, allowing remote code execution due to an unsandboxed Nashorn JavaScript engine and an inactive Groovy sandbox, leading to full server compromise.</description><content:encoded><![CDATA[<p>The OpenRemote IoT platform contains critical expression injection vulnerabilities within its rules engine. The most significant of these vulnerabilities lies in the platform's use of the Nashorn JavaScript engine without proper sandboxing. This allows attackers with the <code>write:rules</code> role to inject malicious JavaScript code into rulesets, leading to arbitrary code execution on the server. The Groovy sandbox, intended as a security measure for Groovy rules, is rendered ineffective because the registration code is commented out. This lack of sandboxing, coupled with the ability of non-superusers to create JavaScript rulesets, creates a significant attack vector that can result in full server compromise. This vulnerability impacts all versions of the OpenRemote IoT platform prior to a patch.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious JavaScript payload designed to execute arbitrary code on the server, leveraging the <code>java.lang.Runtime</code> class.</li>
<li>The attacker authenticates to the OpenRemote platform with a user account that has the <code>write:rules</code> role.</li>
<li>The attacker sends an HTTP POST request to <code>/api/{realm}/rules/realm</code> with a JSON payload containing the malicious JavaScript code within the <code>rules</code> field and setting <code>lang</code> to <code>JAVASCRIPT</code>.</li>
<li>The <code>RulesResourceImpl.createRealmRuleset()</code> method receives the request and, due to the lack of validation for JavaScript rules, bypasses the intended Groovy-only restriction.</li>
<li>The malicious JavaScript code is then passed to the <code>RulesetStorageService.merge()</code> method and persisted in the <code>REALM_RULESET</code> table.</li>
<li>A Hibernate event listener is triggered, publishing a persistence event to a Camel SEDA topic.</li>
<li>The <code>RulesService</code> consumes this event and deploys the ruleset, triggering the execution of the attacker-controlled JavaScript code via <code>scriptEngine.eval(script, engineScope)</code> in <code>RulesetDeployment.java</code> L368.</li>
<li>The attacker achieves arbitrary code execution on the server, potentially leading to full server compromise, data exfiltration, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to execute arbitrary code on the OpenRemote server. This can lead to full system compromise, including the ability to steal sensitive data, modify system configurations, or use the compromised server as a launchpad for further attacks. The lack of authentication requirements beyond the <code>write:rules</code> role significantly increases the risk of exploitation. Given the platform's use in IoT environments, the impact could extend to control over physical devices and infrastructure managed by the OpenRemote platform.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided by OpenRemote immediately to address the expression injection vulnerabilities (reference: <a href="https://github.com/advisories/GHSA-7mqr-33rv-p3mp">https://github.com/advisories/GHSA-7mqr-33rv-p3mp</a>).</li>
<li>Monitor web server logs for POST requests to <code>/api/{realm}/rules/realm</code> containing <code>lang: &quot;JAVASCRIPT&quot;</code> in the request body, and investigate any suspicious activity (reference: webserver log monitoring).</li>
<li>Deploy the Sigma rule provided to detect the creation of JavaScript rulesets, and tune for your environment.</li>
<li>Implement strict input validation and output encoding for all user-supplied data to prevent expression injection attacks.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>openremote</category><category>expression-injection</category><category>remote-code-execution</category><category>iot</category></item></channel></rss>