<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Systeminformation (&lt;= 5.31.6) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/systeminformation--5.31.6/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 23:12:30 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/systeminformation--5.31.6/feed.xml" rel="self" type="application/rss+xml"/><item><title>OS Command Injection Vulnerability in systeminformation Library via networkInterfaces()</title><link>https://feed.craftedsignal.io/briefs/2026-07-os-command-injection-systeminformation/</link><pubDate>Wed, 15 Jul 2026 23:12:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-os-command-injection-systeminformation/</guid><description>A high-severity OS command injection vulnerability, CVE-2026-50289, exists in the `systeminformation` Node.js library on Linux systems, allowing an attacker who can manipulate `interfaces(5)` configuration files to execute arbitrary commands with the privileges of the calling Node.js process by injecting shell metacharacters into `source` directive paths, which are then unsafely interpolated into an `execSync()` command within the `networkInterfaces()` function.</description><content:encoded><![CDATA[<p>The <code>systeminformation</code> Node.js library, specifically versions up to and including 5.31.6, is affected by CVE-2026-50289, a high-severity OS command injection vulnerability on Linux systems, particularly Debian/Ubuntu variants utilizing <code>interfaces(5)</code>. The <code>networkInterfaces()</code> function insecurely handles paths specified in <code>source</code> directives within <code>/etc/network/interfaces</code> and transitively sourced files. When processing these configuration files to collect DHCP state, the library extracts paths from <code>source</code> lines and interpolates them, unquoted, into a shell command string executed via <code>execSync()</code>. This allows an attacker capable of placing or influencing a malicious <code>source</code> path to inject shell metacharacters, leading to arbitrary command execution. This vulnerability presents a significant risk to applications using <code>systeminformation</code> as local inventory, monitoring, or admin-dashboard backends, as successful exploitation grants the attacker command execution with the privileges of the Node.js process.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains the ability to write to or influence the content of <code>/etc/network/interfaces</code> or any file transitively <code>source</code>d by it. This could be a lower-privileged process, a configuration management hook, or a tool that materializes interface snippets from semi-trusted input.</li>
<li>The attacker inserts a <code>source</code> directive into one of these configuration files, where the path contains shell metacharacters (e.g., <code>/dev/null;id&gt;${marker};echo</code>).</li>
<li>A Node.js application, running on the vulnerable Linux system, invokes the <code>systeminformation</code> library's <code>networkInterfaces()</code> function (or <code>getStaticData()</code>, <code>getAllData()</code>).</li>
<li>The <code>networkInterfaces()</code> function on Linux calls <code>getLinuxDHCPNics()</code>, which in turn calls <code>checkLinuxDCHPInterfaces('/etc/network/interfaces')</code>.</li>
<li>Inside <code>checkLinuxDCHPInterfaces()</code>, the function reads the content of the <code>interfaces</code> file using <code>cat ${file} ...</code>. The <code>source</code> directive's malicious path is read and passed as the <code>file</code> argument for a recursive call to <code>checkLinuxDCHPInterfaces()</code>.</li>
<li>In the recursive call, the new malicious <code>file</code> path is unquotedly interpolated into another <code>cat ${file} 2&gt; /dev/null | grep 'iface\\|source'</code> shell command.</li>
<li>The injected shell metacharacters (<code>/dev/null;id&gt;${marker};echo</code> for example) break out of the intended <code>cat</code> command, leading to the execution of arbitrary commands (e.g., <code>id</code>) with the privileges of the Node.js process.</li>
<li>The attacker achieves command execution, potentially elevating privileges or performing further malicious actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-50289 leads to arbitrary command execution on the affected Linux system. Any process that calls <code>networkInterfaces()</code>, often found in local inventory agents, monitoring and diagnostics agents, admin-dashboard backends, or device-management software, is vulnerable. If these Node.js processes run with elevated privileges (e.g., as root), the injected commands will also execute with those elevated privileges, potentially leading to full system compromise. The vulnerability is easily triggered through ordinary usage of core <code>systeminformation</code> APIs, making it a critical risk for systems running vulnerable versions. The attacker gains the ability to run any command, potentially installing backdoors, exfiltrating data, or disrupting services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-50289 immediately</strong>: Update <code>systeminformation</code> to a version greater than 5.31.6 to remediate CVE-2026-50289.</li>
<li><strong>Monitor for suspicious <code>sh</code> or <code>bash</code> process creations</strong>: Deploy the <code>Detect CVE-2026-50289 Exploitation - Suspicious Shell Execution</code> Sigma rule to your SIEM.</li>
<li><strong>Enable process creation logging</strong>: Ensure <code>process_creation</code> logging (e.g., Sysmon on Linux, Auditd) is enabled for Linux systems to capture shell command executions and their arguments.</li>
<li><strong>Restrict write access to network configuration files</strong>: Limit write permissions to <code>/etc/network/interfaces</code> and related directories (<code>/etc/network/interfaces.d/</code>) to only authorized administrators or processes to prevent attackers from injecting malicious <code>source</code> directives.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command-injection</category><category>os-command-injection</category><category>systeminformation</category><category>nodejs</category><category>linux</category><category>exploitation</category></item></channel></rss>