https://feed.craftedsignal.io/tags/cosmos/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 23 Apr 2026 14:12:02 +0000https://feed.craftedsignal.io/briefs/2024-01-09-openc3-sql-injection/Thu, 23 Apr 2026 14:12:02 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-09-openc3-sql-injection/A SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS, allowing an authenticated remote user to execute arbitrary SQL commands, including telemetry data disclosure and deletion.A SQL injection vulnerability has been identified in the OpenC3 COSMOS Time-Series Database (TSDB) component, which utilizes QuestDB. The vulnerability resides within the tsdb_lookup function in the cvt_model.rb file, where user-supplied input is directly incorporated into SQL queries without proper sanitization. An authenticated attacker with “tlm” permissions, which includes Admin, Operator, Viewer, or Runner roles, can exploit this flaw to inject arbitrary SQL commands. This can lead to unauthorized data access, modification, or deletion within the TSDB. The affected versions are OpenC3 rubygems package versions >= 6.7.0 and < 7.0.0-rc3. Successful exploitation allows attackers to compromise the confidentiality, integrity, and availability of telemetry data stored within the COSMOS system.

Attack Chain

1. An attacker authenticates to the COSMOS system with a role that possesses “tlm” permissions (Admin, Operator, Viewer, or Runner).
2. The attacker crafts a malicious JSON-RPC request targeting the get_tlm_values endpoint.
3. Within the request body, the attacker injects a SQL payload into the start_time parameter, such as ' OR 1=1 --.
4. The tsdb_lookup function incorporates the unsanitized input into a SQL query.
5. The injected SQL payload manipulates the query logic, allowing the attacker to bypass intended restrictions.
6. The attacker can then exfiltrate all telemetry data within the database by manipulating the SQL query.
7. The attacker modifies the SQL payload to execute arbitrary commands, such as DROP TABLE statements.
8. The attacker successfully deletes historical data from the database, impacting data availability and system integrity.

Impact

Successful exploitation of this SQL injection vulnerability allows an attacker to perform unauthorized actions on the OpenC3 COSMOS Time-Series Database (TSDB). An attacker with “tlm” permissions can disclose sensitive telemetry data, modify existing data, or delete data altogether. The vulnerability impacts systems running OpenC3 rubygems package versions >= 6.7.0 and < 7.0.0-rc3. Depending on the role of the compromised account and the specific SQL commands executed, an attacker could potentially cause significant disruption to operations relying on the integrity and availability of telemetry data.

Recommendation

• Upgrade the rubygems/openc3 package to version 7.0.0-rc3 or later to remediate the SQL injection vulnerability.
• Implement input sanitization on user-supplied data within the tsdb_lookup function in cvt_model.rb to prevent SQL injection attacks.
• Deploy the Sigma rule “Detect Suspicious OpenC3 Telemetry Requests” to identify potential exploitation attempts targeting the get_tlm_values endpoint.
• Review and restrict “tlm” permissions to the get_tlm_values RPC endpoint according to the principle of least privilege, limiting access to only those users who require it.

]]>criticaladvisorysql-injectionopenc3cosmosquestdbtelemetryhttps://feed.craftedsignal.io/briefs/2024-11-openc3-cosmos-bypass/Fri, 08 Nov 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-11-openc3-cosmos-bypass/The OpenC3 COSMOS Script Runner widget allows authenticated users to bypass API permissions checks and execute administrative actions by running specially crafted Python and Ruby scripts, leading to data manipulation and privilege escalation.The openc3-COSMOS-script-runner-api container includes a Script Runner widget that enables users to execute Python and Ruby scripts. A vulnerability exists where users with script execution privileges can bypass API permission checks due to shared networking among Docker containers. This bypass allows unauthorized administrative actions such as reading and modifying data within the Redis database, which can lead to the exposure of sensitive credentials and alteration of COSMOS settings. Attackers can also read and write to the buckets service, affecting configuration, logs, and plugins. The vulnerability affects versions prior to 7.0.0-rc3 of the rubygems/openc3 package, posing a significant risk to data integrity and system security. Any authenticated user with script execution capabilities can exploit this flaw to connect to any service within the Docker network, escalating their privileges and gaining control over critical system components.

Attack Chain

1. An attacker logs into the OpenC3 COSMOS platform with a valid, non-administrative user account that has access to the Script Runner widget.
2. The attacker crafts a Ruby script to extract Redis credentials (username, password, hostname, port) by querying the environment variables within the openc3-COSMOS-script-runner-api container using a command like puts \env | grep redis``.
3. The attacker executes the Ruby script within the Script Runner widget, successfully retrieving the Redis credentials, which are then displayed in the script’s output.
4. The attacker crafts a Python script using the obtained Redis credentials to connect to the Redis database. The script is designed to create a new entry or modify an existing one. For example, r.hset('openc3__settings_hacked','store_url',json.dumps(setting_data))
5. The attacker executes the Python script within the Script Runner widget, successfully adding or modifying data in the Redis database, bypassing normal permission controls.
6. The attacker leverages the ability to write to the buckets service to modify critical system configuration files, such as the plugin store URL, by uploading a malicious file via a Python or Ruby script.
7. The attacker verifies the changes by using redis-cli to confirm the new data was added to the Redis database, or by observing the altered behavior of the system due to the modified configuration files.
8. The attacker gains complete control over the OpenC3 COSMOS environment by exploiting modified settings, potentially leading to data exfiltration, service disruption, or further lateral movement within the network.

Impact

Successful exploitation of this vulnerability allows unauthorized data disclosure and manipulation within the OpenC3 COSMOS environment. An attacker can access sensitive information such as Redis credentials, modify system settings, and alter configuration files, leading to privilege escalation. The number of affected installations is currently unknown, but the vulnerability poses a significant risk to organizations using OpenC3 COSMOS, potentially resulting in complete system compromise and loss of data integrity. The vulnerability allows unauthorized access to data and functionality typically restricted to administrators, bypassing intended security controls.

Recommendation

• Upgrade the rubygems/openc3 package to version 7.0.0-rc3 or later to remediate the vulnerability (reference: rubygems/openc3 v7.0.0-rc3).
• Implement network segmentation to isolate the openc3-COSMOS-script-runner-api container from other critical services like Redis, limiting the blast radius of potential attacks.
• Deploy the Sigma rule to detect the execution of suspicious scripts within the Script Runner widget that attempt to access Redis or modify configuration files.
• Monitor process creation events within the openc3-COSMOS-script-runner-api container for commands such as env | grep redis or any calls to redis-cli which is abnormal behavior, and create alerts (reference: process_creation log source).

]]>criticaladvisoryopenc3cosmosscript-runnerpermissions-bypassprivilege-escalation