{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/permissions-bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openc3"],"_cs_severities":["critical"],"_cs_tags":["openc3","cosmos","script-runner","permissions-bypass","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["rubygems"],"content_html":"\u003cp\u003eThe openc3-COSMOS-script-runner-api container includes a Script Runner widget that enables users to execute Python and Ruby scripts. A vulnerability exists where users with script execution privileges can bypass API permission checks due to shared networking among Docker containers. This bypass allows unauthorized administrative actions such as reading and modifying data within the Redis database, which can lead to the exposure of sensitive credentials and alteration of COSMOS settings. Attackers can also read and write to the buckets service, affecting configuration, logs, and plugins. The vulnerability affects versions prior to 7.0.0-rc3 of the rubygems/openc3 package, posing a significant risk to data integrity and system security. Any authenticated user with script execution capabilities can exploit this flaw to connect to any service within the Docker network, escalating their privileges and gaining control over critical system components.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into the OpenC3 COSMOS platform with a valid, non-administrative user account that has access to the Script Runner widget.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a Ruby script to extract Redis credentials (username, password, hostname, port) by querying the environment variables within the \u003ccode\u003eopenc3-COSMOS-script-runner-api\u003c/code\u003e container using a command like \u003ccode\u003eputs \\\u003c/code\u003eenv | grep redis``.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the Ruby script within the Script Runner widget, successfully retrieving the Redis credentials, which are then displayed in the script\u0026rsquo;s output.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a Python script using the obtained Redis credentials to connect to the Redis database. The script is designed to create a new entry or modify an existing one. For example, \u003ccode\u003er.hset('openc3__settings_hacked','store_url',json.dumps(setting_data))\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker executes the Python script within the Script Runner widget, successfully adding or modifying data in the Redis database, bypassing normal permission controls.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the ability to write to the buckets service to modify critical system configuration files, such as the plugin store URL, by uploading a malicious file via a Python or Ruby script.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the changes by using \u003ccode\u003eredis-cli\u003c/code\u003e to confirm the new data was added to the Redis database, or by observing the altered behavior of the system due to the modified configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the OpenC3 COSMOS environment by exploiting modified settings, potentially leading to data exfiltration, service disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthorized data disclosure and manipulation within the OpenC3 COSMOS environment. An attacker can access sensitive information such as Redis credentials, modify system settings, and alter configuration files, leading to privilege escalation. The number of affected installations is currently unknown, but the vulnerability poses a significant risk to organizations using OpenC3 COSMOS, potentially resulting in complete system compromise and loss of data integrity. The vulnerability allows unauthorized access to data and functionality typically restricted to administrators, bypassing intended security controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003erubygems/openc3\u003c/code\u003e package to version 7.0.0-rc3 or later to remediate the vulnerability (reference: rubygems/openc3 v7.0.0-rc3).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate the \u003ccode\u003eopenc3-COSMOS-script-runner-api\u003c/code\u003e container from other critical services like Redis, limiting the blast radius of potential attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of suspicious scripts within the Script Runner widget that attempt to access Redis or modify configuration files.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events within the \u003ccode\u003eopenc3-COSMOS-script-runner-api\u003c/code\u003e container for commands such as \u003ccode\u003eenv | grep redis\u003c/code\u003e or any calls to \u003ccode\u003eredis-cli\u003c/code\u003e which is abnormal behavior, and create alerts (reference: process_creation log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-08T12:00:00Z","date_published":"2024-11-08T12:00:00Z","id":"/briefs/2024-11-openc3-cosmos-bypass/","summary":"The OpenC3 COSMOS Script Runner widget allows authenticated users to bypass API permissions checks and execute administrative actions by running specially crafted Python and Ruby scripts, leading to data manipulation and privilege escalation.","title":"OpenC3 COSMOS Script Runner Permissions Bypass","url":"https://feed.craftedsignal.io/briefs/2024-11-openc3-cosmos-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Permissions-Bypass","version":"https://jsonfeed.org/version/1.1"}