{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/emissary/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Emissary"],"_cs_severities":["critical"],"_cs_tags":["emissary","command-injection","executrix","ghsa-3p24-9x7v-7789"],"_cs_type":"advisory","_cs_vendors":["Emissary"],"content_html":"\u003cp\u003eEmissary, a data processing framework, contains a critical OS command injection vulnerability in its \u003ccode\u003eExecutrix\u003c/code\u003e class. This flaw arises from the unsafe construction of shell commands where user-controlled configuration values, specifically \u003ccode\u003eIN_FILE_ENDING\u003c/code\u003e and \u003ccode\u003eOUT_FILE_ENDING\u003c/code\u003e, are directly incorporated into a \u003ccode\u003e/bin/sh -c\u003c/code\u003e command string without proper sanitization or escaping. An attacker with the ability to modify place configurations can inject arbitrary shell commands by setting these configuration values to malicious sequences. The vulnerability, identified in Emissary versions up to 8.42.0-SNAPSHOT, requires no API or network access and is triggered when the affected place processes any payload. This framework-level defect poses a significant risk as it allows for unauthenticated remote code execution within the JVM's security context.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to modify the configuration of an Emissary \u0026quot;place\u0026quot;, typically through compromised credentials or a separate vulnerability allowing configuration changes.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eIN_FILE_ENDING\u003c/code\u003e or \u003ccode\u003eOUT_FILE_ENDING\u003c/code\u003e configuration value for a vulnerable place (e.g., \u003ccode\u003eUnixCommandPlace\u003c/code\u003e) to a malicious string containing shell metacharacters, such as backticks for command substitution.\u003c/li\u003e\n\u003cli\u003eThe Emissary server is restarted or reloads the modified configuration, applying the attacker-controlled \u003ccode\u003eIN_FILE_ENDING\u003c/code\u003e or \u003ccode\u003eOUT_FILE_ENDING\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eA file is placed into the Emissary pickup directory, triggering the pipeline processing.\u003c/li\u003e\n\u003cli\u003eThe file is routed through the configured places, eventually reaching the place with the malicious \u003ccode\u003eIN_FILE_ENDING\u003c/code\u003e or \u003ccode\u003eOUT_FILE_ENDING\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eExecutrix.getCommand()\u003c/code\u003e method constructs a shell command that includes the unsanitized \u003ccode\u003eIN_FILE_ENDING\u003c/code\u003e or \u003ccode\u003eOUT_FILE_ENDING\u003c/code\u003e value. The injected shell metacharacters are interpreted by the shell.\u003c/li\u003e\n\u003cli\u003eThe constructed command is executed via \u003ccode\u003e/bin/sh -c\u003c/code\u003e, resulting in the attacker-specified commands being executed on the system with the privileges of the Emissary process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution, potentially leading to data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary OS commands on the Emissary server, leading to full system compromise. The vulnerability affects all Emissary deployments where place configurations can be modified. The impact includes potential data breaches, malware installation, and complete control over the affected server. Given the nature of Emissary as a data processing framework, successful exploitation could allow attackers to compromise sensitive data being processed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eIN_FILE_ENDING\u003c/code\u003e and \u003ccode\u003eOUT_FILE_ENDING\u003c/code\u003e configuration parameters to prevent shell injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Emissary InfileEnding OutfileEnding Injection Attempt\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for shell metacharacters in configuration files.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit who can modify place configurations in Emissary, as this is the primary attack vector.\u003c/li\u003e\n\u003cli\u003eEnable DEBUG level logging in Emissary to expose the assembled shell command strings. This allows for forensic analysis and detection of injection attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:30:00Z","date_published":"2024-01-09T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-emissary-executrix-injection/","summary":"A vulnerability in Emissary's Executrix class allows for arbitrary OS command execution by injecting shell metacharacters into the IN_FILE_ENDING or OUT_FILE_ENDING configuration values, leading to code execution within the JVM's security context.","title":"Emissary Executrix OS Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-09-emissary-executrix-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Emissary","version":"https://jsonfeed.org/version/1.1"}