SmartBI RMIServlet Unrestricted File Upload Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in SmartBI versions 8 (prior to July 2023), 9 (through July 2023), and 10 (through July 2023). This vulnerability arises from an unrestricted file upload issue in the RMIServlet request handling. Under certain conditions, attackers can exploit this flaw by sending specially crafted requests that the application processes in a way that executes arbitrary code on the host. The vulnerability has been observed being targeted by the Rondo botnet.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the host where SmartBI is running.

Reproduction

To reproduce this vulnerability, upload a file through the RMIServlet endpoint. The uploaded file can be crafted to include malicious code. Once the file is uploaded, the application may execute the code, depending on the file type and the application's handling of it.

Remediation

SmartBI has released a security update to address this vulnerability. Users are advised to upgrade to the latest version. For those unable to update, it is recommended to configure the application's security settings to allow access only from trusted sources.