OpenC3 COSMOS Credential Leak Vulnerability

Vulnerability

A credential leak vulnerability exists in OpenC3 COSMOS version 6.0.0, allowing attackers to access service credentials through environment variables stored in all containers. This vulnerability arises because the Docker containers run as root by default and the environment variables can be modified by users via the application’s web interface. Once altered, the variables can be exposed by rebooting the container, leading to a dump of all credentials, including those for other services.

Impact

Exploitation of this vulnerability results in unauthorized access to sensitive service credentials, which can be leveraged to compromise other services or systems.

Reproduction

The vulnerability can be reproduced by modifying the default scripts included with the OpenC3 COSMOS Script Runner tool. After removing the lines that unset the environment variables, the container can be rebooted, allowing all credentials to be dumped from the environment.

Remediation

It is recommended to remove unnecessary credentials from Docker containers, ensure that essential scripts are read-only and not modifiable by users, and restrict Docker containers from running as root by default.
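One way to check a deployment against these three recommendations, as an added example that is not code from the advisory or from the OpenC3 project: the script below audits `docker inspect` JSON for containers that run as root, carry credential-like environment variable names, or have a writable root filesystem. The container names, variable names and name pattern are constructed for illustration, and the read-only root filesystem flag is used here only as an approximation of "scripts are not modifiable".

```python
import json
import re

# Heuristic for secret-looking variable names (an assumption of this example).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)

# Constructed sample in the shape of `docker inspect` output (not real COSMOS data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/example-script-runner",
     "Config": {"User": "",
                "Env": ["PATH=/usr/bin", "EXAMPLE_DB_PASSWORD=x", "EXAMPLE_API_TOKEN=y"]},
     "HostConfig": {"ReadonlyRootfs": False}},
    {"Name": "/example-hardened",
     "Config": {"User": "1001:1001", "Env": ["PATH=/usr/bin"]},
     "HostConfig": {"ReadonlyRootfs": True}},
])

def runs_as_root(user):
    """Empty Config.User means no USER was set, so the process runs as uid 0."""
    uid = (user or "").split(":", 1)[0]
    return uid in ("", "0", "root")

def audit(inspect_json):
    """Return {container name: [issues]} for containers that miss a recommendation."""
    findings = {}
    for c in json.loads(inspect_json):
        cfg = c.get("Config") or {}
        host = c.get("HostConfig") or {}
        issues = []
        if runs_as_root(cfg.get("User")):
            issues.append("runs as root")
        # Report variable names only, never their values.
        names = [e.split("=", 1)[0] for e in cfg.get("Env") or []]
        secrets = sorted(n for n in names if SECRET_NAME.search(n))
        if secrets:
            issues.append("credential-like env vars: " + ", ".join(secrets))
        if not host.get("ReadonlyRootfs", False):
            issues.append("root filesystem is writable")
        if issues:
            findings[c.get("Name", "?").lstrip("/")] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

To run it against live containers, pass the output of `docker inspect $(docker ps -q)` to `audit()` in place of the constructed sample.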

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.