Thermo Fisher Torrent Suite Django Application Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in the Thermo Fisher Torrent Suite Django application version 5.18.1. This vulnerability arises from inadequate input validation in the network configuration feature, allowing administrators to unintentionally execute arbitrary commands. The issue occurs when user-supplied data submitted through administrative endpoints is written directly to environment variables by Bash scripts. Those scripts then execute a source command, which can be exploited to run malicious commands.
Impact
Exploitation of this vulnerability allows for unauthorized remote code execution on the server.
Reproduction
To reproduce this vulnerability, an administrator must access the /admin/network endpoint and provide network configuration parameters that include malicious payloads. The application will then process this input, update the environment variables through the TSsetnoproxy and TSsetproxy scripts, and execute the sourced command, leading to arbitrary command execution on the server.
Remediation
Users are advised to review their network configuration and security settings, ensuring that Torrent Suite software is not connected to the public Internet without a firewall. Default credentials should be changed, and the application should be secured behind a properly configured network perimeter to prevent unauthorized access.
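The write-then-source pattern described under Vulnerability can be closed at both ends: validate before writing, and parse the file as data rather than sourcing it. The sketch below is an added example, not code from Torrent Suite or from TSsetproxy/TSsetnoproxy. The function names, the KEY=VALUE file format and the sample values are assumptions.

```sh
#!/bin/sh
# Hypothetical hardened handling of proxy settings (names and file format assumed).
LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact

# Allowlist: hostname or IPv4 literal only; quotes, spaces, $, ; and backticks fail.
valid_proxy_host() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Port must be a decimal integer in 1..65535 with no leading zero.
valid_proxy_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# usage: write_proxy_conf HOST PORT FILE -- refuses to write unvalidated input.
write_proxy_conf() {
    valid_proxy_host "$1" && valid_proxy_port "$2" || return 1
    printf 'http_proxy=http://%s:%s\n' "$1" "$2" > "$3"
}

# usage: load_proxy_conf FILE -- parses KEY=VALUE as data instead of sourcing it.
load_proxy_conf() {
    while IFS='=' read -r key value; do
        case "$key" in
            http_proxy|https_proxy|no_proxy) export "$key=$value" ;;
        esac
    done < "$1"
}

# Demo on constructed values: one well-formed host, one with a shell metacharacter.
conf=$(mktemp)
for host in proxy.example.internal 'proxy.example;id'; do
    if write_proxy_conf "$host" 3128 "$conf"; then
        echo "accepted: $host"
    else
        echo "rejected: $host"
    fi
done
load_proxy_conf "$conf" && echo "loaded http_proxy=$http_proxy"
rm -f "$conf"
```

The two controls are independent: the loader keeps file contents inert even if another process writes to the file without validation.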
