Dynatrace ActiveGate Ping Extension OS Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the Dynatrace ActiveGate ping extension, affecting versions prior to 1.016. It allows OS command injection via a crafted IP address. The ping extension uses the Windows command prompt (cmd.exe) to execute ping commands, and cmd.exe treats '&' as a command separator. The Test Target Host input field accepts up to 1024 characters and is not validated, so appending an '&' after the IP address lets additional commands be injected for ActiveGate to execute.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the host where Dynatrace ActiveGate is running.
Reproduction
To reproduce this vulnerability, input a crafted IP address into the Test Target Host field of the Dynatrace ActiveGate ping extension. After the IP address, append additional commands using an '&' to execute arbitrary commands on the Windows command prompt. The ping extension will process the input, leading to command execution on the host.
Remediation
Users are advised to update to Dynatrace ActiveGate ping extension version 1.016 or later.
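To illustrate the root cause and the corresponding fix, the following is an added example (not code from Dynatrace or the ping extension) that assumes the target-host check is written in Python: the target is validated as a literal IP address or a well-formed hostname, and ping is invoked with an argument list so no shell ever parses the value.

```python
"""Hardened target validation for a ping-style host check (added example)."""
import ipaddress
import re
import subprocess
import sys
from typing import List

# RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen.
# Rejecting a leading hyphen also stops a target from being read as a ping option.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_TARGET_LEN = 253  # hostname maximum; the vulnerable field accepted 1024 chars


def is_valid_target(target: str) -> bool:
    """Accept only an IPv4/IPv6 literal or a syntactically valid hostname."""
    if not target or len(target) > MAX_TARGET_LEN:
        return False
    try:
        ipaddress.ip_address(target)  # raises ValueError if not an IP literal
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ping_argv(target: str, count: int = 1) -> List[str]:
    """Return the ping command as an argv list; raise on unsafe input.

    Passing a list (never shell=True) means characters such as '&' or '|'
    in the target reach ping as a plain argument, not cmd.exe.
    """
    if not is_valid_target(target):
        raise ValueError(f"refusing unsafe ping target: {target!r}")
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    return ["ping", count_flag, str(count), target]


def run_ping(target: str) -> int:
    """Run ping without a shell and return its exit status."""
    result = subprocess.run(build_ping_argv(target), capture_output=True, check=False)
    return result.returncode
```

A constructed input such as "127.0.0.1 & dir" is rejected before any process is started, and even a value that slipped through validation would be delivered to ping as a single argument rather than parsed by the shell.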