OpenC3 COSMOS SQL Injection Vulnerability in Time-Series Database Component
Vulnerability
A SQL injection vulnerability has been identified in OpenC3 COSMOS versions from 6.7.0 up to, but not including, 7.0.0-rc3, specifically within the Time-Series Database (TSDB) component. The vulnerability arises because the 'tsdb_lookup' function in 'cvt_model.rb' incorporates user-supplied input directly into SQL queries without sanitization or parameter binding. This allows a user to alter the SQL statement and execute arbitrary SQL commands, including the deletion of data. The vulnerability has been patched in version 7.0.0-rc3.
Impact
Exploitation of this vulnerability allows for unauthorized SQL command execution in the TSDB, potentially leading to arbitrary data deletion. Additionally, according to the advisory, this vulnerability could be exploited to access and delete telemetry data.
Reproduction
To reproduce this vulnerability, send a request to the 'get_tlm_values' RPC endpoint with the 'start_time' variable crafted to include a SQL injection payload, such as "' OR 1=1 --". This exploits the SQL injection vulnerability, allowing the injection of arbitrary SQL commands into the TSDB.
Remediation
Users can update to OpenC3 COSMOS version 7.0.0-rc3 or later, where this vulnerability has been patched.
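As an added example, not code from the OpenC3 COSMOS project: the string-interpolated query pattern the advisory describes, beside a hardened version that validates 'start_time' as a timestamp and hands it to the database as a bound parameter. The table name, columns and helper names are constructed for this illustration.

```ruby
require 'time'

# Added illustration, not OpenC3 COSMOS code. Table/column names and the
# helper names are constructed for this example.

# Unsafe pattern described in the advisory: the caller-controlled time bound
# is spliced straight into the SQL text, so quote characters change the query.
def build_tsdb_query_unsafe(start_time)
  "SELECT time, value FROM tsdb_values WHERE time >= '#{start_time}'"
end

# A time bound can only legitimately be an integer nanosecond timestamp or an
# ISO-8601 UTC string; anything else is rejected before any SQL is built.
EPOCH_NS = /\A\d{1,19}\z/
ISO8601_UTC = /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,9})?Z\z/

# Returns the bound as Integer nanoseconds since the Unix epoch, or raises.
def validate_time_bound(value)
  s = value.to_s
  return Integer(s, 10) if s.match?(EPOCH_NS)
  if s.match?(ISO8601_UTC)
    t = Time.iso8601(s)
    return t.to_i * 1_000_000_000 + t.nsec
  end
  raise ArgumentError, "start_time is not a timestamp: #{s.inspect}"
end

# Hardened pattern: validate first, then keep the value out of the SQL text
# by returning a placeholder query plus a separate parameter list, which is
# the shape a parameterized database driver call expects.
def build_tsdb_query_safe(start_time)
  bound = validate_time_bound(start_time)
  ["SELECT time, value FROM tsdb_values WHERE time >= $1", [bound]]
end

# True when the hardened path refuses the input.
def rejected?(start_time)
  build_tsdb_query_safe(start_time)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR 1=1 --" # the injection string quoted in the advisory
  puts build_tsdb_query_unsafe(payload) # query text has been rewritten
  puts rejected?(payload)               # true: never reaches the database
  p build_tsdb_query_safe("2024-01-01T00:00:00Z")
end
```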
