OpenC3 COSMOS Script Runner API Privilege Escalation Vulnerability Allowing Unauthorized Administrative Actions

Vulnerability

A vulnerability exists in OpenC3 COSMOS versions prior to 7.0.0-rc3, within the Script Runner widget of the openc3-COSMOS-script-runner-api container. This vulnerability allows users to execute Python and Ruby scripts that can bypass API permission checks and perform administrative tasks. Exploitation of this vulnerability enables unauthorized access to the Redis database, where sensitive information such as secrets and COSMOS configuration settings can be read or modified. Additionally, the vulnerability allows manipulation of the buckets service, which stores configuration, log, and plugin files. These administrative actions are typically restricted to the Admin Console or require elevated privileges. The vulnerability arises from the Script Runner's ability to execute scripts that exploit the shared network environment of the Docker containers, potentially leading to unauthorized access and modification of critical application data.

Impact

Exploitation of this vulnerability could result in unauthorized administrative access, allowing affected users to manipulate COSMOS settings, access and modify data within the Redis database, and interact with the buckets service, which contains important configuration, log, and plugin files.

Reproduction

To reproduce this vulnerability, first execute a Ruby script in the Script Runner widget to extract the Redis credentials from the environment variables. Then, use a Python script to connect to the Redis database using the extracted credentials. Once connected, the script can be used to create a new entry in the Redis database, demonstrating the ability to manipulate data. Additionally, the same Python script can be modified to change COSMOS plugin settings by writing to the appropriate configuration files, further illustrating the impact of the vulnerability.

Remediation

Users can update to OpenC3 COSMOS version 7.0.0-rc3 or later, where this vulnerability has been patched.
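Because the advisory's affected range ends at a pre-release tag (anything before 7.0.0-rc3 is affected, 7.0.0-rc3 and later is not), a naive string comparison will get cases like 7.0.0 versus 7.0.0-rc3 wrong. The following Python check is an added example, not code from the advisory or from the OpenC3 project; it assumes COSMOS versions follow MAJOR.MINOR.PATCH with an optional -rcN style suffix and that a pre-release sorts before its final release, and the host inventory it scans is constructed for illustration.

```python
"""Triage an inventory of OpenC3 COSMOS deployments against the advisory's
fixed version (7.0.0-rc3).

Added example; not part of the advisory or the OpenC3 project.
Assumptions: versions look like 'MAJOR.MINOR.PATCH[-tagN]' (optional leading
'v'), and a pre-release such as 7.0.0-rc3 sorts before the final 7.0.0.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "7.0.0-rc3"  # first patched version named in the advisory

# MAJOR.MINOR.PATCH, then an optional '-tag' with an optional number,
# e.g. 7.0.0, 7.0.0-rc3, 7.0.0-rc.3, v6.9.1
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?$")


def parse_version(text: str) -> Tuple[int, int, int, int, str, int]:
    """Turn a version string into a tuple that sorts correctly.

    The fourth element is 0 for a pre-release and 1 for a final release, so
    (7,0,0,0,'rc',3) < (7,0,0,1,'',0): 7.0.0-rc3 is older than 7.0.0.
    Pre-release tags compare alphabetically (alpha < beta < rc), which matches
    the usual ordering for these suffixes.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        return (int(major), int(minor), int(patch), 1, "", 0)
    return (int(major), int(minor), int(patch), 0, tag.lower(), int(num or 0))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the first patched version."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts (sorted) whose COSMOS version is in the affected range.

    Unparseable versions are reported as affected so they get looked at rather
    than silently dropped.
    """
    affected = []
    for host, version in inventory.items():
        try:
            if is_affected(version):
                affected.append(host)
        except ValueError:
            affected.append(host)
    return sorted(affected)


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {
        "gs-ops-1": "6.9.0",
        "gs-ops-2": "7.0.0-rc2",
        "gs-lab-1": "7.0.0-rc3",
        "gs-lab-2": "7.0.0",
        "gs-dev-1": "unknown",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} -> update to {FIXED_VERSION} or later")
```

The pre-release flag in the sort tuple is the whole point: without it, "7.0.0" < "7.0.0-rc3" as plain strings, and a patched deployment would be reported as affected.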

Added: May 4, 2026, 6:23 PM
Updated: May 4, 2026, 6:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.3
remediation: 0.0
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.