
Remote Code Execution Vulnerability in File Upload Facility

Critical
jens-maus published GHSA-g7vv-7rmf-mff7 Mar 30, 2022

Package

RaspberryMatic (GitHub)

Affected versions

≤ 3.61.7.20220226

Patched versions

3.63.8.20220330

Description

A remote code execution (RCE) vulnerability exists in the file upload facility of the RaspberryMatic WebUI. Because user-supplied input is passed to dangerous CGI functionality without validation or sanitization, a remote, unauthenticated attacker with network access to the WebUI can execute arbitrary operating system commands by placing shell metacharacters in the HTTP query string.

Impact

The vulnerability is exploitable with a single crafted HTTP request and requires no authentication. Injected commands execute as root, so a successful attack fully compromises the underlying system and every component running on it. All versions from 2.31.25.20180428 up to and including 3.61.7.20220226 are affected.

Patches

Users should update to RaspberryMatic version 3.63.8.20220330 or newer which integrates a fix for the aforementioned security issue.

Workarounds

There are currently no known workarounds that remove the security impact; users are advised to update to the latest available version. Because exploitation requires network access to the WebUI (lighttpd on port 80/443), restricting which hosts can reach the CCU's web interface, and in particular not exposing it to the internet, reduces exposure until the update is applied, but it does not fix the flaw.

Technical details

The file upload CGI script, a helper used when uploading firmware updates, is reachable through the RaspberryMatic WebUI, which lighttpd serves on ports 80/443 by default. The script passes user-supplied data, without adequate filtering, to a dangerous function that can be used to run arbitrary shell commands; since the WebUI runs as root, the injected commands run as root too.

The security issue was fixed with commit 3485465.
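The bug class described above, as an added example that is not RaspberryMatic's own code (the advisory does not disclose the script's internals, and Python is used here purely for illustration): a CGI-style helper that interpolates a query-string parameter into a shell command, the hardened form that allowlists the value and never goes through a shell, and a check that flags such requests in lighttpd's Apache-style access log. The parameter name `name`, the placeholder `echo` helper command, the `/upload.cgi` path and the log lines are assumptions or constructed sample data, not taken from the project.

```python
"""Added example (Python, chosen for illustration; not RaspberryMatic's CGI script,
whose internals the advisory does not disclose).

Shows the bug class behind the advisory: a CGI helper that builds a shell command
from the HTTP query string, beside a hardened form, plus a check that flags such
requests in an access log. All names, the 'echo' helper command, the /upload.cgi
path and the log lines are hypothetical/constructed."""
import re
import subprocess
from urllib.parse import parse_qs


def parse_query(query_string: str) -> dict:
    """Decode a CGI QUERY_STRING into single-valued parameters (first value wins).
    Percent-decoding happens here, so %3B reaches the handler as ';'."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def vulnerable_handler(query_string: str) -> str:
    """Vulnerable pattern: the attacker-controlled 'name' parameter is pasted into a
    command line that is handed to /bin/sh. A ';' (or |, &, $(...), `...`) ends the
    intended command and starts the attacker's, which runs with the CGI's privileges
    (root for the RaspberryMatic WebUI)."""
    name = parse_query(query_string).get("name", "")
    cmd = f"echo processing upload {name}"   # 'echo' stands in for the real helper command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def is_safe_name(name: str) -> bool:
    """Allowlist check: letters, digits, '.', '_' and '-' only, no leading dot,
    no '/' (so no path traversal) and no shell metacharacters at all."""
    return SAFE_NAME.fullmatch(name) is not None


def hardened_handler(query_string: str) -> str:
    """Hardened form: validate against the allowlist, then run the helper with an
    argv list and no shell, so the value can only ever be a single argument."""
    name = parse_query(query_string).get("name", "")
    if not is_safe_name(name):
        raise ValueError(f"rejected upload name: {name!r}")
    return subprocess.run(["echo", "processing", "upload", name],
                          capture_output=True, text=True).stdout


# Characters that mean something to /bin/sh; their presence in a decoded parameter
# value of a request to this kind of CGI is worth an alert (expect some false
# positives for odd but legitimate file names).
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")


def query_looks_like_injection(query_string: str) -> bool:
    """Detection: True if any decoded parameter value contains shell metacharacters."""
    return any(SHELL_META.search(v) for v in parse_query(query_string).values())


# lighttpd writes Apache-style access logs; this pulls the request path and query.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>[^ ?"]+)(?:\?(?P<qs>[^ "]*))? HTTP/')


def scan_access_log(lines):
    """Return (path, query_string) for each log entry whose query looks injected."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and m.group("qs") and query_looks_like_injection(m.group("qs")):
            hits.append((m.group("path"), m.group("qs")))
    return hits


# Constructed sample log lines (not real traffic); /upload.cgi is a placeholder path.
SAMPLE_LOG = [
    '10.0.0.7 ccu - [30/Mar/2022:10:01:02 +0200] "GET /upload.cgi?name=firmware.tgz HTTP/1.1" 200 30 "-" "curl/7.74.0"',
    '10.0.0.9 ccu - [30/Mar/2022:10:01:05 +0200] "GET /upload.cgi?name=x%3Bid%3E%2Ftmp%2Fo HTTP/1.1" 200 30 "-" "curl/7.74.0"',
    '10.0.0.9 ccu - [30/Mar/2022:10:01:07 +0200] "GET /pages/index.htm HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    print(vulnerable_handler("name=x%3Becho+PWNED"), end="")  # second line 'PWNED' proves injection
    print(hardened_handler("name=firmware.tgz"), end="")
    try:
        hardened_handler("name=x%3Becho+PWNED")
    except ValueError as e:
        print(e)
    print(scan_access_log(SAMPLE_LOG))
```

The fix that matters is the combination in `hardened_handler`: reject anything outside a strict allowlist, and pass the value as one argv element instead of through `sh -c`. Quoting alone (for example with `shlex.quote`) is fragile whenever the value is later re-interpreted by another shell, so the argv form is the one to prefer. The log scan is a triage aid for incident response on already-exposed devices; a hit on the upload script from an unknown client, combined with the root context described above, should be treated as a likely full compromise.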

For more information

If you have any questions or comments about this advisory:

Severity

Critical

CVSS overall score

10.0 / 10

CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2022-24796

Weaknesses

Credits