Its purpose is to gather, store, and present metrics from diverse computer systems (such as network equipment, operating systems, and applications) in easily interpretable data graphs.
The critical vulnerability in OpenTSDB is related to the Gnuplot Configuration File Handler component and allows for injection attacks, according to a recent advisory by Vulmon.
“Affected by this vulnerability is an unknown function of the component Gnuplot Configuration File Handler. The manipulation with an unknown input leads to an injection vulnerability,” said the advisory.
The Common Weakness Enumeration (CWE) has categorized this vulnerability as CWE-74.
Critical vulnerability in OpenTSDB: Deep Dive
This critical vulnerability in OpenTSDB can be exploited to achieve remote code execution, which could have severe consequences for affected systems.
The vulnerability was publicly disclosed on July 1, 2023, and has been assigned the identifier GHSA-76f7-9v52-v2fw.
The associated Common Vulnerabilities and Exposures (CVE) identifier is CVE-2023-36812, assigned on June 27, 2023.
The preliminary OSINT and deep web investigations conducted by The Cyber Express showed that no public exploit has been detected, and the technical details of the vulnerability remain undisclosed.
The OpenTSDB development team has promptly addressed the issue by releasing patches in commit 07c4641471c and further refining them in commit fa88d3e4b.
These patches are included in the latest release, version 2.4.2, which is recommended for all users. Upgrading to version 2.4.2 effectively eliminates the vulnerability and ensures the secure operation of OpenTSDB.
Users who are unable to upgrade immediately have two workarounds available. They can disable the vulnerable Gnuplot functionality by setting the configuration option tsd.core.enable_ui to “true.”
Additionally, they should remove the shell files mygnuplot.bat and mygnuplot.sh from their OpenTSDB installations, suggested the Vulmon advisory.
Vulnerability in OpenTSDB: Common patterns
The security issue arises from OpenTSDB’s construction of a command, data structure, or record using externally-influenced input from an upstream component.
However, the software fails to properly neutralize special elements that could modify how the input is parsed or interpreted when it reaches a downstream component.
It is important to note that this particular vulnerability in OpenTSDB 2.4.1 differs from a previously reported vulnerability, CVE-2020-35476.
The earlier CVE pertains to version 2.4.0 and can be bypassed by the exploit discussed here, allowing remote code execution to occur successfully in OpenTSDB version 2.4.1.
Synopsys researchers in March disclosed that insufficient patching of this vulnerability resulted in another vulnerability, CVE-2023-25826.
The discovery of the latest critical vulnerability in OpenTSDB has been credited to researchers Gal Goldstein and Daniel Abeles from Oxeye, who promptly reported the issue to the OpenTSDB development team.
Users of OpenTSDB 2.4.1 are strongly advised to upgrade to version 2.4.2 or implement the provided workarounds as soon as possible to mitigate the risks associated with this critical vulnerability.
The patched version and further details can be found on the OpenTSDB GitHub repository at github.com.
The Synopsys Cybersecurity Research Center (CyRC) in May identified two critical vulnerabilities in OpenTSDB: a remote command execution flaw (CVE-2023-25826) and a reflected cross-site scripting (XSS) vulnerability (CVE-2023-25827).
The researchers found that CVE-2023-25826 resulted from incomplete validation of parameters passed to the legacy HTTP query API, which enables the injection of crafted OS commands.
This vulnerability bypassed the validation measures implemented following the patch for CVE-2020-35476.
The regex validation designed to restrict input fails to function correctly, allowing the execution of malicious code on the OpenTSDB host system.
Attackers could exploit CVE-2023-25826 by injecting crafted system commands into the ‘key’, ‘style’, and ‘smooth’ parameters of the legacy HTTP query API.
“When a request is submitted, parameters are passed to a graph generation shell script where included commands will be executed,” the report said.
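The CWE-74 pattern described above (externally influenced query parameters reaching a graph-generation step without proper neutralization, and a regex check that fails to restrict the input as intended) can be illustrated with a small Python example. This is constructed code added here for illustration; it is not OpenTSDB's own code. The parameter names key, style and smooth come from the article; the allowed value sets, the function names and the script path placeholder are assumptions. It contrasts a prefix-only regex check with a full-match check plus allowlist, and builds the gnuplot directive and the script argv only from validated tokens.

```python
import re

# A single token: letters, digits, underscore. Used by both checks below.
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+")

# Assumed allowlists (not OpenTSDB's): only values gnuplot itself
# understands for each parameter are accepted.
ALLOWED = {
    "style": {"lines", "linespoints", "points", "dots", "circles"},
    "smooth": {"unique", "csplines", "acsplines", "bezier", "sbezier"},
    "key": {"top", "bottom", "left", "right", "center", "box"},
}


def loose_validate(value: str) -> bool:
    """Ineffective check: re.match anchors only at the start of the string,
    so a value that begins with a valid token but carries trailing shell
    metacharacters still passes."""
    return TOKEN_RE.match(value) is not None


def strict_validate(value: str) -> bool:
    """Effective check: re.fullmatch requires the entire value to be one
    token, so ';', '$', '`', whitespace and newlines are all rejected."""
    return TOKEN_RE.fullmatch(value) is not None


def validate_graph_params(params: dict) -> dict:
    """Apply the full-match check and the allowlist to every parameter that
    will reach the graph-generation step. Raises ValueError on the first
    rejected parameter so nothing partial is ever built."""
    clean = {}
    for name, value in params.items():
        if name not in ALLOWED:
            raise ValueError(f"unexpected parameter {name!r}")
        if not strict_validate(value) or value not in ALLOWED[name]:
            raise ValueError(f"rejected {name}={value!r}")
        clean[name] = value
    return clean


def render_plot_command(clean: dict, datafile: str = "series.dat") -> str:
    """Emit a gnuplot plot directive from validated values only. Because
    every value is an allowlisted token, no parser-significant character
    can reach the generated configuration. datafile is fixed here rather
    than taken from the request."""
    cmd = f"plot '{datafile}' with {clean['style']}"
    if "smooth" in clean:
        cmd += f" smooth {clean['smooth']}"
    return cmd


def graph_script_argv(clean: dict, script="/path/to/mygnuplot.sh") -> list:
    """Hardened invocation shape: an argv list for subprocess.run(argv)
    with shell=False, so values arrive as separate arguments instead of
    being re-parsed by /bin/sh. The script path is a placeholder."""
    return [script, clean["style"], clean.get("smooth", "unique")]


if __name__ == "__main__":
    # Constructed sample inputs: one clean, one carrying a shell separator.
    clean_input = {"style": "points", "smooth": "csplines"}
    tainted_value = "points; echo injected"
    print("loose check passes tainted value:", loose_validate(tainted_value))
    print("strict check passes tainted value:", strict_validate(tainted_value))
    validated = validate_graph_params(clean_input)
    print(render_plot_command(validated))
    print(graph_script_argv(validated))
```

The two checks differ only in `match` versus `fullmatch`, which is the kind of detail an audit of "regex validation that fails to function correctly" should look for; the allowlist then makes the accepted set explicit rather than relying on the character class alone.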