Executive Summary

This vulnerability is an authenticated OS command injection flaw in the Vertex application's log viewer feature. It occurs because user input from the 'type' parameter in the log viewer endpoint is passed directly into a shell command without proper validation or escaping. Specifically, the application uses this input to construct a command like 'tail -n 2000 ${logFile}' via execSync(), allowing attackers to inject arbitrary commands that execute on the server.

An attacker can exploit this vulnerability remotely by sending a crafted GET request with malicious payloads in the 'type' parameter, such as '/api/log/get?type=$(touch%20/tmp/poc)', which executes arbitrary commands on the server. The application also lacks CSRF protections, enabling attackers to trick authenticated administrators into triggering the attack by visiting a malicious link.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with authenticated access to execute arbitrary operating system commands on the server hosting the Vertex application. This can lead to unauthorized access, data theft, data manipulation, service disruption, or complete system compromise.

Because the attack can be triggered remotely and the application lacks CSRF protections, attackers can potentially exploit this vulnerability by tricking an authenticated administrator into visiting a malicious link, increasing the risk of exploitation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the vertex-app log viewer endpoint is vulnerable to OS command injection via the 'type' parameter in the URL query.

A practical detection method is to send a crafted GET request to the log viewer endpoint with a payload that attempts to execute a harmless command, such as creating a file on the server.

• Example command to test the vulnerability: curl -i "http://<target>/api/log/get?type=$(touch /tmp/poc)"
• After sending the request, check the server for the presence of the file /tmp/poc to confirm command execution.

Since the vulnerability requires authentication and the application lacks CSRF protections, detection should be performed with valid credentials or by simulating an authenticated session.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and best mitigation step is to apply the official patch identified by commit 805d82e7100d49b79b3beb1b9420e8e458987198.

This patch replaces the vulnerable execSync calls with spawnSync, adds input validation to ensure only supported log types are processed, verifies the existence of log files before reading, and includes proper error handling.

Additionally, the patch updates session cookie settings to include the sameSite attribute set to 'lax' to help prevent CSRF attacks.

Until the patch is applied, restrict access to the log viewer endpoint to trusted users only and monitor for suspicious activity.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated attackers to execute arbitrary OS commands remotely via the log viewer endpoint due to improper input validation and command injection. This can lead to unauthorized access, data manipulation, or disruption of services.

Such unauthorized access and potential data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

However, the provided information does not explicitly describe the direct impact on compliance or mention specific regulatory requirements.

Useful 0 Not Useful 0