在命令中使用的特殊元素转义处理不恰当（命令注入）

admin

0
文章

0
评论

2023-11-30 04:03:24 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危在命令中使用的特殊元素转义处理不恰当（命令注入）

CVE编号

CVE-2023-22496

利用情况

暂无

补丁情况

官方补丁

披露时间

2023-01-14

漏洞描述

Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. An attacker with the ability to establish a streaming connection can execute arbitrary commands on the targeted Netdata agent. When an alert is triggered, the function `health_alarm_execute` is called. This function performs different checks and then enqueues a command by calling `spawn_enq_cmd`. This command is populated with several arguments that are not sanitized. One of them is the `registry_hostname` of the node for which the alert is raised. By providing a specially crafted `registry_hostname` as part of the health data that is streamed to a Netdata (parent) agent, an attacker can execute arbitrary commands at the remote host as a side-effect of the raised alert. Note that the commands are executed as the user running the Netdata Agent. This user is usually named `netdata`. The ability to run arbitrary commands may allow an attacker to escalate privileges by escalating other vulnerabilities in the system, as that user. The problem has been fixed in: Netdata agent v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a workaround, streaming is not enabled by default. If you have previously enabled this, it can be disabled. Limiting access to the port on the recipient Agent to trusted child connections may mitigate the impact of this vulnerability.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/netdata/netdata/security/advisories/GHSA-xg38-3vmw-2978

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	netdata	netdata	*		Up to (excluding) 1.37.0
	运行在以下环境
	系统	debian_10	netdata	*		Up to (including) 1.12.0-1+deb10u1
	运行在以下环境
	系统	debian_11	netdata	*		Up to (including) 1.29.3-4
	运行在以下环境
	系统	debian_12	netdata	*		Up to (excluding) 1.37.0-1
	运行在以下环境
	系统	debian_sid	netdata	*		Up to (excluding) 1.37.0-1