openITCOCKPIT Blog

openITCOCKPIT 3.7.3 released

23.03.2020

Today we are proud to release the next version of openITCOCKPIT, 3.7.3.

This release resolves critical security vulnerabilities. Update your system soon!

Resolved security vulnerabilities

Dejan Zelic from Offensive Security found and reported some critical security vulnerabilities within openITCOCKPIT.

The following issues are resolved by updating to openITCOCKPIT 3.7.3:

Impact | CVE | ID | Vulnerability summary
High | CVE-2020-10789 | ITC-2321 | Code injection: The input of the embedded terminal was not properly escaped, which could lead to remote code execution.
High | CVE-2020-10788 | ITC-2322 | Static WebSocket key: The key used by the WebSocket server to prevent unauthenticated access was the same on all openITCOCKPIT installations.
High | CVE-2020-10790 | ITC-2324 | Cross-site scripting: openITCOCKPIT granted access to unnecessary files in the webroot directory, which could be affected by an XSS security issue.
High | CVE-2020-10792 | ITC-2325 | Ability to trick the server into running in development mode: By manipulating the Host header of an HTTP request it was possible to enable debug mode. This could lead to unwanted output of sensitive data.
Medium | CVE-2020-10791 | ITC-2168 | Server-side request forgery: The Test Connection feature of the Grafana Module can now be completely disabled through the user role permission testGrafanaConnection.

Many thanks to Dejan Zelic and Offensive Security for reporting this!


Have you also discovered a security vulnerability? Please don’t hesitate to contact us.


Additional information

Code injection

The embedded terminal was vulnerable to remote code execution. For this reason, the terminal and all of its related code have been removed.

Static WebSocket key

To keep your system safe, please generate a new WebSocket key by executing the following commands as the root user:

# Generate 80 random bytes and hex-encode them (160 hex characters).
# $cstrong is escaped so the shell does not expand it before PHP sees it.
WEBSOCKET_KEY=$(php -r "echo bin2hex(openssl_random_pseudo_bytes(80, \$cstrong));")

# Store the new key in the systemsettings table; the backticks are escaped
# because the statement is passed to mysql inside a double-quoted string.
mysql "--defaults-extra-file=/etc/openitcockpit/mysql.cnf" -e "UPDATE systemsettings SET \`systemsettings\`.\`value\`='${WEBSOCKET_KEY}' WHERE \`key\`='SUDO_SERVER.API_KEY';"

# Apply the new setting to the running system.
openitcockpit-update
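As an added example that is not part of this release announcement: the key regeneration above wrapped in shell functions that check the generated value before it is placed into the UPDATE statement, so that nothing but hex digits can ever reach the SQL string. The table, column and setting names are taken from the command above; the function names gen_websocket_key, is_valid_key, build_update_sql and apply_websocket_key are chosen here, and /dev/urandom replaces the PHP call so the check runs without PHP installed.

```shell
#!/bin/sh
# Added example, not the openITCOCKPIT project's own code.
# Assumptions: /dev/urandom exists; table, column and setting key
# ('SUDO_SERVER.API_KEY') are those used in the advisory's command.

# 80 random bytes, hex-encoded: 160 hex characters, the same size as
# php bin2hex(openssl_random_pseudo_bytes(80)) in the advisory.
gen_websocket_key() {
    head -c 80 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# A valid key is exactly 160 lowercase hex characters. Anything else is
# refused, so no quote or other character can end up inside the SQL.
is_valid_key() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 160 ]
}

# Build the UPDATE statement from the advisory. For an invalid key the
# function fails instead of emitting a broken or injectable statement.
build_update_sql() {
    is_valid_key "$1" || return 1
    printf "UPDATE systemsettings SET \`systemsettings\`.\`value\`='%s' WHERE \`key\`='SUDO_SERVER.API_KEY';" "$1"
}

# Apply the key with the same mysql invocation as the advisory (run as root).
apply_websocket_key() {
    sql=$(build_update_sql "$1") || { echo "refusing to apply an invalid key" >&2; return 1; }
    mysql "--defaults-extra-file=/etc/openitcockpit/mysql.cnf" -e "$sql"
}

# Usage as root:
#   WEBSOCKET_KEY=$(gen_websocket_key)
#   apply_websocket_key "$WEBSOCKET_KEY" && openitcockpit-update
```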

All changes are available in the changelog.

How to update

In one of our previous articles we described in detail how to update an installation of openITCOCKPIT. If you are already familiar with our update process, you can update to the new version in three easy steps:

tmux
sudo apt-get update
sudo apt-get dist-upgrade

Your openITCOCKPIT Team!