Vulnerable Version
OpenTSDB <= 2.4.1
Fixed Version
Update to the latest patched release
Base Score
9.8 (Critical)
Vendor Description:
OpenTSDB (Open Time Series Database) is an open-source, distributed, and scalable database designed specifically for storing, indexing, and serving time-series data (data indexed by time, such as server metrics, sensor readings, or application performance stats).
It was originally developed at StumbleUpon to handle massive amounts of monitoring data and is built on top of Apache HBase for distributed storage.
CVE-2023-25826 Description:
Insufficient input validation in the legacy HTTP query API (the /q endpoint) leaves OpenTSDB open to remote command injection. The flaw exists because the fix for a previously disclosed issue, CVE-2020-35476, was incomplete.
User-supplied parameters such as key, style, and smooth are passed into a generated shell script that drives graph rendering, and the regular-expression checks applied to them before that step can be bypassed. An attacker who can reach the endpoint can therefore embed operating system commands in these fields; when the script runs, those commands execute on the host with the privileges of the OpenTSDB service account.
Impact:
Successful exploitation allows a remote attacker to execute arbitrary system commands, potentially leading to:
- Full system compromise of the OpenTSDB host.
- Data manipulation or destruction.
- Unauthorized access to sensitive environment data.
Mitigations:
- Update OpenTSDB to the latest patched release as soon as possible.
- Disable or restrict the legacy /q endpoint, which is the root of this issue (for example by blocking it at a reverse proxy in front of OpenTSDB).
- Limit network exposure by placing OpenTSDB behind firewalls or proxies.
- Run with least privilege, avoiding root execution to minimize impact.
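As an added example (not part of this advisory and not OpenTSDB's own code), the Python below shows the two checks a practitioner would want around this class of flaw: an anchored allow-list for the /q parameters named above, and a scan of web-server access logs for /q requests whose parameters fail it. The allow-list patterns, the log format, the parameter names other than key/style/smooth and the log lines are all constructed assumptions; the suspicious values are generic shell metacharacters used to exercise the checks, not the disclosed payload.

```python
"""Allow-list validation and log scanning for OpenTSDB's legacy /q endpoint.

Added example; assumes a common-log-format access log from a proxy in front
of OpenTSDB. Not OpenTSDB's own validation logic.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Allow-lists for the /q parameters the advisory names. The patterns are an
# assumption about what benign values look like (gnuplot keywords and key
# positions such as "out right top" or "linespoint"); they are not the
# project's own regexes. fullmatch() anchors both ends, so a value that only
# starts with a legal-looking token is still rejected.
ALLOWED = {
    "key": re.compile(r"[A-Za-z0-9 _.-]{1,64}"),
    "style": re.compile(r"[A-Za-z]{1,16}"),
    "smooth": re.compile(r"[A-Za-z]{1,16}"),
}

# Characters meaningful to a POSIX shell. Braces, colons, '=' and '*' are
# deliberately absent because OpenTSDB's m= parameter legitimately carries
# tag filters such as sum:sys.cpu.user{host=*}.
SHELL_META = re.compile(r"[;&|`$<>()\\\"'\n\r]")

# Constructed common-log-format line: client, ident, user, [time], "request", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def check_q_query(query: str) -> list[tuple[str, str, str]]:
    """Return (param, decoded value, reason) for each suspicious /q parameter.

    parse_qs percent-decodes once, so %3B and a literal ';' are treated alike,
    and %0A becomes a real newline, which a shell also treats as a separator.
    """
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        pattern = ALLOWED.get(name)
        for value in values:
            if pattern is not None and not pattern.fullmatch(value):
                findings.append((name, value, "outside allow-list"))
            elif pattern is None and SHELL_META.search(value):
                findings.append((name, value, "shell metacharacter"))
    return findings


def scan_access_log(lines: list[str]) -> list[dict]:
    """Return one record per request to /q whose parameters fail check_q_query.

    Requests to other paths (including the JSON /api/query endpoint, a
    separate code path) are not inspected.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.rstrip("/") != "/q":
            continue
        findings = check_q_query(url.query)
        if findings:
            hits.append({"client": client, "method": method,
                         "status": int(status), "findings": findings})
    return hits


# Constructed sample log. Line 2 and line 4 carry generic shell metacharacters
# (a ';' and an encoded newline), not the real CVE-2023-25826 payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user%7Bhost=web01%7D&key=out%20right%20top&style=linespoint HTTP/1.1" 200 4821',
    '10.0.0.9 - - [12/Mar/2023:10:01:07 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&style=linespoint%3Becho HTTP/1.1" 200 4821',
    '10.0.0.9 - - [12/Mar/2023:10:01:09 +0000] "GET /api/query?start=1h-ago&m=sum:sys.cpu.user HTTP/1.1" 200 1203',
    '10.0.0.12 - - [12/Mar/2023:10:01:15 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&wxh=800x600%0aid HTTP/1.1" 200 4821',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["client"], hit["method"], hit["status"], hit["findings"])
```

The allow-list is the hardening the advisory's description calls for: instead of trying to recognise bad characters (the approach whose regexes were bypassed), it names the only shapes a graph option may take and rejects everything else. The log scan is the detection side of the same rule, run retroactively over proxy logs to find who has already probed the endpoint.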
