Vulnerabilities could be leveraged for full RCE on Cockpit instances using MongoLite

Cockpit CMS flaws exposed web servers to NoSQL injection exploits

Developers of Cockpit CMS, an open source content management system, have patched two security vulnerabilities following a disclosure by researchers at PT Swarm.

The vulnerabilities could allow a remote, unauthenticated attacker to execute code on a server running Cockpit in some configurations, specifically limited to those running MongoLite.

“A chain of vulnerabilities [could] lead to remote code execution and, as a result, compromise the host on which the application is running,” Nikita Petrov, security researcher at Positive Technologies, told The Daily Swig.

PT Swarm, the security research arm of Positive Technologies, looked into potential vulnerabilities after finding a Cockpit CMS instance on a customer’s perimeter in the course of a penetration test, according to Petrov.

Cockpit is a “headless” content management system, or CMS, focused on using APIs to distribute structured content across multiple platforms, including the web but also IoT devices. The CMS works with either SQLite or MongoDB databases.

What the pen testers found

Petrov’s team at PT Swarm found that attackers could exploit vulnerabilities in the Cockpit source code to perform a range of attacks including taking control of any user account and extracting password reset tokens.

The two vulnerabilities were each given a ‘critical’ CVSS rating of 9.8.

The first flaw, CVE-2020-35846, allows NoSQL injection attack via the Controller/Auth.php check function, and CVE-2020-35847 via the Controller/Auth.php resetpassword function. This, Petrov says, allows account takeover and remote code execution in the MongoLite library.

PT Swarm recommends that all Cockpit users update to the latest version, 0.12.0 or above, immediately.

YOU MIGHT ALSO LIKE Cisco router flaws left small business networks open to abuse

Cockpit developer Artur Heinze told The Daily Swig that PT Swarm notified him of the vulnerabilities, and a patched version of the CMS was released within a day. But only some Cockpit installations are at risk.

“The described vulnerabilities are only related to Cockpit instances using MongoLite, SQLite-based MongoDB implementation for small projects, as its data source,” he said. “MongoDB based Cockpit Instances were never affected.”

Nonetheless, organizations using Cockpit should check and update their installations.

NoSQL injection

The nature of Cockpit – and other ‘headless CMS’ software – mean that the systems might be installed and then largely left to work in the background.

Headless CMS builds serve up content to devices or applications, typically via RESTful APIs, rather than to web pages, and therefore might be missed by some security checks.

“The main area of concern with the Cockpit CMS vulnerability is that this leaves users open to a host of NoSQL injection vulnerabilities, which in turn risk remote code execution,” Josh Hickling, web application security consultant at Pentest People, told The Daily Swig.

Read more of the latest infosec research from around the world

“Using SQL injection to achieve these goals is seen time and time again, however, with the rise of NoSQL database engines, new attack techniques are being employed.”

Hickling added: “Should users fail to patch the currently vulnerable versions of Cockpit CMS, an unauthenticated attacker would be able to compromise the application and escalate privileges to an administrative user, in turn leading to remote code execution via uploading a web shell to the application’s ‘finder’ functionality. This poses large privacy and integrity concerns.”

Check out OWASP documentation (PDF) for more on NoSQL injection

RECOMMENDED When vulnerability disclosure goes sour: New GitHub repo details legal threats and risks faced by ethical hackers