Vulnerability Spotlight: Command injection bug in Exhibitor UI

_
_Logan Sanderson of Cisco ASIG discovered this vulnerability. Blog by Jon Munshaw.

Exhibitor Web UI contains an exploitable command injection vulnerability in its Config editor. Exhibitor is a ZooKeeper supervisory process. Exhibitor’s Web UI does not have any form of authentication, and prior to version 1.7.0, did not have any way to specify which interfaces to listen on. Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper. This could eventually allow an attacker to manipulate Exhibitor when launching ZooKeeper.

Per Cisco’s vulnerability disclosure policy, we are publishing the details of this vulnerability without a patch from Exhibitor after a set deadline.

Vulnerability details

Exhibitor UI command injection vulnerability (TALOS-2018-0790/CVE-2019-5029)

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that versions 1.0.9 through 1.7.1 of Exhibitor Web UI are affected by these vulnerabilities.

Coverage

The following SNORTⓇ rule will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 49239