Vulnerability Report

CVE-2020-26273

RCE

Title: Linuxfoundation Osquery RCE

Proof Of Concept

No public PoC currently indexed for CVE-2020-26273.

CWE Category CWE-77
Published Date Dec 16, 2020
Modified Date Nov 21, 2024
Exploit Status Not Found
Score 5.2 CVSS v3.1
Exploit Probability (EPSS) 0.23%

Vulnerability Summary

CVE-2020-26273: osquery is a SQL-powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using SQLite's ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary SQLite databases on disk. This _does_ allow arbitrary files to be created, but they will be SQLite databases. It does not appear to allow existing non-SQLite files to be overwritten. This has been patched in osquery 4.6.0.

There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool, and this tool can filter for the `ATTACH` keyword. osquery can also be run as a non-root user; because this also limits the desired access levels, this requires deployment-specific testing and configuration.
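The `ATTACH` filter mentioned among the workarounds could look like the following. This is an added example, not code from osquery or from this report. It assumes the configuration has already been parsed from JSON into the usual `schedule` / `packs` layout with a `query` string per entry; the function names and sample queries are constructed for illustration.

```python
import re

# Comments, string literals and quoted identifiers are blanked out first, in one
# left-to-right pass, so ATTACH inside a literal is ignored and a leading comment hides nothing.
_SKIP = re.compile(r"""
      --[^\n]*              # line comment
    | /\*.*?(?:\*/|\Z)      # block comment (may run to end of input)
    | '(?:[^']|'')*'        # string literal
    | "(?:[^"]|"")*"        # quoted identifier
    | `[^`]*` | \[[^\]]*\]  # other identifier quoting styles
    """, re.S | re.X)
_ATTACH = re.compile(r"\bATTACH\b", re.I)

def uses_attach(sql: str) -> bool:
    """True if ATTACH appears as a keyword. Unterminated quotes are not skipped (fail closed)."""
    return bool(_ATTACH.search(_SKIP.sub(" ", sql)))

def find_attach(config: dict) -> list:
    """Return sorted locations of scheduled or pack queries that use ATTACH."""
    hits = []
    for name, entry in config.get("schedule", {}).items():
        if uses_attach(entry.get("query", "")):
            hits.append(f"schedule/{name}")
    for pack, body in config.get("packs", {}).items():
        if not isinstance(body, dict):  # pack referenced by file path: check that file separately
            continue
        for name, entry in body.get("queries", {}).items():
            if uses_attach(entry.get("query", "")):
                hits.append(f"packs/{pack}/{name}")
    return sorted(hits)

# Constructed sample configuration (not taken from a real deployment).
SAMPLE = {
    "schedule": {
        "users": {"query": "SELECT * FROM users;", "interval": 3600},
        "sneaky": {"query": "/* audit */ attach database '/tmp/x.db' AS x;", "interval": 60},
        "literal": {"query": "SELECT 'ATTACH' AS word; -- attach", "interval": 60},
    },
    "packs": {
        "ir": {"queries": {"stage": {"query": "SELECT 1; ATTACH '/var/tmp/a.db' AS a;"}}},
        "external": "/etc/osquery/packs/external.conf",
    },
}

if __name__ == "__main__":
    for hit in find_attach(SAMPLE):
        print("ATTACH used in", hit)
```

A filter like this covers only centrally managed configuration; upgrading to osquery 4.6.0 remains the fix.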

CVSS v3.1
Source Entity [email protected]
Severity MEDIUM
Score 5.2
Attack Vector LOCAL
Complexity LOW
Privileges N/A
Interaction NONE
Confidentiality N/A
Integrity N/A
Availability N/A
Scope CHANGED
RAW VECTOR CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS v2.0
Source Entity [email protected]
Severity LOW
Score 3.6
Access Vector N/A
Authentication N/A
RAW VECTOR AV:L/AC:L/Au:N/C:P/I:P/A:N

CVE-2020-26273 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

Attack Vector Matrix

Access Vector LOCAL
Complexity LOW
Privileges N/A
Interaction NONE
CVSS Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Affected Stack

No specific products linked.