Grid Protection Alliance
Grid Solutions Division

Command Execution via Arbitrary File Write in openPDC and openHistorian

November 2024

Date Published: November 21, 2024

Affects: openPDC v2.9.318 and earlier, openHistorian v2.8.423 and earlier

Severity: Medium

Overview

A critical vulnerability has been identified in both openPDC and openHistorian that allows an attacker with access to an authenticated user account to achieve command execution by leveraging an arbitrary file write. This flaw can lead to remote execution of arbitrary commands, allowing an attacker to run unauthorized code on affected systems.

Vulnerability Details

The vulnerability occurs when a user exports any data into JSON format. The software mishandles inputs that influence file write operations, allowing an attacker to specify arbitrary file paths and content and potentially to write executable files to the wwwRoot folder, thereby gaining command execution. The affected feature fails to properly validate or sanitize user-supplied paths, filenames, and file content, which can cause an unintended file to be written to a location accessible via the built-in web server, making arbitrary code execution possible via HTTP/HTTPS requests.

Impact

If successfully exploited, an attacker could:

Execute arbitrary commands on the target system with the privileges of the affected application.

Potentially gain remote control of the affected system, compromising its integrity, confidentiality, and availability.

The severity of this vulnerability depends on the application configuration, but it could lead to a full system compromise in the most critical scenarios.

Mitigation/Remediation

GPA is working on a patch to resolve the root cause of this vulnerability. Once the patch is available, GPA will update this notice to reflect the version number of the patch resolving this issue.

In the meantime, the following actions can prevent an attacker from exploiting this vulnerability:

Restrict system permissions: Apply the principle of least privilege by ensuring that the openPDC and openHistorian services run with minimal privileges to reduce the impact of a successful attack.

Restrict write access to the wwwRoot folder: Apply read-only permissions for the service accounts used by the application to the wwwRoot folder in the application installation folder. This prevents an attacker from exploiting the arbitrary file write vulnerability.

Ensure password complexity requirements are sufficient: In order to exploit this vulnerability an attacker needs access to an authenticated user account.

Monitor logs for unusual activity: Review system and application logs for signs of unauthorized file writes or attempts to exploit this vulnerability.
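The following PowerShell script is an added example illustrating two of the interim measures above (read-only wwwRoot for the service account, and detecting unauthorized file writes); it is not GPA's code and is not part of this advisory. The installation path, the service account name, and the baseline file location are assumptions and must be adjusted to the actual deployment. It uses icacls to strip inherited write permissions from wwwRoot and grant the service account read/execute only, then records a SHA-256 baseline of every file under wwwRoot so that later runs can report files that appeared or changed since the baseline was taken.

```powershell
# Added example, not GPA's code. All defaults below are assumptions for illustration.
param(
    # Assumed install path; for openHistorian use its own installation folder.
    [string]$InstallRoot    = 'C:\Program Files\openPDC',
    # Assumed service account; use the account the Windows service actually runs as.
    [string]$ServiceAccount = 'YOURDOMAIN\openPDC-service',
    # Assumed location for the integrity baseline (keep it outside wwwRoot).
    [string]$BaselinePath   = "$env:ProgramData\wwwRoot-baseline.json"
)

$wwwRoot = Join-Path $InstallRoot 'wwwRoot'

# Make wwwRoot read-only for the service account.
# /inheritance:d converts inherited ACEs into explicit ones so that /grant:r can
# replace any inherited write/modify rights the account had; (OI)(CI)RX applies
# read + execute to existing and future files and subfolders.
function Set-WwwRootReadOnly {
    icacls $wwwRoot /inheritance:d | Out-Null
    icacls $wwwRoot /grant:r "${ServiceAccount}:(OI)(CI)RX" /T /C | Out-Null
    # Print the resulting ACL so the change can be verified by eye.
    icacls $wwwRoot
}

# Record a SHA-256 hash for every file currently under wwwRoot.
function New-WwwRootBaseline {
    Get-ChildItem -Path $wwwRoot -Recurse -File |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } |
        ConvertTo-Json |
        Set-Content -Path $BaselinePath
}

# Compare the current contents of wwwRoot against the baseline and return a list
# of findings: files that did not exist at baseline time (NEW) or whose content
# changed (MODIFIED). Any NEW file is exactly what an arbitrary file write into
# wwwRoot would produce and should be investigated.
function Test-WwwRootIntegrity {
    $baseline = @{}
    Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json |
        ForEach-Object { $baseline[$_.Path] = $_.Hash }

    $findings = @()
    Get-ChildItem -Path $wwwRoot -Recurse -File | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        if (-not $baseline.ContainsKey($_.FullName)) {
            $findings += "NEW: $($_.FullName)"
        } elseif ($baseline[$_.FullName] -ne $hash) {
            $findings += "MODIFIED: $($_.FullName)"
        }
    }
    return $findings
}

# Typical use: harden once, baseline once, then run the integrity check on a
# schedule (e.g. a Scheduled Task) and alert on any non-empty result.
Set-WwwRootReadOnly
New-WwwRootBaseline
Test-WwwRootIntegrity
```

Run the script from an elevated prompt, since changing the ACL requires administrative rights. After applying the ACL, confirm that the application still serves its web interface and that legitimate exports still work, because the advisory does not state where exports are normally written. The baseline must be regenerated after every legitimate update of the application, otherwise the patched files will show up as MODIFIED.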

Fix Information

A patch addressing this vulnerability will be released shortly. We strongly recommend that you monitor updates from the Grid Protection Alliance for the availability of the security fix.

Disclaimer

The information provided in this advisory is provided "as is" and does not guarantee the security of systems. We strongly recommend that users apply patches as soon as they are available and follow best practices for securing systems against known vulnerabilities.