An alarming new vulnerability has been reported in OpenTSDB, the high-capacity Time Series Database (TSDB) that serves as the backbone for storing, indexing, and serving metrics from a wide array of systems, including operating systems, network gear, applications, and more. This vulnerability, assigned the identifier CVE-2023-36812 and a severe Common Vulnerability Scoring System (CVSS) score of 9.8, opens the door to Remote Code Execution (RCE).
OpenTSDB’s RCE vulnerability allows malicious users to write their own input into the Gnuplot configuration file. Gnuplot is then run with that user-controlled configuration, resulting in unauthorized remote code execution.
This risk is particularly concerning because OpenTSDB was designed to operate on a vast scale, collecting and managing data from a myriad of sources. This makes it a potentially juicy target for threat actors who could cause massive disruption by exploiting this vulnerability.
In response, patches have been issued in commits 07c4641471c6f5c2ab5aab615969e97211eb50d9 and further refined in fa88d3e, marking a swift response from the OpenTSDB developers. Users are encouraged to update their OpenTSDB installations to the latest version as promptly as possible to ensure their systems remain secure.
If immediate patching is not an option, workaround measures have been provided. These include disabling Gnuplot by setting ‘tsd.core.enable_ui’ to ‘true’ and removing the shell files mygnuplot.bat and mygnuplot.sh from the locations given in the OpenTSDB GitHub repository.
A noteworthy element of this new vulnerability is how it differs from a previous vulnerability identified as CVE-2020-35476. That earlier issue pertained to OpenTSDB version 2.4.0. The patch issued for CVE-2020-35476 included restrictions that the new vulnerability, unfortunately, bypasses. This means the RCE vulnerability remained exploitable in version 2.4.1.
The discovery of CVE-2023-36812 serves as a stark reminder that even after patches and fixes are applied, new vulnerabilities can emerge, bypassing previously implemented security measures.