Revolution Pi: Security Issues in Webstatus

Kunbus-2024-0000001: Security Issues in Webstatus

Publisher: Kunbus PSIRT Document category: csaf_security_advisory
Initial release date: 2024-09-19T10:00:00.000Z Engine: csaf-cms-backend 1.0.0
Current release date: 2024-09-19T10:00:00.000Z Build Date: 2024-09-19T08:04:21.902Z
Current version: 1.0.0 Status: final
CVSSv3.1 Base Score: 6.7 Severity: Important
Original language: Language: en-US
Also referred to:

Vulnerabilities

Authenticated Command Injection in Webstatus (CVE-2024-8684)

Description

The command execution of webstatus lacks proper input validation which leads to the ability to inject arbitrary commands for a user authenticated to the application. The commands are would be executed in the context of the low privileged www-data user. The main PHP file governing the behavior of the Revolution Pi administrative web application is vulnerable to command injection, allowing for arbitrary code execution as the low-privileged www-data user.

CWE: CWE-78:Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Known affected
Product CVSS-Vector CVSS Base Score
KUNBUS Revolution Pi Revolution Pi OS Buster (08/2022) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H 6.7
KUNBUS Revolution Pi webstatus <=2.4.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H 6.7
Fixed
  • KUNBUS Revolution Pi webstatus 2.4.2

Directory Traversal in Pictory (CVE-2024-8685)

Description

Pictory has a function to list directory contents. This is nessesary to provide the option to load configurations to the user. Due to insufficient input sanitation it was possible get directory listings of all directories the www-data user has access to and not only the data storage directory of the application. It was not possible to get the file contents with this vulnerability.

CWE: CWE-22:Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Known affected
Product CVSS-Vector CVSS Base Score
KUNBUS Revolution Pi Revolution Pi OS Buster (08/2022) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 2.7
KUNBUS Revolution Pi pictory < 2.1.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 2.7
Fixed
  • KUNBUS Revolution Pi pictory 2.1.1

Acknowledgments

Kunbus PSIRT thanks the following parties for their efforts:
  • Ethan Shackelford, Ehab Hussein from IOActive for Thanks for discovering and reporting the vulnerabilities.
  • INCIBE for Thanks for CVE assignment and coordination.

Kunbus PSIRT

Namespace: https://www.kunbus.com

product-security@kunbus.com

References

Revision history

Version Date of the revision Summary of the revision
1.0.0 2024-09-19T10:00:00.000Z Initial Publication

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/