CVE-2018-20053
Description
An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. The hostname, timezone, and NTP server configurations on the CCE device are vulnerable to command injection by sending a crafted configuration file over the network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2018-20053 is a command injection vulnerability in Cerner Connectivity Engine 4 devices that allows unauthenticated remote code execution via a crafted configuration file.
Vulnerability
The vulnerability is a command injection in the hostname, timezone, and NTP server configuration fields of Cerner Connectivity Engine (CCE) 4 devices. An unauthenticated attacker can send a specially crafted configuration file over the network to trigger the injection. Affected versions are CCE 4 firmware builds prior to December 2018 [1].
Exploitation
An attacker does not require authentication; they can send a crafted configuration file over the network. The configuration file contains malicious commands in the hostname, timezone, or NTP server fields. The CCE device processes the file and executes the injected commands without any user interaction [1].
Impact
Successful exploitation allows remote code execution with the privileges of the unprivileged user running the main CCE firmware. Additionally, the advisory notes that this user has NOPASSWD sudo privileges to several utilities, which could be used to escalate privileges to root (CVE-2018-20052) [1].
Mitigation
The vendor released a firmware update after December 2018. Users should update to any firmware version released after 12/2018. No workarounds are documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog as of this writing [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 4
Patches
No patches discovered yet.
References
[1] www.securifera.com/advisories/cve-2018-20052-20053/ (mitre, x_refsource_MISC)