VYPR
Critical severityNVD Advisory· Published Feb 4, 2020· Updated Aug 4, 2024

CVE-2019-10786

Description

The network-manager npm package through 1.0.2 contains a command injection vulnerability that allows remote attackers to run arbitrary commands via the execSync() function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The network-manager npm package through version 1.0.2 is vulnerable to command injection. The runCommand() function in common.js is called by getDevices() in linux/manager.js, which is required by the package's index. The environment variable process.env.NM_CLI is used to construct the argument for execSync() without any sanitization, allowing attackers to inject arbitrary commands [1][2].

Exploitation

Method

An attacker can exploit this vulnerability by controlling the NM_CLI environment variable. For example, setting process.env.NM_CLI = 'echo vulnerable > create.txt & nmcli' and then calling root.getDevices() will result in the execution of the injected command. No authentication is required if an attacker can set the environment variable before the module is loaded [1].

Impact

Successful exploitation allows a remote attacker to execute arbitrary commands on the system where the vulnerable package is used. The injected command runs with the privileges of the Node.js process, which could lead to full system compromise depending on the application context [1][2].

Mitigation

Status

As of the advisory publication (February 2020), there is no fixed version available for the network-manager package. Users should consider replacing the package with an alternative or implementing strict controls over the NM_CLI environment variable to prevent injection [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: network-manager (npm)
Affected versions: <= 1.0.2
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0