Remote Code Execution in Device42 ApplianceManager console
Description
OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS Command Injection in Device42 CMDB db_optimize allows authenticated RCE, leading to full appliance compromise.
Vulnerability
The db_optimize component in Device42 Asset Management Appliance (CMDB) versions 18.01.00 and prior contains an OS Command Injection vulnerability [1]. An authenticated attacker can exploit this to execute arbitrary operating system commands on the appliance.
Exploitation
Exploitation requires valid authentication to the Device42 appliance. The attacker sends crafted input to the db_optimize component, which fails to properly sanitize user-supplied data before incorporating it into an operating system command. According to the Bitdefender research [1], similar command injection vulnerabilities exist in other components such as the autodiscovery task, where a malicious payload is placed in the username field. The exact steps for db_optimize are not publicly detailed, but the attack vector is authenticated remote command execution.
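The following Python is an added illustration of the vulnerability class, not Device42 code (the db_optimize internals are not public, so nothing here reproduces them). It assumes a hypothetical "optimize table" action that hands a user-controlled table name to a command-line tool; the tool name `vacuumdb`, the database name `appdb` and the table-name allowlist are assumptions. It contrasts the unsafe string-building pattern with an argv-based, allowlisted version, and adds a small check of the kind a defender would run over request logs.

```python
import re
import subprocess

# Assumed allowlist for identifiers this action accepts (constructed, not Device42's rule).
TABLE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def build_optimize_shell_command(table: str) -> str:
    """VULNERABLE pattern (illustration only, never executed here): untrusted input is
    interpolated into a string destined for a shell (e.g. subprocess.run(..., shell=True)).
    Shell metacharacters inside `table` become part of the command line."""
    return f"vacuumdb --table {table} appdb"


def build_optimize_argv(table: str) -> list[str]:
    """Hardened pattern: validate against a strict allowlist, then pass the value as a
    single argv element. Rejecting unknown characters (rather than blocklisting some)
    is what makes the second layer, argv passing, sufficient on its own."""
    if not TABLE_NAME_RE.fullmatch(table):
        raise ValueError(f"rejected table name: {table!r}")
    return ["vacuumdb", "--table", table, "appdb"]


def run_optimize(table: str) -> subprocess.CompletedProcess:
    """Executes the hardened form. shell=False (the default) means argv reaches execve
    directly; no /bin/sh ever parses the user-supplied value."""
    return subprocess.run(build_optimize_argv(table), check=True, capture_output=True)


def is_injection_attempt(value: str) -> bool:
    """Detection helper for reviewing request logs or building an alert rule: flags
    values containing characters a POSIX shell treats as separators, redirections,
    pipes or substitutions. Constructed heuristic; tune to the fields you log."""
    return re.search(r"[;&|`$<>\n]", value) is not None


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a shell separator.
    for sample in ("users", "users; id"):
        print("shell string :", build_optimize_shell_command(sample))
        try:
            print("argv         :", build_optimize_argv(sample))
        except ValueError as exc:
            print("argv         : REJECTED ->", exc)
        print("flag in logs :", is_injection_attempt(sample))
```

The point of the contrast: with the string form, the separator in the second sample survives into the command line, whereas the argv form refuses it before anything is executed. The log check is deliberately a coarse heuristic; it is useful for triage of an authenticated user's requests to components like this, not as a substitute for the input validation.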
Impact
Successful exploitation allows an attacker to achieve remote code execution with root privileges on the Device42 appliance [1]. This grants full access to the underlying operating system, including the database, configuration files, and the ability to pivot to other systems in the network.
Mitigation
Device42 released a fix in collaboration with Bitdefender [1]. Users should upgrade to a version later than 18.01.00 to remediate this vulnerability. The advisory recommends updating immediately to prevent exploitation [1]. No other workarounds are available. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=18.01.00
- Device42/CMDBv5 Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.