VYPR · NVD Advisory · High severity · Published Jan 25, 2023 · Updated Apr 1, 2025

CVE-2022-21810

Description

Command injection in smartctl npm package via unsanitized input to the info method allows arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The smartctl npm package, in all versions, is vulnerable to command injection through its info method [1]. The root cause is improper sanitization of user-supplied input before it is passed to system commands that execute the smartctl binary [2]. Specifically, the info method does not validate or escape device name parameters, allowing an attacker to inject arbitrary shell commands via special characters such as semicolons [3].

Attack Vector

An attacker can exploit this vulnerability by providing a crafted device string to the info method. For example, passing a value like ;touch EXPLOITED; results in execution of the touch EXPLOITED command in addition to the intended smartctl command [3]. The attack does not require authentication beyond access to the application's API or interface that passes user input to the info method. Since the package is designed for Node.js applications that interact with SMART data, any application using the vulnerable method with user-controllable input is at risk [2].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the host system with the privileges of the Node.js process. This can lead to full compromise of the application and underlying system, including data exfiltration, installation of backdoors, or lateral movement within the infrastructure [3]. The vulnerability is rated with a high CVSS score due to the ease of exploitation and severe consequences [1].

Mitigation Status

As of the disclosure date (January 2023), there is no fixed version of the smartctl package available [3]. The package appears to be unmaintained or abandoned, leaving users with no official patch. Mitigation strategies include sanitizing all input before passing it to the info method, avoiding the use of the package, or replacing it with an alternative library. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
smartctl (npm)   <= 1.0.0            none

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
