VYPR
Critical severity · NVD Advisory · Published Nov 21, 2024 · Updated Nov 21, 2024

CVE-2024-28892


Description

An unauthenticated OS command injection in GoCast 1.1.3's name parameter allows arbitrary command execution via crafted HTTP requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Description

GoCast 1.1.3 contains an OS command injection vulnerability in the name parameter used to create loopback interface labels [1]. The addLoopback function in system.go constructs an ip address command by directly embedding the user-supplied name into the label, without sanitization [3][4]. Although the label is truncated to 15 characters (leaving only 12 characters for the injection due to the "lo:" prefix), this is sufficient to inject arbitrary commands [3][4].
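The description above points at the two defects a fix would address: the name is embedded into a command string without validation, and the only limit is a silent 15-byte truncation. The following Go snippet is an added illustration of the hardened pattern, not GoCast's own code: the name is checked against a character allowlist, the "lo:" label length limit is enforced by rejecting over-long names instead of truncating them, and the arguments reach ip(8) as an argv slice so that no shell ever parses them. All function, variable and error names here are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
	"regexp"
	"strings"
)

// Hypothetical hardened version of the label-building step the advisory
// describes for addLoopback in system.go. Illustrative code, not the
// project's implementation.

// Linux interface names/labels are limited to IFNAMSIZ-1 = 15 bytes.
const maxIfLabel = 15

// labelChars is an allowlist: letters, digits, '-' and '_' only. Anything a
// shell could interpret (';', '|', '$', backticks, quotes, spaces) is rejected.
var labelChars = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

var ErrBadName = errors.New("invalid loopback name")

// LoopbackLabel validates the user-supplied name and returns the "lo:<name>"
// label, or an error if the name is empty, contains characters outside the
// allowlist, or would make the label longer than 15 bytes.
func LoopbackLabel(name string) (string, error) {
	if name == "" || !labelChars.MatchString(name) {
		return "", ErrBadName
	}
	label := "lo:" + name
	if len(label) > maxIfLabel {
		return "", ErrBadName // reject rather than silently truncate
	}
	return label, nil
}

// AddLoopbackArgs builds the argv for `ip address add`. The address is parsed
// as CIDR so a malformed value is rejected before any command is built, and
// because the result is an argument slice there is no shell string to inject into.
func AddLoopbackArgs(addr, name string) ([]string, error) {
	if _, _, err := net.ParseCIDR(addr); err != nil {
		return nil, fmt.Errorf("invalid address %q: %w", addr, err)
	}
	label, err := LoopbackLabel(name)
	if err != nil {
		return nil, err
	}
	return []string{"address", "add", addr, "dev", "lo", "label", label}, nil
}

// AddLoopback executes the command. exec.Command passes args directly to the
// ip binary (no /bin/sh), so metacharacters would be seen literally by ip(8).
// Running it requires CAP_NET_ADMIN; it is shown for completeness only.
func AddLoopback(addr, name string) error {
	args, err := AddLoopbackArgs(addr, name)
	if err != nil {
		return err
	}
	out, err := exec.Command("ip", args...).CombinedOutput()
	if err != nil {
		return fmt.Errorf("ip %s: %w: %s", strings.Join(args, " "), err, out)
	}
	return nil
}

func main() {
	// Constructed sample inputs: one valid name, one with a shell metacharacter,
	// one that would exceed the 15-byte label limit.
	for _, n := range []string{"vip1", "bad;name", "this-name-is-too-long"} {
		args, err := AddLoopbackArgs("10.0.0.5/32", n)
		fmt.Printf("%-24q -> args=%v err=%v\n", n, args, err)
	}
}
```

Rejecting over-long names (instead of truncating) matters because truncation changes what the command actually does without telling the caller; validating before building the argv keeps the decision in one place, and the argv form means the validation is defence in depth rather than the only thing standing between the request and a shell.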

Attack

Vector

The vulnerability can be triggered via an unauthenticated HTTP request to the registration endpoint (e.g., /register?name=) [3][4]. The HTTP API is enabled by default with no authentication, making it accessible to any network attacker [3]. Additionally, exploitation may be possible through configuration files or Consul integration [3]. No special privileges or user interaction are required [1].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the GoCast process, typically leading to complete system compromise [1][3][4]. The CVSS v3.1 score is 9.8 (Critical) [3][4].

Mitigation

As of the advisory, no patch has been released [3]. Mitigations include disabling the HTTP API, placing it behind an authentication proxy, disabling Consul integration, and restricting configuration file permissions [3][4]. Users should review the default configuration to ensure the API is not exposed unnecessarily [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/mayuresh82/gocast (Go)
Affected versions: <= 1.1.3
Patched versions: none

Affected products: 5

Patches: 0

No patches discovered yet.


References: 4
