OS Command Injection Through Port Scanning on Roxy-WI Web Interface
CVE-2024-43804

8.8 HIGH

Key Information:

Vendor: Roxy-wi
CVE Published: 29 August 2024

Summary

An OS Command Injection vulnerability in Roxy-WI, a web interface used for managing HAProxy, Nginx, Apache, and Keepalived servers, permits an authenticated user to execute arbitrary commands on the server. The vulnerability arises from insufficient validation of user input during the construction and execution of OS commands, particularly in the port scanning feature. When the application processes JSON POST data and the 'id' key is absent, the value of the 'ip' key is assigned to the 'ip' variable. Because this attacker-controlled value is not sanitized, it is used directly in command construction. The subsequent call to server_mod.subprocess_execute runs the resulting string through subprocess.Popen() with shell=True, so shell metacharacters in the 'ip' value are interpreted and arbitrary OS commands can be executed. Users should contact Roxy-WI for patch coordination to mitigate exposure to this vulnerability.
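The following is an added illustration, not Roxy-WI's code: it contrasts the flawed flow the summary describes (the 'ip' value copied unchecked into a shell string) with a hardened version that validates the target as a literal IP address and passes an argument list to subprocess without a shell. The scanner name "nmap", the placeholder address used for the 'id' branch, and the request bodies are assumptions constructed for the example.

```python
import ipaddress
import subprocess

# Constructed request bodies standing in for the JSON POST data described above.
REQUEST_BY_IP = {"ip": "192.0.2.10", "ports": "22,80,443"}
REQUEST_BAD_IP = {"ip": "not-an-ip", "ports": "22"}

SCANNER = "nmap"              # assumed stand-in for the real scanner binary
ID_LOOKUP_PLACEHOLDER = "203.0.113.5"  # stands in for an address looked up by 'id'


def vulnerable_command(body: dict) -> str:
    """Shape of the flaw: with no 'id' key, 'ip' is interpolated unchecked into
    a single string that the original code hands to Popen(..., shell=True)."""
    ip = body.get("ip", "") if "id" not in body else ID_LOOKUP_PLACEHOLDER
    return f"{SCANNER} -p {body.get('ports', '')} {ip}"


def validate_ip(value) -> str:
    """Accept only a literal IPv4/IPv6 address; anything else raises ValueError."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError as exc:
        raise ValueError(f"rejected scan target {value!r}") from exc


def validate_ports(value) -> str:
    """Accept only a comma-separated list of integers in 1..65535."""
    ports = []
    for item in str(value).split(","):
        item = item.strip()
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"rejected port spec {value!r}")
        ports.append(str(int(item)))
    return ",".join(ports)


def hardened_argv(body: dict) -> list:
    """Build an argv list from validated tokens; the list never reaches a shell,
    so metacharacters in the input have no special meaning."""
    ip = validate_ip(body["ip"]) if "id" not in body else ID_LOOKUP_PLACEHOLDER
    return [SCANNER, "-p", validate_ports(body.get("ports", "")), ip]


def is_accepted(body: dict) -> bool:
    """True if the request passes validation (used to check rejection paths)."""
    try:
        hardened_argv(body)
        return True
    except (ValueError, KeyError):
        return False


def run_scan(body: dict) -> subprocess.CompletedProcess:
    # shell=False (the default) with an argv list replaces the Popen(shell=True) pattern.
    return subprocess.run(hardened_argv(body), capture_output=True, text=True, timeout=60)
```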

Affected Version(s)

roxy-wi <= 8.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
