Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

CVE-2013-3632

Disclosure Date: September 29, 2014
CVE-2013-3632
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated
Validated
Validated
Validated
Initial Access
Techniques
Validation
Validated
Validated
Persistence
Techniques
Validation
Validated
Validated
Privilege Escalation
Techniques
Validation
Validated
Validated

Description

The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Common in enterpriseEasy to weaponizeGives privileged accessVulnerable in default configurationAuthenticated
Technical Analysis

This is a golden oldie, that never has been fixed. The existing module in Metasploit , exploit/multi/http/openmediavault_cmd_exec works only on versions in the range 0.4.x
Unfortunately the vulnerability still exists within all OpenMediaVault versions starting from from 0.5 until the recent release 7.4.2-2 and it allows an authenticated user to create and run cron jobs as root on the system.
I have created a new Metasploit module that can handle all targets from versions 0.1 and above. Shodan shows more then 10000 vulnerable instances and hundreds of them still have the default admin:openmediavault credentials configured which allows an attacker to leverage this exploit.

This module has been successfully tested on:

OpenMediaVault x64 appliances:

  • openmediavault_0.2_amd64.iso
  • openmediavault_0.2.5_amd64.iso
  • openmediavault_0.3_amd64.iso
  • openmediavault_0.4_amd64.iso
  • openmediavault_0.4.32_amd64.iso
  • openmediavault_0.5.0.24_amd64.iso
  • openmediavault_0.5.48_amd64.iso
  • openmediavault_1.9_amd64.iso
  • openmediavault_2.0.13_amd64.iso
  • openmediavault_2.1_amd64.iso
  • openmediavault_3.0.2-amd64.iso
  • openmediavault_3.0.26-amd64.iso
  • openmediavault_3.0.74-amd64.iso
  • openmediavault_4.0.9-amd64.iso
  • openmediavault_4.1.3-amd64.iso
  • openmediavault_5.0.5-amd64.iso
  • openmediavault_5.5.11-amd64.iso
  • openmediavault_5.6.13-amd64.iso
  • openmediavault_6.0-16-amd64.iso
  • openmediavault_6.0-34-amd64.iso
  • openmediavault_6.0-amd64.iso
  • openmediavault_6.0.24-amd64.iso
  • openmediavault_6.5.0-amd64.iso
  • openmediavault_7.0-20-amd64.iso
  • openmediavault_7.0-32-amd64.iso

ARM64 on Raspberry PI running Kali Linux 2024-3:

  • openmediavault 7.3.0-5
  • openmediavault 7.4.2-2

VirtualBox Images (x64):

  • openmediavault 0.4.24
  • openmediavault 0.5.30
  • openmediavault 1.0.21

You can download the iso images from here.

Mitigation

There is no fix available to address this vulnerability. This weakness has been there since 2013 and never fixed. Future releases will probably not fix it. Contacted the lead developer, but did not get any response. The only precaution that you can take is to ensure that you change the default admin credentials. It is not forced, so you need to take the action yourself.

References

CVE-2013-3632
Packetstorm Public Exploit
Metasploit Module – OpenMediaVault authenticated RCE
OpenMediaVault ISO Downloads

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
exploit/multi/http/openmediavault_cmd_exec
Reporter
Unknown

Vendors

  • openmediavault

Products

  • openmediavault -
Technical Analysis