Horizon Alert
Summary of the vulnerability and why it matters
This vulnerability affects Cockpit's remote login feature, allowing unauthenticated attackers to execute code on the host system by sending a crafted HTTP request. The issue arises from improperly validated user input passed to the SSH client, bypassing credential checks before they occur. The main concern is confirming relevance and exposure given the severity of potential code execution.
- Unauthenticated attackers can run code remotely.
- Affects systems with network-accessible management interfaces.
- Confirm relevance and potential exposure of systems.
Attack Path
How an attacker could exploit the issue
An attacker with network access to the Cockpit web service can target its remote login feature. By sending a specially crafted HTTP request to the login endpoint, the attacker can bypass authentication and inject malicious commands or options. This allows for code execution on the affected host without needing any valid credentials.
- Network access to web service required.
- Inject malicious input into login request.
- Unauthenticated code execution on host.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow an unauthenticated attacker with network access to the Cockpit web service to execute arbitrary commands on the host system. The exploit targets the remote login feature by sending a specially crafted HTTP request that injects malicious commands or SSH options, bypassing the need for valid credentials. This could impact the confidentiality, integrity, and availability of the Cockpit host.
- Host system commands and data.
- Unauthenticated network request injection.
- System compromise and data exposure.
Operational Fix
Recommended remediation, mitigation, and detection steps
Teams responsible for managing Linux systems and their associated web-based administrative interfaces, such as Infrastructure or Platform Engineering teams, should prioritize this issue. The immediate first step is to identify all systems running Cockpit, determine their network exposure, and confirm which are business-critical. Once identified, work with the asset owners to plan remediation based on the assessed risk.
- Identify affected Cockpit hosts.
- Verify network exposure and business criticality.
- Plan risk-based remediation with owners.