9.8 CVE-2023-22279

RCE Injection SQL

MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allow a remote unauthenticated attacker to execute an arbitrary OS command.


CWE-78 : Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints. If at all possible, use library calls rather than external processes to recreate the desired functionality. For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field. For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line. When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). Use runtime policy enforcement to create an allowlist of allowable commands, then prevent use of any command that does not appear in the allowlist. Technologies such as AppArmor are available to do this. Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. OS command injection in Wi-Fi router, as exploited in the wild per CISA KEV. Template functionality in network configuration management tool allows OS command injection, as exploited in the wild per CISA KEV. Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV. Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. Language interpreter's mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible. Web server allows command execution using "|" (pipe) character. FTP client does not filter "|" from filenames returned by the server, allowing for OS command injection. Shell metacharacters in a filename in a ZIP archive Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link. OS command injection through environment variable. OS command injection through https:// URLs Chain: incomplete denylist for OS command injection Product allows remote users to execute arbitrary commands by creating a file whose pathname contains shell metacharacters.




cpe start end
Configuration 1
   cpe:2.3:o:ate-mahoroba:maho-pbx_netdevancer_firmware:*:*:*:*:lite:*:*:* < 1.11.00
  Running on/with
Configuration 2
   cpe:2.3:o:ate-mahoroba:maho-pbx_netdevancer_vsg_firmware:*:*:*:*:lite:*:*:* < 1.11.00
  Running on/with
Configuration 3
   cpe:2.3:o:ate-mahoroba:maho-pbx_netdevancer_mobilegate_firmware:*:*:*:*:home:*:*:* < 1.11.00
  Running on/with
Configuration 4
   cpe:2.3:o:ate-mahoroba:maho-pbx_netdevancer_firmware:*:*:*:*:uni:*:*:* < 1.11.00
  Running on/with
Configuration 5
   cpe:2.3:o:ate-mahoroba:maho-pbx_netdevancer_firmware:*:*:*:*:pro:*:*:* < 1.11.00
  Running on/with
Configuration 6
   cpe:2.3:o:ate-mahoroba:maho-pbx_netdevancer_firmware:*:*:*:*:cloud:*:*:* < 1.11.00
  Running on/with
Configuration 7
   cpe:2.3:o:ate-mahoroba:maho-pbx_netdevancer_vsg_firmware:*:*:*:*:uni:*:*:* < 1.11.00
  Running on/with
Configuration 8
   cpe:2.3:o:ate-mahoroba:maho-pbx_netdevancer_mobilegate_firmware:*:*:*:*:office:*:*:* < 1.11.00
  Running on/with




id description date
No known exploits

Other (github, ...)

No known exploits


Common Attack Pattern Enumerations and Classifications

id description severity
108 Command Line Execution through SQL Injection
Very High
15 Command Delimiters
43 Exploiting Multiple Input Interpretation Layers
6 Argument Injection
88 OS Command Injection