A SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb lookup function in the cvt model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data.

Figure 1: Source code vulnerable to SQL injection Additionally, the get tlm values RPC endpoint only requires “tlm” permissions, allowing any user with the Admin, Operator, Viewer, or Runner roles to send a request to the TSDB. This permission is defined in roles-permissions.md to allow for the user to view telemetry data, but this vulnerability also allows them to delete data and tables.

Figure 2: Source code showing the required permissions for the get tlm values endpoint Sending a normal request to the endpoint brings back a single array of values for the parameter:

Figure 3: A normal request to the get tlm values endpoint However, sending a specially crafted request within the start time variable brings back all the data in the database:

Figure 4: The request and response after sending the SQL injection payload This payload can be modified to executes SQL commands in the TSDB.

Figure 5: SQL injection used to execute arbitrary SQL command The user can then delete all the historical data in the database:

Figure 6: Example payload dropping the tables

‘ OR 1=1 --

• Sanitize all user-supplied input before executing it • Use prepared statements with parameterized queries when executing SQL statements