Two vulnerabilities in the Rocket Chat (RC) application make it possible for attackers to achieve remote code execution on the server hosting them. RC is a popular open-source messaging platform for enterprise customers. Customers include Lloyd’s, Lockheed Martin and the University of California.
RC utilises the MongoDB database, which uses NoSQL to store its data. Researchers from SonarSource analysed the source code and found two NoSQL injections in the web interface that enabled attackers to execute arbitrary commands on the back-end database.
The password reset API was accessible to unauthenticated users, which could be abused to leak sensitive account information such as email, password hash and two-factor authentication secrets. An attacker could easily use this vulnerability to hijack an administrator account, where they can create a webhook to send system commands to the hosting server.
Affected version: 3.12.1
The impact
Threat actors who successfully exploit these vulnerabilities can perform several malicious actions including hijacking user accounts, escalating privileges on the host and executing system commands, all of which can result in a complete compromise of the host server in the context of an administrator account.
The remediation
To mitigate against these vulnerabilities, it is highly recommended that RC users upgrade to version 3.14.1.
Relevant resources:
- Security updates/fixes by Rocket.Chat version
- Latest Rocket.Chat release information
- Technical blog on NoSQL vulnerabilities