Other commands are executable on the operator-cli

[itechpartners]

Hello Team,
I identified something which I believe is an opportunity for security improvement.

The operator-cli environment allows other commands to be executed successfully within the shell environment. This should be restricted to allow only required and applicable commands that are specific to Shardeum

I will suggest that any command except the ones listed by Sharduem shouldnot be allowed to execute within the operator cli-environment

CLI part of the operator dashboard
Commands:
status
stake_info

start
stop [options]
stake
unstake [options]
update
version
network-stats
node-settings
set
gui
help [command]

[soniasingla]

@itechpartners 👋 Thank you for bringing this issue to our attention. I am currently investigating the problem and will provide updates as soon as I have more information 🤗

[mssabr01]

@itechpartners Can you provide a proof of concept of how this can be exploited? The CLI is designed to be run locally and not be accessible from the internet. In this use case, an attacker can just enter commands into bash without interacting with the operator CLI at all

[itechpartners]

Hello Mehdi and Team, The objective is to prevent any package or process from running on the Shardeum shell. I could create files and directories on the /app$ shell, but when I tried executing packages, there were running on the system kernel. I will say the risk is minimal, but allowing only applicable commands to execute on the Sharduem shell in future versions will be a good practice. Kind regards,Charles AsiafaEmail: ***@***.*** On Tuesday, June 18, 2024 at 08:14:11 PM GMT+1, Mehdi Sabraoui ***@***.***> wrote: @itechpartners Can you provide a proof of concept of how this can be exploited? The CLI is designed to be run locally and not be accessible from the internet. In this use case, an attacker can just enter commands into bash without interacting with the operator CLI at all — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>