Virsec Security Research Lab

CVE-2020-7778 Systeminformation NPM package (Command Injection)

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.

1.1 Vulnerability Summary

This vulnerability affects the systeminformation package before version 4.30.2. An attacker can overwrite the properties and functions of an object, which can lead to the execution of OS commands.
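The pattern behind this class of bug, as an added example that is not code from the advisory or from the systeminformation project: an option object whose property can arrive through a polluted prototype is concatenated into a command string, shown next to a hardened variant that accepts only own properties, applies a strict allowlist and returns an argument array for execFile(). Function names, the allowlist and the sample value are constructed for illustration.

```javascript
// Strict allowlist (constructed) for a value that may reach a command line:
// hostnames and IPv4 literals only, so shell metacharacters are rejected.
const SAFE_HOST = /^[A-Za-z0-9.-]{1,253}$/;

// Vulnerable pattern: a property read from the options object, whether own
// or inherited from a polluted prototype, is concatenated into a shell string.
function buildPingCommandVulnerable(opts) {
  return 'ping -c 1 ' + opts.host;
}

// Hardened pattern: accept only own properties, reject anything outside the
// allowlist, and hand back a program plus argument array for execFile(),
// which passes arguments to the program without a shell parsing them.
function validateHost(opts) {
  if (!Object.prototype.hasOwnProperty.call(opts, 'host')) {
    throw new Error('host must be an own property of the options object');
  }
  const host = String(opts.host);
  if (!SAFE_HOST.test(host)) {
    throw new Error('host rejected by allowlist: ' + JSON.stringify(host));
  }
  return host;
}

function buildPingArgsHardened(opts) {
  return { file: 'ping', args: ['-c', '1', validateHost(opts)] };
}

// Helper that simulates prototype pollution of one key for the duration of
// fn() and always removes it again, so the process is left clean afterwards.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key,
    { value, configurable: true, writable: true });
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// Constructed sample: a benign value carrying a command separator. Nothing
// here executes it; the point is whether it reaches the command at all.
const POLLUTED_VALUE = '127.0.0.1; echo polluted';

console.log('vulnerable: ' +
  withPollutedPrototype('host', POLLUTED_VALUE, () => buildPingCommandVulnerable({})));
try {
  withPollutedPrototype('host', POLLUTED_VALUE, () => buildPingArgsHardened({}));
} catch (e) {
  console.log('hardened: ' + e.message);
}
```

The vulnerable builder emits the inherited value on an empty options object; the hardened builder throws because the property is not an own property, and throws again if an own value contains characters outside the allowlist.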

CVE-2020-7778


1.2 CVSS Score

The CVSS base score of this vulnerability is 7.3 (High): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

1.3 Affected Version

systeminformation NPM package (System and OS information library for Node.js) before version 4.30.2

1.4 Vulnerability Attribution

This vulnerability was reported by Snyk.

1.5 Risk Impact

systeminformation is a Node.js library (System and OS information library for Node.js) with around 20 million downloads overall. This vulnerability can be used to plant a remote backdoor on the system, which can then be used for lateral movement or for exfiltration of sensitive server information. An exploit is publicly available.


1.6 Virsec Security Platform (VSP) Support:


The Virsec Security Platform (VSP)-Web has the capability to detect all types of command injection attacks and prevent this vulnerability from being exploited.

VSP-Host monitors spawned processes that are not part of the set of whitelisted processes. Any attempt to execute a new command or an unknown binary is denied by VSP-Host's Process Monitoring capability.


1.7 Reference Links:

Download the full vulnerability report to learn more about this and other important vulnerabilities.