GHSA-v529-vhwc-wfc5: Authenticated SQL Injection in OpenC3 COSMOS QuestDB Integration

OpenC3 COSMOS provides command and control (C2) functionality for embedded systems. The platform utilizes QuestDB, a high-performance time-series database, to store and query system telemetry data. Access to this data is exposed via a JSON-RPC application programming interface (API), which handles requests from various frontend clients and internal services.

The vulnerability exists within the application's API endpoints that process telemetry retrieval requests. Specifically, the vulnerability affects the get_tlm_values RPC method. This method accepts time-based parameters to filter the telemetry records returned to the client. The application fails to properly neutralize these parameters before integrating them into SQL queries.

This flaw is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Because the vulnerability resides in the core telemetry retrieval logic, any authenticated user with base telemetry permissions (tlm) can trigger the injection. This includes low-privileged roles such as Viewer or Runner, greatly expanding the population of potential attackers.

The root cause of the vulnerability is the unsafe construction of SQL queries using string interpolation. The vulnerability resides in the tsdb_lookup function, which is implemented in both the Ruby component (openc3/lib/openc3/models/cvt_model.rb) and the Python component (openc3/python/openc3/models/cvt_model.py).

When a client issues a request to the get_tlm_values endpoint, the API extracts the start_time and end_time parameters from the JSON payload. The application passes these parameters directly to the tsdb_lookup function. The function then dynamically builds a SQL query string by concatenating the unvalidated parameters directly into the WHERE clause.

The implementation assumed that time-based input parameters would conform to expected date-time formats. The application implemented no input validation or sanitization routines to enforce this assumption. Furthermore, the application failed to utilize parameterized queries or prepared statements, which are the industry standard defense against SQL injection.

The vulnerability mechanics are evident in the source code of both language implementations. The vulnerable code constructs queries by directly interpolating the start_time and end_time variables into the SQL string.

In the vulnerable Ruby implementation (cvt_model.rb), the code dynamically constructs the query based on the presence of the time parameters:

if start_time && !end_time
  query += "WHERE T0.PACKET_TIMESECONDS < '#{start_time}' LIMIT -1"
elsif start_time && end_time
  query += "WHERE T0.PACKET_TIMESECONDS >= '#{start_time}' AND T0.PACKET_TIMESECONDS < '#{end_time}'"
end
# ...
result = @@conn.exec(query)

The Python implementation (cvt_model.py) contains identical logic, utilizing f-strings for interpolation:

if start_time and not end_time:
    query += f"WHERE T0.PACKET_TIMESECONDS < '{start_time}' LIMIT -1"
elif start_time and end_time:
    query += f"WHERE T0.PACKET_TIMESECONDS >= '{start_time}' AND T0.PACKET_TIMESECONDS < '{end_time}'"
# ...
cursor.execute(query)

The patch, applied in commit 9ba60c09c8836a37a2e4ea67ab35fe403e041415, resolves the primary SQL injection vector by migrating to native database driver parameter binding. The Ruby implementation now utilizes exec_params(query, query_params) with $1, $2 positional placeholders. The Python implementation adopts cursor.execute(query, query_params) using %s placeholders.

The patch also attempts to address secondary injection vectors by adding identifier quoting in questdb_client.py for Data Definition Language (DDL) statements (e.g., ALTER TABLE ... ADD COLUMN "{col_name}"). However, the identifier quoting mechanism does not escape internal double quotes. If the application permits users to define custom telemetry items with names containing double quotes, a secondary injection vector may still exist during schema modification operations.

Exploitation requires the attacker to possess valid credentials for any role that grants tlm (telemetry) permissions. The attacker must also possess network routing to the OpenC3 COSMOS API. The vulnerability requires no user interaction and is highly reliable.

The attacker initiates the exploit by sending a crafted HTTP POST request to the JSON-RPC interface. The request targets the get_tlm_values method. The attacker injects the payload into the start_time parameter within the JSON body.

To perform data exfiltration, the attacker breaks out of the expected single-quoted string and alters the query logic to evaluate as true. A standard tautology payload accomplishes this:

{
  "jsonrpc": "2.0",
  "method": "get_tlm_values",
  "params": {
    "start_time": "' OR 1=1 --"
  },
  "id": 1
}

The application interpolates this payload, resulting in the query: SELECT ... WHERE T0.PACKET_TIMESECONDS >= '' OR 1=1 --' AND .... This bypasses the time constraint, causing the database to return all records accessible to the executed query.

The attacker can also execute stacked queries or DDL commands to destroy data. By terminating the primary SELECT statement, the attacker can execute arbitrary subsequent commands. The following payload demonstrates a destructive attack against the telemetry tables:

'; DROP TABLE 'some_telemetry_table'; --

The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical). The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) highlights the low access complexity, network attack vector, and high impact on confidentiality and integrity. The scope metric evaluates to Changed (S:C) because the vulnerability exists within the OpenC3 application but impacts a separate infrastructure component, the QuestDB database.

The confidentiality impact is severe. An attacker can leverage the SQL injection to extract arbitrary records from the QuestDB database. This includes sensitive telemetry data from managed embedded systems, which often constitutes proprietary or classified operational intelligence.

The integrity impact is equally critical. The vulnerability allows an attacker to execute arbitrary DDL operations, such as dropping tables or altering schemas. This capability permits an attacker to permanently destroy historical telemetry data or manipulate records to obscure operational anomalies. The availability impact is rated as None in the primary vector, though data destruction intrinsically degrades system availability from an operational perspective.

The definitive remediation strategy is upgrading the OpenC3 COSMOS platform to version 7.0.0-rc3 or later. This release incorporates the necessary code modifications to implement parameterized database queries, neutralizing the primary injection vectors.

Organizations unable to immediately apply the patch must implement defense-in-depth mitigations. Administrators should restrict access to the get_tlm_values RPC endpoint to essential personnel. Administrators must audit user roles to ensure the principle of least privilege is strictly enforced across all accounts with telemetry permissions.

Security teams should deploy network-based detections to identify exploitation attempts. Web Application Firewalls (WAF) must inspect incoming JSON bodies for common SQL injection syntax (e.g., single quotes, double dashes, semicolons, and SQL keywords like DROP or UNION) within time-based parameters. Furthermore, security information and event management (SIEM) systems should monitor database logs for anomalous DDL operations originating from the OpenC3 application context.