
Cloud Vulnerability DB
A community-led vulnerabilities database
NZBGet 21.1 allows authenticated remote code execution through unarchive programs (7za and unrar) that preserve executable file permissions. The vulnerability (CVE-2023-49102) was discovered in November 2023 and affects the unmaintained NZBGet software. An attacker with Control capability can execute arbitrary code by setting the value of SevenZipCommand or UnrarCmd (NVD, MITRE).
The vulnerability exists because both supported unarchive programs (7za and unrar) preserve file permissions when extracting archives. This means that if an archive contains a shell script with execute permissions, those permissions are maintained after extraction. An attacker can exploit this by uploading a malicious executable file and then modifying the SevenZipCommand or UnrarCmd settings to point to the extracted executable. The vulnerability has a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (SEC_MARIDE).
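One defensive check that follows from the mechanism above is to audit the unpack command settings the page names (SevenZipCommand and UnrarCmd) and flag any that resolve to a file under the download directories, since that is where extracted executables land. This is an added example, not code from the page or from the NZBGet project; it assumes the Key=Value layout of nzbget.conf with ${MainDir}-style path references, an assumed allowlist of trusted binary directories, and a constructed sample config.

```python
import os

TRUSTED_BIN_DIRS = ("/bin", "/usr/bin", "/usr/local/bin")  # assumed allowlist
UNPACK_KEYS = ("SevenZipCommand", "UnrarCmd")
DOWNLOAD_DIR_KEYS = ("MainDir", "DestDir", "InterDir")

# Constructed sample, not a real nzbget.conf: UnrarCmd has been pointed at a
# file inside the completed-downloads tree, the pattern this page describes.
SAMPLE_CONF = """\
MainDir=/data/nzbget
DestDir=${MainDir}/completed
InterDir=${MainDir}/intermediate
SevenZipCommand=7z
UnrarCmd=/data/nzbget/completed/tools/unrar
"""


def parse_nzbget_conf(text):
    """Parse Key=Value lines, skipping blanks and # comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def expand(cfg, value):
    """Resolve ${OtherKey} references used in NZBGet path settings."""
    for key, val in cfg.items():
        value = value.replace("${%s}" % key, val)
    return value


def audit_unpack_commands(cfg):
    """Return (key, command, severity) for each unpack command worth reviewing."""
    download_dirs = [os.path.normpath(expand(cfg, cfg[k]))
                     for k in DOWNLOAD_DIR_KEYS if k in cfg]
    findings = []
    for key in UNPACK_KEYS:
        parts = expand(cfg, cfg.get(key, "")).split()
        if not parts:
            continue
        cmd = os.path.normpath(parts[0])
        if not os.path.isabs(cmd):
            findings.append((key, cmd, "low"))  # bare name, resolved via PATH
        elif any(cmd.startswith(d + os.sep) for d in download_dirs):
            findings.append((key, cmd, "high"))  # executable taken from downloads
        elif os.path.dirname(cmd) not in TRUSTED_BIN_DIRS:
            findings.append((key, cmd, "medium"))  # unexpected location
    return findings
```

Run `audit_unpack_commands(parse_nzbget_conf(open("nzbget.conf").read()))` against a live config; any "high" finding means an unpack command has been redirected into the download tree.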
Successful exploitation allows an authenticated attacker with Control user privileges to execute arbitrary code on the system running NZBGet. This could lead to complete system compromise within the context of the NZBGet application (NVD).
Since this vulnerability affects an unmaintained version of the software, the primary mitigation is to migrate to an alternative, maintained solution. For those who must continue using NZBGet, it is recommended to change credentials for the Control user and evaluate if the instance needs to be exposed to the internet (SEC_MARIDE).
The discovery of this vulnerability serves as a reminder of the risks associated with using unmaintained software. Over 1,500 publicly available instances were found to be potentially vulnerable at the time of disclosure (SEC_MARIDE).
Source: This report was generated using AI