Bug 1152544 - (CVE-2014-3699) CVE-2014-3699 eDeploy: Remote code execution due to cPickle deserialization of untrusted data
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All   OS: Linux
Priority: high   Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20150317,repo...
Keywords: Security
Depends On:
Blocks: 1152549
Reported: 2014-10-14 07:42 EDT by David Jorm
Modified: 2015-03-19 00:17 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Last Closed: 2015-03-17 19:21:30 EDT


Attachments: None
Description David Jorm 2014-10-14 07:42:05 EDT
It was found that under certain conditions, eDeploy would bind cPickle to a TCP port. A remote, unauthenticated attacker able to connect to this port could provide malicious serialized data, leading to remote code execution.
Comment 1 David Jorm 2014-10-14 07:43:00 EDT
Acknowledgements:

This issue was discovered by Kurt Seifried of Red Hat Product Security.
Comment 3 Kurt Seifried 2015-03-17 15:44:37 EDT
So in src/netdetect.py and src/health_protocol.py we send and receive pickled 
data, no authentication, so anyone with network access == code execution 

Code, snipped, basically:

src/netdetect.py

def start_sync_bench_server():
    '''Server is made for receiving keepalives and manage them.'''
    ''' Let's bind a server to the Multicast group '''
        ''' Let's get keepalives from servers '''
        answer = cPickle.loads(sock.recv(10240))

def start_discovery_server():
    '''Server is made for receiving keepalives and manage them.'''
    ''' Let's bind a server to the Multicast group '''
    ''' Until we got a synthesis list from another server '''
    while not synthesis:
        answer = {}
        ''' Let's get keepalives from servers '''
        answer = cPickle.loads(sock.recv(10240))

def start_client(mode, max_clients=0):
        ''' While we are in discovery mode, let's send keepalives '''
        while discovery:
            sys.stderr.write("Sending keepalive for %s\n" % my_mac_addr)
            sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT))

            sys.stderr.write("Sending Ready To Bench for %s\n" % my_mac_addr)
            sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT))
  
        sys.stderr.write("Sending Go !\n")
        sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT_GO))

def scrub_timestamp():
    '''Scrubing deletes server that didn't sent keepalive on time.'''
                    sock.sendto(cPickle.dumps(server_list),
                                (MCAST_GRP, MCAST_PORT))

                    sys.stderr.write("No remote system detected, exiting\n")
                    sock.sendto(cPickle.dumps(message),
                                (MCAST_GRP, MCAST_PORT))
                ''' It's time to send the synthesis to the other nodes '''
                leader = True
                sock.sendto(cPickle.dumps(server_list),
                            (MCAST_GRP, MCAST_PORT))

def wait_for_go():
    global ready_to_bench
    ''' Let's bind a server to the Multicast group '''
        ''' Let's get keepalives from servers '''
        answer = cPickle.loads(sock.recv(10240))

===============================================================================

src/health_protocol.py

def start_sync_bench_server():
    '''Server is made for receiving keepalives and manage them.'''
    ''' Let's bind a server to the Multicast group '''
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
        ''' Let's get keepalives from servers '''
        answer = cPickle.loads(sock.recv(10240))

def start_discovery_server():
    '''Server is made for receiving keepalives and manage them.'''
    ''' Let's bind a server to the Multicast group '''
    ''' Until we got a synthesis list from another server '''
    while not synthesis:
        answer = {}
        ''' Let's get keepalives from servers '''
        answer = cPickle.loads(sock.recv(10240))

def start_client(mode, max_clients=0):
    '''Client is made for generating keepalives.'''
    ''' Let's prepare the socket '''
        ''' While we are in discovery mode, let's send keepalives '''
        while discovery:
            sys.stderr.write("Sending keepalive for %s\n" % my_mac_addr)
            sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT))

        while ready_to_bench:
            sys.stderr.write("Sending Ready To Bench for %s\n" % my_mac_addr)
            sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT))

        sys.stderr.write("Sending Go !\n")
        sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT_GO))

def scrub_timestamp():
    '''Scrubing deletes server that didn't sent keepalive on time.'''
                    sock.sendto(cPickle.dumps(server_list),
                                (MCAST_GRP, MCAST_PORT))

                    sys.stderr.write("No remote system detected, exiting\n")
                    sock.sendto(cPickle.dumps(message),
                                (MCAST_GRP, MCAST_PORT))
                ''' It's time to send the synthesis to the other nodes '''
                leader = True
                sock.sendto(cPickle.dumps(server_list),
                            (MCAST_GRP, MCAST_PORT))

def wait_for_go():
    global ready_to_bench
    ''' Let's bind a server to the Multicast group '''
        ''' Let's get keepalives from servers '''
        answer = cPickle.loads(sock.recv(10240))
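Added example (not part of the bug report and not eDeploy's own code) showing why the pattern quoted above is remote code execution, and two ways to close it. The snippets bind a SOCK_DGRAM multicast socket and hand sock.recv() bytes straight to cPickle.loads(); pickle lets the sender name any importable callable via __reduce__, and the unpickler calls it during load. The block below is Python 3 (its pickle module is the successor of cPickle); the multicast socket plumbing is left out so it runs offline. The payload callable (subprocess.check_output running echo), the SHARED_KEY value and the keepalive field names are constructed assumptions for the demo.

```python
import hashlib
import hmac
import io
import json
import pickle
import subprocess

# Constructed attacker payload. pickle's __reduce__ protocol lets the
# serialized data name any importable callable plus its arguments, and the
# unpickler invokes it while loading. eDeploy passed raw sock.recv() bytes
# to cPickle.loads(), so one datagram on the multicast group is enough.
class KeepaliveExploit:
    def __reduce__(self):
        # Harmless stand-in for a real command: runs `echo` on the victim.
        return (subprocess.check_output, (["echo", "pwned-by-pickle"],))


def build_malicious_keepalive():
    """Bytes a peer on the multicast group could send as a 'keepalive'."""
    return pickle.dumps(KeepaliveExploit(), protocol=2)


def vulnerable_loads(datagram):
    """eDeploy's pattern: deserialize whatever arrives on the socket."""
    return pickle.loads(datagram)


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL lookup.

    A keepalive is a dict of strings and numbers, which pickle encodes
    without importing anything, so any global reference is an attack.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing global %s.%s" % (module, name))


def restricted_loads(datagram):
    return NoGlobalsUnpickler(io.BytesIO(datagram)).load()


def restricted_loads_refuses(datagram):
    """True if the hardened unpickler rejects the datagram."""
    try:
        restricted_loads(datagram)
    except pickle.UnpicklingError:
        return True
    return False


# Better fix: drop pickle entirely. Keepalives become JSON, and every
# datagram carries an HMAC-SHA256 tag under a key provisioned out of band.
# The key below is a constructed demo value (assumption), not a real secret.
SHARED_KEY = b"constructed-demo-key-provision-a-real-one"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_keepalive(host_info, key=SHARED_KEY):
    """Serialize host_info as canonical JSON and prepend its HMAC tag."""
    body = json.dumps(host_info, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def decode_keepalive(datagram, key=SHARED_KEY):
    """Verify the tag before parsing; raise ValueError on any problem."""
    if len(datagram) < TAG_LEN:
        raise ValueError("datagram shorter than the MAC tag")
    tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        raise ValueError("bad MAC: datagram not from a key holder")
    info = json.loads(body)  # JSONDecodeError is a ValueError subclass
    if not isinstance(info, dict) or not isinstance(info.get("mac"), str):
        raise ValueError("keepalive must be an object with a 'mac' field")
    return info


def decode_keepalive_ok(datagram, key=SHARED_KEY):
    """True if decode_keepalive accepts the datagram, False if it rejects it."""
    try:
        decode_keepalive(datagram, key)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    evil = build_malicious_keepalive()
    print("vulnerable:", vulnerable_loads(evil))  # echo ran during load
    print("restricted refuses:", restricted_loads_refuses(evil))
    good = encode_keepalive({"mac": "52:54:00:12:34:56", "cpu": 4})
    print("json keepalive:", decode_keepalive(good))
    forged = good[:TAG_LEN] + b'{"cpu":4,"mac":"00:00:00:00:00:00"}'
    print("forged accepted:", decode_keepalive_ok(forged))
```

The restricted unpickler is the minimal patch (reject every GLOBAL, since legitimate keepalives never need one), but it still leaves a parser for a format designed for trusted input facing the network. The JSON plus HMAC variant removes that parser and also gives what the original protocol never had, origin authentication; it does not by itself stop replay of an old valid keepalive, so a sequence number or timestamp inside the signed body, or an authenticated transport, is still needed.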
Comment 4 Kurt Seifried 2015-03-17 19:21:30 EDT
This is now public https://github.com/enovance/edeploy/issues/229
Comment 5 Kurt Seifried 2015-03-19 00:17:09 EDT
Statement:

Red Hat does not currently ship eNovance edeploy in a product form and as such this issue has been filed upstream.
