Remote code execution vulnerability in DebOps API
by Robin Schneider
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Dears DebOps folks
A remote code execution vulnerability has been found in the DebOps API [1], the
Python script which pre-computes the content served by https://api.debops.org/.
- - The default ``yaml.load`` method from PyYAML which is used to read
Ansigenome YAML files is unsafe.
As a result remote code execution was possible when the DebOps API script
parsed role metadata.
Refer to the issue `Make load safe_load
<https://github.com/yaml/pyyaml/issues/5>`_.
This has been fixed by switching to ``yaml.safe_load``. [ypid_]
Risk: Arbitrary code could have been executed on a server running the DebOps
API by getting a malicious `meta/ansigenome.yml` file into one of the DebOps
core roles (with DebOps being the only known deployment of the DebOps API). The
DebOps API automatically updates once per hour to the latest master of all
DebOps core roles, as part of the update, present `meta/ansigenome.yml` files
are parsed and the API data is pre-computed.
Potential code would run with the permissions of the debops-api user which is a
restricted system user [3] who’s write access is limited to DebOps API data.
Note that before changes enter DebOps core roles, they need to be reviewed by at
least one DebOps Developer [2] and we are not aware of any attempts (successful
or unsuccessful) to exploit this vulnerability to gain access to project
infrastructure.
The only known DebOps API instance [4] has been patched before publicly
disclosing this vulnerability.
This issue was reported on 2017-02-21 by Robin Schneider (DebOps Developer and
author of the DebOps API).
The fix is being pushed to the main repository shortly before this email is
being send.
This announcement is being made following the [DebOps Security Policy].
git commit which fixes it:
commit 570c61b77cf4f99091333fc687c63a822d70a7af (HEAD, master)
gpg: Signature made Di 21 Feb 2017 21:45:25 CET
gpg: using RSA key 0x489A4D5EC353C98A
gpg: Good signature from "Robin Schneider (Automatic Signing Key)
<ypid(a)riseup.net>" [ultimate]
gpg: aka "Robin Schneider (Automatic Signing Key)
<ypid23(a)aol.de>" [ultimate]
Primary key fingerprint: EF96 BC32 AC57 CFC7 2DF0 1D8C 489A 4D5E C353 C98A
Author: Robin Schneider <ypid(a)riseup.net>
Date: Tue Feb 21 21:43:52 2017
Fix remote code execution vulnerability by switching to yaml.safe_load
[1]: https://github.com/debops/debops-api
[2]:
https://docs.debops.org/en/latest/debops-keyring/docs/entities.html#debop...
ng-role-developers
[3]:
https://github.com/debops/ansible-debops_api/blob/5dcda6874ee252a2d314b8a...
0d91b6ba62/defaults/main.yml#L63
[4]: https://api.debops.org/
[DebOps Security Policy]:
https://docs.debops.org/en/latest/debops-policy/docs/security-policy.html
- --
Live long and prosper
Robin `ypid` Schneider -- https://me.ypid.de/
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYrMxuAAoJEIb9mAu/GkD4rDgP/iZZsCcAIkuujNqzKdEcu6s/
aZBfiIZUXkqoFD92MS/T3j6GUZ2hKNcCW3SZMbVb7bww71vdB12oGySVabmLXz2y
KHfbJNiMg2pvmVdf3B/R3CMNUodeR17TnmqhL5tOoxuuBg0PdzedcOSuo05H0HKp
jBZmqnNb8BLJta4Qe/fFuABRiOkt2XNdrXBJOMhc8KYGrAxSdyk/gGqgEkQKp3gh
b8xE4RfJDUZ1fA+K5wWfqPNZBYQrUsnJGpiRqI9hS36ELtFn0Pcg315FiUBcQNF/
IbfhUY1JknfsKuvB99SwI2Unl5C5t+9sOzvTXaj7LPP52mWoyC9Oi53KDqBUeiAj
/cQQz8tQtt0VHiwUTWlCQc5oWaghDRKC+LaWZfSnUvvfew6ukZ9QwEhIo29N1sBc
PUs2MNJVjbz39QhgGvMUuERDh6J3M0LJrJwYwisKhQ/ns+SHzsGBjupImfhxjQ41
4K6iX6CHFBbbOeXLHxLJS+cWMHAwtnwBT7veuRPpwO0aSMqn4TFeeFvFIxK1qVVe
WRsuaKDds8Euk4rRtz2BKWB0BX4gy0VZ6HiMjsfRnn5ymtjWDXdbNu0yweynFII0
4C4Ne+Y7MS4l1J5xvdyXpXZ9IkTf7x+pgzZotDANoEluGNsnevaYP0bHZJkSZJ84
oyZrTmN+/LLnUzMQlzPc
=SXb9
-----END PGP SIGNATURE-----
7 years, 2 months
- 1
- 0
- ← Newer
- 1
- Older →