Deserialization of untrusted data in MCollective

#VU8099 Deserialization of untrusted data in MCollective

Published: 2017-09-05

Vulnerability identifier: #VU8099

Vulnerability risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2292

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MCollective
Server applications / Frameworks for developing and running applications

Vendor: Puppet Labs

Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code.

The weakness exists due to deserialization of YAML from agents without calling safe_load. A remote attacker can send a specially crafted request and execute arbitrary code on the server.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Update to version 2.11.0.

Vulnerable software versions

MCollective: 2.8.7 - 10.0

External links
http://puppet.com/security/cve/cve-2017-2292

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for MCollective

Remote code execution in Puppet MCollective