FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Supervisord -- An authenticated client can run arbitrary shell commands via malicious XML-RPC requests

Affected packages
py27-supervisor < 3.3.3,1

Details

VuXML ID c9460380-81e3-11e7-93af-005056925db4
Discovery 2017-07-24
Entry 2017-08-15

mnaberez reports:

supervisord can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket. The HTTP server is how supervisorctl communicates with supervisord. If an HTTP server has been enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root.

This vulnerability can only be exploited by an authenticated client or if supervisord has been configured to run an HTTP server without authentication. If authentication has not been enabled, supervisord will log a message at the critical level every time it starts.

References

CVE Name CVE-2017-11610
URL http://supervisord.org/changes.html
URL https://github.com/Supervisor/supervisor/issues/964#issuecomment-317551606