The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2017:3005 advisory.

    Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the     challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a     model-view-controller (MVC) framework for web application development. Action Pack implements the     controller and the view components.

    The following packages have been upgraded to a later upstream version: ansible-tower (3.1.5), cfme     (5.8.2.3), cfme-appliance (5.8.2.3), cfme-gemset (5.8.2.3), rabbitmq-server (3.6.9), rh-ruby23-rubygem-     nokogiri (1.8.1), supervisor (3.1.4). (BZ#1476286, BZ#1485484)

    Security Fix(es):

    * A flaw was found in Tower's interface with SCM repositories. If a Tower project (SCM repository)     definition does not have the 'delete before update' flag set, an attacker with commit access to the     upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies     the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command     and code execution as the user Tower runs as. (CVE-2017-12148)

    * A vulnerability was found in the XML-RPC interface in supervisord. When processing malformed commands,     an attacker can cause arbitrary shell commands to be executed on the server as the same user as     supervisord. Exploitation requires the attacker to first be authenticated to the supervisord service.
    (CVE-2017-11610)

    The CVE-2017-12148 issue was discovered by Ryan Petrello (Red Hat).

    Additional Changes:

    This update also fixes several bugs and adds various enhancements. Documentation for these changes is     available from the Release Notes document linked to in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201709-06 (Supervisor: command injection vulnerability)

    A vulnerability in Supervisor was discovered in which an authenticated       client could send malicious XML-RPC requests and supervidord will run       them as shell commands with process privileges. In some cases,       supervisord is configured with root permissions.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process.
  Workaround :

    There is no known workaround at this time.

mnaberez reports :

supervisord can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket. The HTTP server is how supervisorctl communicates with supervisord. If an HTTP server has been enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root.

This vulnerability can only be exploited by an authenticated client or if supervisord has been configured to run an HTTP server without authentication. If authentication has not been enabled, supervisord will log a message at the critical level every time it starts.

Calum Hutton reported that the XML-RPC server in supervisor, a system for controlling process state, does not perform validation on requested XML-RPC methods, allowing an authenticated client to send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server as the same user as supervisord.

The vulnerability has been fixed by disabling nested namespace lookup entirely. supervisord will now only call methods on the object registered to handle XML-RPC requests and not any child objects it may contain, possibly breaking existing setups. No publicly available plugins are currently known that use nested namespaces. Plugins that use a single namespace will continue to work as before. Details can be found on the upstream issue at https://github.com/Supervisor/supervisor/issues/964 .

Security fix for CVE-2017-11610

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been found in supervisor, a system for controlling process state, where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord.

For Debian 7 'Wheezy', these problems have been fixed in version 3.0a8-1.1+deb7u2.

We recommend that you upgrade your supervisor packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
194022	RHEL 7 : Red Hat CloudForms (RHSA-2017:3005)	Nessus	Red Hat Local Security Checks	high
103274	GLSA-201709-06 : Supervisor: command injection vulnerability	Nessus	Gentoo Local Security Checks	high
102508	FreeBSD : Supervisord -- An authenticated client can run arbitrary shell commands via malicious XML-RPC requests (c9460380-81e3-11e7-93af-005056925db4)	Nessus	FreeBSD Local Security Checks	high
102449	Debian DSA-3942-1 : supervisor - security update	Nessus	Debian Local Security Checks	high
102393	Fedora 24 : supervisor (2017-713430fb15)	Nessus	Fedora Local Security Checks	high
102275	Fedora 25 : supervisor (2017-85eb9f7a36)	Nessus	Fedora Local Security Checks	high
102246	Fedora 26 : supervisor (2017-307eab89e1)	Nessus	Fedora Local Security Checks	high
102085	Debian DLA-1047-1 : supervisor security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2017-11610

high

Tenable Plugins

high

high

high

high

high

high

high

high