GitHub Advisory DatabaseGHSA-7C4H-W765-6PWGOISF suricata-update unsafely deserializes YAML data
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.9 Medium
AI Score
Confidence
High
0.004 Low
EPSS
Percentile
73.4%
Suricata-Update uses the insecure yaml.load() function. Code will be executed if the yaml-file contains lines like:
hello: !!python/object/apply:os.system ['ls -l > /tmp/output']
The vulnerable function can be triggered by “suricata-update list-sources”. The locally stored index.yaml will be loaded in this function and the malicious code gets executed.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| suricata-update | le | 1.0.0a1 |
References
github.com/advisories/GHSA-7c4h-w765-6pwg
github.com/OISF/suricata-update/commit/76270e73128ca1299b4e33e7e2a74ac3d963a97a
github.com/OISF/suricata-update/pull/23
nvd.nist.gov/vuln/detail/CVE-2018-1000167
redmine.openinfosecfoundation.org/issues/2359
tech.feedyourhead.at/content/remote-code-execution-in-suricata-update
Related
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.9 Medium
AI Score
Confidence
High
0.004 Low
EPSS
Percentile
73.4%