Suricata-Update uses the insecure yaml.load()
function. Code will be executed if the yaml-file contains lines like:
hello: !!python/object/apply:os.system ['ls -l > /tmp/output']
The vulnerable function can be triggered by “suricata-update list-sources”. The locally stored index.yaml will be loaded in this function and the malicious code gets executed.
CPE | Name | Operator | Version |
---|---|---|---|
suricata-update | eq | 1.0.0a1 |
github.com/OISF/suricata-update
github.com/OISF/suricata-update/commit/76270e73128ca1299b4e33e7e2a74ac3d963a97a
github.com/OISF/suricata-update/pull/23
nvd.nist.gov/vuln/detail/CVE-2018-1000167
redmine.openinfosecfoundation.org/issues/2359
tech.feedyourhead.at/content/remote-code-execution-in-suricata-update