The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2017:3005 advisory.

  - supervisor: Command injection via malicious XML-RPC request (CVE-2017-11610)

  - Ansible Tower:modification of git hooks in SCM repo via upstream playbook execution (CVE-2017-12148)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201709-06 (Supervisor: command injection vulnerability)

    A vulnerability in Supervisor was discovered in which an authenticated       client could send malicious XML-RPC requests and supervidord will run       them as shell commands with process privileges. In some cases,       supervisord is configured with root permissions.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process.
  Workaround :

    There is no known workaround at this time.

mnaberez reports :

supervisord can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket. The HTTP server is how supervisorctl communicates with supervisord. If an HTTP server has been enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root.

This vulnerability can only be exploited by an authenticated client or if supervisord has been configured to run an HTTP server without authentication. If authentication has not been enabled, supervisord will log a message at the critical level every time it starts.

Calum Hutton reported that the XML-RPC server in supervisor, a system for controlling process state, does not perform validation on requested XML-RPC methods, allowing an authenticated client to send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server as the same user as supervisord.

The vulnerability has been fixed by disabling nested namespace lookup entirely. supervisord will now only call methods on the object registered to handle XML-RPC requests and not any child objects it may contain, possibly breaking existing setups. No publicly available plugins are currently known that use nested namespaces. Plugins that use a single namespace will continue to work as before. Details can be found on the upstream issue at https://github.com/Supervisor/supervisor/issues/964 .

Security fix for CVE-2017-11610

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been found in supervisor, a system for controlling process state, where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord.

For Debian 7 'Wheezy', these problems have been fixed in version 3.0a8-1.1+deb7u2.

We recommend that you upgrade your supervisor packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
194022	RHEL 7 : Red Hat CloudForms (RHSA-2017:3005)	Nessus	Red Hat Local Security Checks	high
103274	GLSA-201709-06 : Supervisor: command injection vulnerability	Nessus	Gentoo Local Security Checks	high
102508	FreeBSD : Supervisord -- An authenticated client can run arbitrary shell commands via malicious XML-RPC requests (c9460380-81e3-11e7-93af-005056925db4)	Nessus	FreeBSD Local Security Checks	high
102449	Debian DSA-3942-1 : supervisor - security update	Nessus	Debian Local Security Checks	high
102393	Fedora 24 : supervisor (2017-713430fb15)	Nessus	Fedora Local Security Checks	high
102275	Fedora 25 : supervisor (2017-85eb9f7a36)	Nessus	Fedora Local Security Checks	high
102246	Fedora 26 : supervisor (2017-307eab89e1)	Nessus	Fedora Local Security Checks	high
102085	Debian DLA-1047-1 : supervisor security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2017-11610

high

Tenable Plugins

high

high

high

high

high

high

high

high