U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Severe Swagger Remote Code Execution flaw compromises NodeJS, Ruby, PHP, Java

This disclosure of an unpatched Remote Code Exec flaw in the Swagger API framework compromises NodeJS, Ruby, PHP, and Java. Swagger is a representation of RESTful API that allows developers to get interactive documentation, client SDK generation and discoverability. The Swagger generators are privileged tools for organisations to offer developers easy access to their APIs. Currently, the […]

Severe Swagger Remote Code Execution flaw compromises NodeJS, Ruby, PHP, Java

This disclosure of an unpatched Remote Code Exec flaw in the Swagger API framework compromises NodeJS, Ruby, PHP, and Java.

Swagger is a representation of RESTful API that allows developers to get interactive documentation, client SDK generation and discoverability.

The Swagger generators are privileged tools for organisations to offer developers easy access to their APIs.

Currently, the Swagger APIs helps companies like Apigee, Getty Images, Intuit, LivingSocial, McKesson, Microsoft, Morningstar, and PayPal in building services with RESTful APIs.

Now an unpatched remote code execution vulnerability (CVE-2016-5641) in the Swagger API framework, affecting both client and server components, has been publicly disclosed.

The security vulnerability exists in code generators within the OpenAPI Specification, the REST programming tool.

“The Open API Initiative (OAI) was created by a consortium of forward-looking industry experts who recognize the immense value of standardizing on how REST APIs are described.” states the official description.

The remote code execution vulnerability is easy to exploit due to the availability of a Metasploit module released by the security researcher Scott Davis. Davis explained that injectable parameters in Swagger JSON or YAML files allow attackers to remotely execute code across NodeJS, PHP, Ruby, and Java. Davis highlighted that other code generation tools may be vulnerable to parameter injection attacks.

“This disclosure will address a class of vulnerabilities in a Swagger Code Generator in which injectable parameters in a Swagger JSON or YAML file facilitate remote code execution. This vulnerability applies to NodeJS, PHP, Ruby, and Java and probably other languages as well.” Davis wrote in a blog post published on the Rapid7 community. “Other code generation tools may also be vulnerable to parameter injection and could be affected by this approach. By leveraging this vulnerability, an attacker can inject arbitrary execution code embedded with a client or server generated automatically to interact with the definition of service.  This is considered an abuse of trust in definition of service, and could be an interesting space for further research.” 

Davis explained that attackers can exploit specially crafted Swagger documents to dynamically create HTTP API clients and servers with embedded arbitrary code execution in the underlying operating system. The attack relies on the lack of proper sanitization of the parameters within a Swagger document.

“This is achieved by the fact that some parsers/generators trust insufficiently sanitized parameters within a Swagger document to generate a client code base.

  • On the client side, a vulnerability exists in trusting a malicious Swagger document to create any generated code base locally, most often in the form of a dynamically generated API client.
  • On the server side, a vulnerability exists in a service that consumes Swagger to dynamically generate and serve API clients, server mocks and testing specs.”

Swagger API Framework

The bad news is that the flaw is still unpatched despite is was publicly disclosed, last month the US-CERT issued a specific alert and experts from Rapid 7 already devised a fix.

Rapid7 first attempted to contact the maintainers of the Swagger project in April, exactly one week ago, on June 16, it provided to the US-CERT a patch. The Metasploit module was released on the date of public disclosure, June 23.

Waiting for the release of the patch by the maintainers, users need to carefully inspect Swagger documents for language-specific escape sequences.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – remote code execution flaw, hacking)