A high-severity code injection vulnerability has been disclosed in 23andMe’s Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code.
The flaw, tracked as CVE-2021-38305 (CVSS score: 7.8), involves manipulating the schema file supplied as input to the tool to bypass protections and achieve code execution. Specifically, the issue resides in the schema parsing function, which allows any input passed to it to be evaluated and executed, resulting in a scenario where a specially-crafted string within the schema can be abused for the injection of system commands.
Yamale is a Python package that allows developers to validate YAML — a data serialization language commonly used for writing configuration files — from the command line. The package is used by at least 224 repositories on GitHub.
“This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process,” JFrog Security CTO Asaf Karas said in an emailed statement to The Hacker News. “We recommend sanitizing any input going to eval() extensively and — preferably — replacing eval() calls with more specific APIs required for your task.”
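The recommendation above, replacing eval() on schema strings with a narrower API, can be shown in a few lines. The following is an added illustration, not Yamale's own code: it parses validator expressions of the shape a Yamale-style schema uses (for example "str(min=2, max=10)" or "list(str())") with Python's ast module, accepting only calls to an allow-listed set of validator names whose arguments are literals or nested validator calls. The allow-list, the sample schema and the helper names are assumptions made for this example.

```python
import ast

# Assumed allow-list of validator names for this illustration; it does not
# reproduce Yamale's actual validator set.
ALLOWED_VALIDATORS = {"str", "int", "num", "bool", "list", "map", "enum",
                      "regex", "any", "include"}


def unsafe_parse_validator(expr: str, validators: dict):
    """The anti-pattern the advisory describes: the whole schema string is
    handed to eval(), so any Python expression in it runs with the privileges
    of the validating process. Shown only for contrast; not used below."""
    return eval(expr, validators)


def _parse_node(node: ast.AST):
    """Accept a nested validator call or a plain literal; reject anything else
    (names, attribute access, operators, comprehensions, starred args)."""
    if isinstance(node, ast.Call):
        return _parse_call(node)
    try:
        # ast.literal_eval accepts an AST node and only evaluates literals.
        return ast.literal_eval(node)
    except (ValueError, SyntaxError, TypeError):
        raise ValueError(
            f"non-literal argument at column {node.col_offset}") from None


def _parse_call(node: ast.Call):
    """Turn `name(args, key=value)` into (name, args, kwargs), checking the
    name against the allow-list before anything is interpreted."""
    if not isinstance(node.func, ast.Name):
        raise ValueError("validator must be a bare name (no attribute access)")
    name = node.func.id
    if name not in ALLOWED_VALIDATORS:
        raise ValueError(f"unknown validator {name!r}")
    args = [_parse_node(a) for a in node.args]
    kwargs = {}
    for kw in node.keywords:
        if kw.arg is None:  # `**mapping` expansion
            raise ValueError("keyword expansion is not allowed in a schema")
        kwargs[kw.arg] = _parse_node(kw.value)
    return name, args, kwargs


def parse_validator(expr: str):
    """Parse one schema validator expression without ever calling eval().
    Returns (name, positional_args, keyword_args); raises ValueError on any
    construct outside the validator grammar."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"schema expression is not valid syntax: {exc.msg}") from None
    node = tree.body
    if not isinstance(node, ast.Call):
        raise ValueError("schema entry must be a validator call, e.g. int()")
    return _parse_call(node)


def is_rejected(expr: str) -> bool:
    """True when parse_validator refuses the expression."""
    try:
        parse_validator(expr)
    except ValueError:
        return True
    return False


def parse_schema(schema: dict) -> dict:
    """Parse every value of a schema mapping (the shape a YAML loader would
    hand back) into validator tuples."""
    return {key: parse_validator(expr) for key, expr in schema.items()}


# Constructed sample schema in the shape a YAML loader would produce.
SAMPLE_SCHEMA = {
    "name": "str(min=2, max=64)",
    "age": "int(min=0)",
    "tags": "list(str())",
}

if __name__ == "__main__":
    for key, parsed in parse_schema(SAMPLE_SCHEMA).items():
        print(key, "->", parsed)
    for bad in ("1 + 1", "str(min=limit)", "foo.bar()", "print('x')"):
        print(repr(bad), "rejected:", is_rejected(bad))
```

The point of the design is that the schema grammar is enumerated up front (a call, to a known name, with literal arguments) and every other node type is refused before anything is evaluated, which is what "a more specific API" buys over sanitizing strings destined for eval().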
Following responsible disclosure, the issue has been rectified in Yamale version 3.0.8. “This release fixes a bug where a well-formed schema file can execute arbitrary code on the system running Yamale,” the maintainers of Yamale noted in the release notes published on August 4.
The findings are the latest in a series of security issues uncovered by JFrog in Python packages. In June 2021, Vdoo disclosed typosquatted packages in the PyPI repository that were found to download and execute third-party cryptominers such as T-Rex, ubqminer, or PhoenixMiner for mining Ethereum and Ubiq on compromised systems.
Subsequently, the JFrog security team discovered eight more malicious Python libraries, which were downloaded no fewer than 30,000 times, that could have been leveraged to execute remote code on the target machine, gather system information, siphon credit card information and passwords auto-saved in Chrome and Edge browsers, and even steal Discord authentication tokens.
“Software package repositories are becoming a popular target for supply chain attacks and there have been malware attacks on popular repositories like npm, PyPI, and RubyGems,” the researchers said. “Sometimes malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and CI/CD machines in the pipeline.”