A high-severity code injection vulnerability has been disclosed in 23andMe's Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code.
The flaw, tracked as CVE-2021-38305 (CVSS score: 7.8), involves manipulating the schema file provided as input to the tool to bypass protections and achieve code execution. Specifically, the issue resides in the schema parsing function, which allows any input passed to it to be evaluated and executed, resulting in a scenario where a specially-crafted string within the schema can be abused to inject system commands.
Yamale is a Python package that allows developers to validate YAML — a data serialization language often used for writing configuration files — from the command line. The package is used by at least 224 repositories on GitHub.
"This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process," JFrog Security CTO Asaf Karas said in an emailed statement to The Hacker News. "We recommend sanitizing any input going to eval() extensively and — preferably — replacing eval() calls with more specific APIs required for your task."
Following responsible disclosure, the issue has been fixed in Yamale version 3.0.8. "This release fixes a bug where a well-formed schema file can execute arbitrary code on the system running Yamale," the maintainers of Yamale noted in the release notes published on August 4.
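To make the eval() point concrete, here is an added example (written for this page; it is not Yamale's own code and does not reproduce either its vulnerable parser or the 3.0.8 fix). It models a schema parser for Yamale-style expressions such as `int(min=0, max=100)` or `list(include('address'))`. The vulnerable version hands the expression to eval(), so a schema author who controls the file can reach `__import__('os')`. The hardened version parses the expression with the `ast` module and only accepts calls to a whitelisted validator registry with literal (or nested validator) arguments, which is the "more specific API" the JFrog statement recommends. The validator names, the `Validator` class and the payload string are assumptions constructed for the demonstration.

```python
import ast
import functools
import os


class SchemaSyntaxError(ValueError):
    """Raised by the hardened parser when a schema expression uses anything
    other than whitelisted validator calls with literal arguments."""


class Validator:
    """Stand-in for a schema validator such as str(), int() or list().
    It only records its name and arguments so results can be inspected."""

    def __init__(self, name, *args, **kwargs):
        self.name, self.args, self.kwargs = name, args, kwargs

    def __eq__(self, other):
        return (isinstance(other, Validator)
                and (self.name, self.args, self.kwargs)
                == (other.name, other.args, other.kwargs))

    def __repr__(self):
        return f"Validator({self.name!r}, args={self.args}, kwargs={self.kwargs})"


# Hypothetical validator registry (assumption; a real tool's registry is larger).
VALIDATORS = {name: functools.partial(Validator, name)
              for name in ("str", "int", "list", "include")}


def parse_schema_unsafe(expr):
    """The vulnerable pattern: evaluate the schema expression with eval().
    Any valid Python expression runs with the tool's privileges. Passing {}
    as globals does not help: Python inserts the real builtins, so
    __import__ is reachable."""
    return eval(expr, {}, dict(VALIDATORS))


def _eval_node(node):
    """Recursively build validators from a restricted AST subset."""
    if isinstance(node, ast.Constant):
        return node.value                      # str, int, float, bool, None
    # Allow a signed numeric literal such as -1 (parsed as UnaryOp, not Constant).
    if (isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd))
            and isinstance(node.operand, ast.Constant)
            and isinstance(node.operand.value, (int, float))
            and not isinstance(node.operand.value, bool)):
        value = node.operand.value
        return -value if isinstance(node.op, ast.USub) else value
    if isinstance(node, ast.Call):
        # The callee must be a bare name from the registry: no attributes,
        # no subscripts, no names such as __import__ or eval.
        if not isinstance(node.func, ast.Name) or node.func.id not in VALIDATORS:
            raise SchemaSyntaxError(f"unknown validator: {ast.dump(node.func)}")
        args = [_eval_node(a) for a in node.args]   # ast.Starred is rejected below
        kwargs = {}
        for kw in node.keywords:
            if kw.arg is None:                      # reject **mapping unpacking
                raise SchemaSyntaxError("keyword unpacking is not allowed")
            kwargs[kw.arg] = _eval_node(kw.value)
        return VALIDATORS[node.func.id](*args, **kwargs)
    # Names, attribute access, operators, conditionals, lambdas, comprehensions:
    # nothing else is part of the schema language, so reject it.
    raise SchemaSyntaxError(f"disallowed syntax: {type(node).__name__}")


def parse_schema_safe(expr):
    """Hardened replacement: parse to an AST and accept only whitelisted
    validator calls whose arguments are literals or further validator calls."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise SchemaSyntaxError(f"not a valid schema expression: {exc}") from exc
    return _eval_node(tree.body)


# Constructed schema expressions (not real-world samples). In a schema file the
# malicious one would sit to the right of a key, e.g. "name: <expression>".
# It still returns a str() validator, so the tool keeps working after the injection.
MALICIOUS_EXPR = "__import__('os').environ.__setitem__('YAMALE_DEMO', 'executed') or str()"
BENIGN_EXPR = "list(include('address'), str(), int(min=-1, max=100))"


def demo():
    """Returns (injected code ran under eval, hardened parser rejected it,
    hardened parser's result for the benign expression)."""
    os.environ.pop("YAMALE_DEMO", None)
    parse_schema_unsafe(MALICIOUS_EXPR)          # the injected call runs here
    executed = os.environ.get("YAMALE_DEMO") == "executed"
    try:
        parse_schema_safe(MALICIOUS_EXPR)
        rejected = False
    except SchemaSyntaxError:
        rejected = True
    return executed, rejected, parse_schema_safe(BENIGN_EXPR)


if __name__ == "__main__":
    print(demo())
```

The payload here only sets an environment variable so the effect is observable without harming the host; under the vulnerable parser the same position could just as easily hold `os.system(...)`. The hardened parser is deliberately a whitelist of node types rather than a blocklist of dangerous names, because eval() sandboxes built by stripping `__builtins__` are routinely escaped through attribute access on ordinary objects.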
The findings are the latest in a series of security issues uncovered by JFrog in Python packages. In June 2021, Vdoo disclosed typosquatted packages in the PyPI repository that were found to download and execute third-party cryptominers such as T-Rex, ubqminer, or PhoenixMiner for mining Ethereum and Ubiq on compromised systems.
Subsequently, the JFrog security team discovered eight more malicious Python libraries, which were downloaded no fewer than 30,000 times, that could have been leveraged to execute remote code on the target machine, gather system information, siphon credit card information and passwords auto-saved in Chrome and Edge browsers, and even steal Discord authentication tokens.
"Software package repositories are becoming a popular target for supply chain attacks and there have been malware attacks on popular repositories like npm, PyPI, and RubyGems," the researchers said. "Sometimes malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and CI/CD machines in the pipeline."