A high-severity code injection vulnerability has been disclosed in 23andMe's Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code.
The flaw, tracked as CVE-2021-38305 (CVSS score: 7.8), involves manipulating the schema file provided as input to the tool to circumvent protections and achieve code execution. Specifically, the issue resides in the schema parsing function, which allows any input passed to it to be evaluated and executed, resulting in a scenario where a specially-crafted string within the schema can be abused for the injection of system commands.
Yamale is a Python package that allows developers to validate YAML — a data serialization language often used for writing configuration files — from the command line. The package is used by at least 224 repositories on GitHub.
"This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process," JFrog Security CTO Asaf Karas said in an emailed statement to The Hacker News. "We recommend sanitizing any input going to eval() extensively and — preferably — replacing eval() calls with more specific APIs required for your task."
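To illustrate the eval() pattern described above next to the "more specific API" the advice calls for, here is an added example (not Yamale's own code and not its actual parsing function): a toy schema-rule parser with a constructed allowlist of two validators, `str` and `int`, in which the hardened version parses the rule as an AST and never executes it.

```python
import ast

# Constructed stand-ins for validator constructors; a real schema library maps
# rule names such as str() or int() to validators like these.
def _str(min=None, max=None):
    return ("str", min, max)

def _int(min=None, max=None):
    return ("int", min, max)

ALLOWED = {"str": _str, "int": _int}


def parse_rule_unsafe(rule: str):
    """The vulnerable pattern: the rule text is handed to eval(), so any
    Python expression in the schema file runs with the process's privileges."""
    return eval(rule, {}, ALLOWED)


def parse_rule_safe(rule: str):
    """Hardened replacement: parse the rule into an AST and accept only a
    single call to an allowlisted validator whose arguments are literals.
    Nothing in the rule is ever executed."""
    try:
        node = ast.parse(rule, mode="eval").body
    except SyntaxError as exc:
        raise ValueError(f"rule is not a valid expression: {rule!r}") from exc
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
        raise ValueError(f"rule must be a call to a known validator: {rule!r}")
    if node.func.id not in ALLOWED:
        raise ValueError(f"unknown validator {node.func.id!r}")
    if any(kw.arg is None for kw in node.keywords):
        raise ValueError("**kwargs expansion is not allowed in rules")
    # literal_eval accepts only constants and containers of constants; a nested
    # call, attribute access or bare name raises ValueError instead of running.
    args = [ast.literal_eval(a) for a in node.args]
    kwargs = {kw.arg: ast.literal_eval(kw.value) for kw in node.keywords}
    return ALLOWED[node.func.id](*args, **kwargs)


def rule_is_accepted(rule: str) -> bool:
    """True if the hardened parser accepts the rule, False if it rejects it."""
    try:
        parse_rule_safe(rule)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_rule_safe("str(min=2, max=10)"))   # ("str", 2, 10)
    print(rule_is_accepted("str(min=len('x'))"))   # False: nested call rejected
```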
Following responsible disclosure, the issue has been rectified in Yamale version 3.0.8. "This release fixes a bug where a well-formed schema file can execute arbitrary code on the system running Yamale," the maintainers of Yamale noted in the release notes published on August 4.
The findings are the latest in a series of security issues uncovered by JFrog in Python packages. In June 2021, Vdoo disclosed typosquatted packages in the PyPI repository that were found to download and execute third-party cryptominers such as T-Rex, ubqminer, or PhoenixMiner for mining Ethereum and Ubiq on compromised systems.
Subsequently, the JFrog security team found eight more malicious Python libraries, which were downloaded no fewer than 30,000 times, that could have been leveraged to execute remote code on the target machine, gather system information, siphon credit card information and passwords auto-saved in Chrome and Edge browsers, and even steal Discord authentication tokens.
"Software package repositories are becoming a popular target for supply chain attacks and there have been malware attacks on popular repositories like npm, PyPI, and RubyGems," the researchers said. "Sometimes malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and CI/CD machines in the pipeline."