CVE-2018-1000167: OISF suricata-update unsafely deserializes YAML data
(updated )
Suricata-Update uses the insecure yaml.load() function. Code will be executed if the yaml-file contains lines like:
hello: !!python/object/apply:os.system ['ls -l > /tmp/output']
The vulnerable function can be triggered by “suricata-update list-sources”. The locally stored index.yaml will be loaded in this function and the malicious code gets executed.
References
- github.com/OISF/suricata-update
- github.com/OISF/suricata-update/commit/76270e73128ca1299b4e33e7e2a74ac3d963a97a
- github.com/OISF/suricata-update/pull/23
- github.com/advisories/GHSA-7c4h-w765-6pwg
- github.com/pypa/advisory-database/tree/main/vulns/suricata-update/PYSEC-2018-75.yaml
- nvd.nist.gov/vuln/detail/CVE-2018-1000167
- redmine.openinfosecfoundation.org/issues/2359
- tech.feedyourhead.at/content/remote-code-execution-in-suricata-update
Detect and mitigate CVE-2018-1000167 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →