A high severity code injection vulnerability has been disclosed in 23andMe’s Yamale, a schema and validator for YAML, which could be trivially exploited by adversaries to execute arbitrary Python code.
The flaw, identified as CVE-2021-38305 (CVSS score: 7.8), involves manipulation of the schema file provided as input to the tool to bypass protections and perform code execution. In particular, the problem lies in the schema analysis function, which allows any passed input to be evaluated and executed, resulting in a scenario where a specially crafted string in the schema can be abused for the purpose. injection of system commands.
Yamale is a Python package that allows developers to validate YAML – a data serialization language often used to write configuration files – from the command line. The package is used by at least 224 repositories on GitHub.
“This loophole allows attackers who may provide an input schema file to perform an injection of Python code that leads to code execution with the privileges of the Yamale process,” said JFrog chief security officer. , Asaf Karas, in an emailed statement to The Hacker News. “We recommend that you disinfect any entry going to eval () and – preferably – replace eval () calls with more specific APIs required for your task.”
As a result of responsible disclosure, the problem has been corrected in Yamale version 3.0.8. “This release fixes a bug where a well-formed schema file can execute arbitrary code on the system running Yamale,” Yamale maintainers noted in the release notes released Aug. 4.
The results are the latest in a series of security issues JFrog discovered in Python packages. In June 2021, Vdoo disclosed typosquated packages in the PyPi repository that were found to download and run third-party cryptominers such as T-Rex, ubqminer or PhoenixMiner to mine Ethereum and Ubiq on compromised systems.
Subsequently, the JFrog security team discovered eight additional malicious Python libraries, which were downloaded no less than 30,000 times, which could have been used to remotely execute code on the target machine, collect system information. , siphon credit card information and auto-saved passwords in Chrome and Edge browsers, and even steal Discord authentication tokens.
“Software package repositories are becoming a popular target for supply chain attacks and there have been malware attacks on popular repositories like npm, PyPI and RubyGems,” the researchers said. “Sometimes malware packages are allowed to be uploaded to the package repository, giving malicious actors the ability to use repositories to distribute viruses and launch successful attacks on developers and CI / CD machines. in the pipeline. “