RVD#2401: Use of unsafe yaml load, ./src/actionlib/tools/library.py:132 #2401

@rvd-bot

Description

id: 2401
title: 'RVD#2401: Use of unsafe yaml load, ./src/actionlib/tools/library.py:132'
type: bug
description: Use of unsafe yaml load. Allows instantiation of arbitrary objects. The
  flaw itself is caused by an unsafe parsing of YAML values which happens whenever
  an action message is processed to be sent, and allows for the creation of Python
  objects. Through this flaw in the ROS core package of actionlib, an attacker with
  local or remote access can make the ROS Master execute arbitrary code in Python
  form. Consider yaml.safe_load() instead. Located first in actionlib/tools/library.py:132.
  See links for more info on the bug.
cwe: CWE-20
cve: CVE-2020-10289
keywords:
- bandit
- bug
- static analysis
- testing
- triage
- vulnerability
- 'version: melodic'
- 'robot component: ROS'
- components software
system: 'ros'
vendor: 'Open Robotics'
severity:
  rvss-score: 10
  rvss-vector: RVSS:1.0/AV:RN/AC:L/PR:L/UI:R/Y:Z/S:U/C:H/I:H/A:H/H:H
  severity-description: 'critical'
  cvss-score: 8.0
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
links:
- https://github.com/aliasrobotics/RVD/issues/2401
- https://bandit.readthedocs.io/en/latest/plugins/b506_yaml_load.html
- https://github.com/ros/actionlib/pull/170
- https://github.com/ros/actionlib/pull/171
flaw:
  phase: testing
  specificity: subject-specific
  architectural-location: application-specific
  application: N/A
  subsystem: N/A
  package: N/A
  languages: None
  date-detected: 2020-06-03
  detected-by: Alias Robotics
  detected-by-method: testing static
  date-reported: 2020-06-03
  reported-by: Alias Robotics
  reported-by-relationship: automatic
  issue: https://github.com/aliasrobotics/RVD/issues/2401
  reproducibility: always
  trace: ./src/actionlib/tools/library.py:132
  reproduction: See artifacts below (if available)
  reproduction-image: ''
exploitation:
  description: A code execution PoC exploit was built confirming its exploitability.
    PoC could be delivered remotely using common ROS SSH configurations and take control
    of the remote machine.
  exploitation-image: Not disclosed
  exploitation-vector: Not disclosed
  exploitation-recipe: Not disclosed
mitigation:
  description: 'Use of yaml.safe_load() instead'
  pull-request: 'See https://github.com/ros/actionlib/pull/171 and https://github.com/ros/actionlib/pull/170'
  date-mitigation: '2020-08-21'
