
Remote Code Execution via malicious YAML configurations in some versions #5042

Closed
jburger opened this issue Oct 30, 2018 · 5 comments
Labels
area/security kind/bug This issue represents a verified problem we are committed to solving

Comments


jburger commented Oct 30, 2018

Description

An authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM).

If this issue is of concern to you and your team, we strongly recommend upgrading to version 2018.9.1.

CVE-2018-18850

Affected versions

Octopus Server: versions 2018.8.0 to 2018.9.0, inclusive.

Mitigation

In any version affected by this issue, we recommend upgrading to version 2018.9.1.

Workarounds

In situations where an upgrade is not possible, running the Octopus Server built-in worker as a service account with limited privileges may help to minimize the potential impact of such an occurrence; however, this will not prevent attackers from attempting to chain other attacks against the server.

https://octopus.com/docs/administration/security/hardening-octopus#prevent-user-provided-scripts-from-doing-harm

https://octopus.com/docs/administration/workers/built-in-worker#running-tasks-on-the-octopus-server-as-a-different-user

@jburger jburger added kind/bug This issue represents a verified problem we are committed to solving area/security labels Oct 30, 2018
@jburger jburger self-assigned this Oct 30, 2018
jburger commented Oct 30, 2018

@attritionorg

@jburger That is a 404 or requires auth. Is there a copy of that somewhere free for anyone to see?

@matt-richardson
Contributor

@attritionorg - that's just a link to the internal Trello card we use for tracking. Nothing interesting.

@attritionorg
Copy link

@matt-richardson gotcha thanks!

@jburger jburger closed this as completed Nov 4, 2018

lock bot commented Feb 2, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Feb 2, 2019
3 participants