[Japanese]

JVNDB-2021-000093

Movable Type XMLRPC API vulnerable to OS command injection

Overview

Movable Type XMLRPC API provided by Six Apart Ltd. contains an OS command injection vulnerability (CWE-78).
Sending a specially crafted message by POST method to Movavle Type XMLRPC API may allow arbitrary OS command execution.

[Updated on 2021 November 10]
As of 2021 November 10, a Proof-of-Concept (PoC) code exploitning this vulnerability has already been made public and attacks exploting this vulnerability has been observed in the wild.

Étienne Gervais, Charl-Alexandre Le Brun and Chatwork Co., Ltd. reported this vulnerability to Six Apart Ltd. and coordinated.
Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Six Apart, Ltd.
  • Movable Type 7 r.5004 and earlier (Movable Type 7 Series)
  • Movable Type 6.8.4 and earlier (Movable Type 6 Series)
  • Movable Type Advanced 7 r.5004 and earlier (Movable Type Advanced 7 Series)
  • Movable Type Advanced 6.8.4 and earlier (Movable Type Advanced 6 Series)
  • Movable Type Premium 1.48 and earlier
  • Movable Type Premium Advanced 1.48 and earlier

The developer states that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are affected by this vulnerability.

[Updated on 2021 December 16]
When this advisory was first published on 2021 October 20, the affected versions were described as "Movable Type 7 r.5002 and earlier (Movable Type 7 Series)", "Movable Type 6.8.2 and earlier (Movable Type 6 Series)", "Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series)", "Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series)", "Movable Type Premium 1.46 and earlier" and "Movable Type Premium Advanced 1.46 and earlier". However, it was found that the fixes were not adequate, thus information under the section [Products Affected] was updated.
Impact

An arbitrary OS command may be executed by a remote attacker.
Solution

[Update the Software]
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:
  • Movable Type 7 r.5005 (Movable Type 7 Series)
  • Movable Type 6.8.5 (Movable Type 6 Series)
  • Movable Type Advanced 7 r.5005 (Movable Type Advanced 7 Series)
  • Movable Type Advanced 6.8.5 (Movable Type Advanced 6 Series)
  • Movable Type Premium 1.49
  • Movable Type Premium Advanced 1.49

[Apply the workaround]
If an update cannot be applied, applying the following workarounds to Movable Type configuration file mt-config.cgi may mitigate the impact of this vulnerability.
  • In the case that XMLRPC API is not used or no longer in use:
    • Restrict access to mt-xmlrpc.cgi only to trusted connection source
    • If using as CGI/FCGI
      • Delete mt-xmlrpc.cgi or remove execute permission to mt-xmlrpc.cgi
    • If using in PSGI
      • Movable Type (Advanced) 6.2 or later and Movable Type Premium (Advanced)
        • Set Movable Type Configuration Directive(s) RestrictedPSGIApp xmlrpc to mt-config.cgi
      • Movable Type (Advanced) 5.2 to Movable Type (Advanced) 6.1
        • Set a sufficiently complex string in Movable Type Configuration Directive(s) XMLRPCScript used in mt-config.cgi
  • In the case XMLRPC API is to be used:
    • Restrict access to mt-xmlrpc.cgi only to trusted connection source
    • If using in PSGI
      • Set a sufficiently complex string in Movable Type Configuration Directive(s) XMLRPCScript used in mt-config.cgi


For more information, refer to the information provided by the developer.
Vendor Information

Six Apart, Ltd.
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-20837
References

  1. JVN : JVN#41119755
  2. National Vulnerability Database (NVD) : CVE-2021-20837
  3. IPA SECURITY ALERTS : Security Alert for Vulnerability in Movable Type (JVN#41119755) (in Japanese)
  4. JPCERT REPORT : Alert Regarding Vulnerability (CVE-2021-20837) in Movable Type XMLRPC API
Revision History

  • [2021/10/20]
      Web page was published
  • [2021/11/11]
      Overview was added
  • [2021/12/17]
      Affected Products were added
      Solution was modified
      Credit was added
      Vendor Information was modified