Published: 2022/08/24  Last Updated: 2022/08/24

JVN#57728859
Movable Type XMLRPC API vulnerable to command injection

Overview

Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability.

Products Affected

  • Movable Type 7 r.5202 and earlier (Movable Type 7 Series)
  • Movable Type Advanced 7 r.5202 and earlier (Movable Type Advanced 7 Series)
  • Movable Type 6.8.6 and earlier (Movable Type 6 Series)
  • Movable Type Advanced 6.8.6 and earlier (Movable Type Advanced 6 Series)
  • Movable Type Premium 1.52 and earlier
  • Movable Type Premium Advanced 1.52 and earlier

The developer states that all versions of Movable Type 4.0 or later, including unsupported (End-of-Life, EOL) versions, are affected by this vulnerability.

Description

Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability (CWE-74).
A specially crafted message sent by the POST method to the Movable Type XMLRPC API may allow execution of arbitrary Perl code, and an arbitrary OS command may be executed through it.
According to the developer, even if the vulnerability is exploited, the attacker cannot execute a command with arbitrary values added to its arguments.

Impact

An arbitrary Perl script may be executed by a remote attacker. As a result, an arbitrary OS command may be executed.

Solution

Update the Software
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:

  • Movable Type 7 r.5301 (Movable Type 7 Series)
  • Movable Type Advanced 7 r.5301 (Movable Type Advanced 7 Series)
  • Movable Type 6.8.7 (Movable Type 6 Series)
  • Movable Type Advanced 6.8.7 (Movable Type Advanced 6 Series)
  • Movable Type Premium 1.53
  • Movable Type Premium Advanced 1.53

Apply the workaround
Applying the workaround may mitigate the impact of this vulnerability.
The developer recommends applying the following mitigation to the products:
  • Disable the XMLRPC API function of Movable Type
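Whichever remedy is applied, an operator will want to confirm from the web server's access logs that the XMLRPC endpoint is no longer reachable and to see which clients were posting to it before the fix. The following script is an added example and is not part of the JVN advisory or of Movable Type; it assumes the endpoint is served as a CGI script named mt-xmlrpc.cgi (adjust XMLRPC_PATH to your deployment) and that the logs use the Apache/nginx "combined" format. The log lines are constructed sample data.

```python
import re
from collections import Counter

# Assumption (not stated in the advisory): the XMLRPC API is served by a CGI
# script named mt-xmlrpc.cgi. Change this to match your installation.
XMLRPC_PATH = "mt-xmlrpc.cgi"

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Aug/2022:10:01:02 +0900] "POST /mt/mt-xmlrpc.cgi HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.7 - - [24/Aug/2022:10:01:05 +0900] "POST /mt/mt-xmlrpc.cgi HTTP/1.1" 200 498 "-" "curl/7.79"',
    '198.51.100.4 - - [24/Aug/2022:10:02:00 +0900] "GET /mt/mt.cgi HTTP/1.1" 200 8901 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [24/Aug/2022:11:30:00 +0900] "POST /mt/mt-xmlrpc.cgi HTTP/1.1" 403 199 "-" "python-requests/2.28"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_xmlrpc_post(entry):
    """True for POST requests whose path (ignoring any query string) is the XMLRPC script."""
    path = entry["path"].split("?", 1)[0]
    return entry["method"] == "POST" and (
        path == XMLRPC_PATH or path.endswith("/" + XMLRPC_PATH)
    )


def xmlrpc_posts(lines):
    """Return the parsed entries that are POSTs to the XMLRPC endpoint."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_xmlrpc_post(entry):
            hits.append(entry)
    return hits


def summarize(lines):
    """Count XMLRPC POSTs overall, per source address, and those still answered 200.

    After the API has been disabled, served_200 should be zero; any remaining 200
    responses mean the workaround is not effective on this server.
    """
    hits = xmlrpc_posts(lines)
    per_ip = Counter(h["ip"] for h in hits)
    served_200 = sum(1 for h in hits if h["status"] == 200)
    return {"total": len(hits), "per_ip": dict(per_ip), "served_200": served_200}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against the real log with `summarize(open("/var/log/apache2/access.log").read().splitlines())`; a non-zero served_200 count after the endpoint was supposedly disabled is the signal to recheck the server configuration.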

Vendor Status

Vendor: Six Apart Ltd.
Status: Vulnerable
Last Update: 2022/08/24
Vendor Notes: Six Apart Ltd. website

References

  1. Information-technology Promotion Agency, Japan (IPA)
    Security Updates Available for Movable Type (JVN#57728859) (in Japanese)

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8
  Attack Vector (AV): Network (N)
  Attack Complexity (AC): Low (L)
  Privileges Required (PR): None (N)
  User Interaction (UI): None (N)
  Scope (S): Unchanged (U)
  Confidentiality Impact (C): High (H)
  Integrity Impact (I): High (H)
  Availability Impact (A): High (H)

CVSS v2: AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score: 7.5
  Access Vector (AV): Network (N)
  Access Complexity (AC): Low (L)
  Authentication (Au): None (N)
  Confidentiality Impact (C): Partial (P)
  Integrity Impact (I): Partial (P)
  Availability Impact (A): Partial (P)

Credit

Osaka University of Economics reported this vulnerability to Six Apart Ltd. and coordinated with them. Six Apart Ltd. and JPCERT/CC published their respective advisories in order to notify users of this vulnerability.
At almost the same time, SHIGA TAKUMA of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with Six Apart Ltd. under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert JPCERT-AT-2022-0022
Alert Regarding Vulnerability in Movable Type XMLRPC API
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2022-38078
JVN iPedia JVNDB-2022-000064

Update History

2022/08/24
Information under the section [References] and [Other Information] was updated.