JVN#41119755
Movable Type XMLRPC API vulnerable to OS command injection
Critical
Overview
Movable Type XMLRPC API provided by Six Apart Ltd. contains an OS command injection vulnerability.
Products Affected
- Movable Type 7 r.5004 and earlier (Movable Type 7 Series)
- Movable Type 6.8.4 and earlier (Movable Type 6 Series)
- Movable Type Advanced 7 r.5004 and earlier (Movable Type Advanced 7 Series)
- Movable Type Advanced 6.8.4 and earlier (Movable Type Advanced 6 Series)
- Movable Type Premium 1.48 and earlier
- Movable Type Premium Advanced 1.48 and earlier
【Updated on 2021 December 16】
When this advisory was first published on 2021 October 20, the affected versions were described as "Movable Type 7 r.5002 and earlier (Movable Type 7 Series)", "Movable Type 6.8.2 and earlier (Movable Type 6 Series)", "Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series)", "Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series)", "Movable Type Premium 1.46 and earlier" and "Movable Type Premium Advanced 1.46 and earlier". However, it was found that the fixes were not adequate, thus information under the section [Products Affected] was updated.
Description
Movable Type XMLRPC API provided by Six Apart Ltd. contains an OS command injection vulnerability (CWE-78).
Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary OS command execution.
【Updated on 2021 November 10】
As of 2021 November 10, Proof-of-Concept (PoC) code exploiting this vulnerability has already been made public, and attacks exploiting this vulnerability have been observed in the wild.
Impact
An arbitrary OS command may be executed by a remote attacker.
Solution
Update the Software
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:
- Movable Type 7 r.5005 (Movable Type 7 Series)
- Movable Type 6.8.5 (Movable Type 6 Series)
- Movable Type Advanced 7 r.5005 (Movable Type Advanced 7 Series)
- Movable Type Advanced 6.8.5 (Movable Type Advanced 6 Series)
- Movable Type Premium 1.49
- Movable Type Premium Advanced 1.49
Apply the workaround
If an update cannot be applied, applying the following workarounds to the Movable Type configuration file mt-config.cgi may mitigate the impact of this vulnerability.
- In the case that XMLRPC API is not used or no longer in use:
  - If using as CGI/FCGI
    - Delete mt-xmlrpc.cgi or remove execute permission from mt-xmlrpc.cgi
  - If using in PSGI
    - Movable Type (Advanced) 6.2 or later and Movable Type Premium (Advanced)
      - Set Movable Type Configuration Directive(s) RestrictedPSGIApp xmlrpc in mt-config.cgi
    - Movable Type (Advanced) 5.2 to Movable Type (Advanced) 6.1
      - Set a sufficiently complex string in Movable Type Configuration Directive(s) XMLRPCScript used in mt-config.cgi
  - Restrict access to mt-xmlrpc.cgi only to trusted connection sources
- In the case XMLRPC API is to be used:
  - Restrict access to mt-xmlrpc.cgi only to trusted connection sources
  - If using in PSGI
    - Set a sufficiently complex string in Movable Type Configuration Directive(s) XMLRPCScript used in mt-config.cgi
For more information, refer to the information provided by the developer.
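As an added defender-side example (not part of the JVN advisory or of Six Apart's code), the Python below checks an mt-config.cgi for the two workaround directives named above (RestrictedPSGIApp xmlrpc, or a renamed XMLRPCScript) and scans Apache combined-format access-log lines for POST requests to mt-xmlrpc.cgi from outside trusted networks, which are the requests worth reviewing while the update is pending. It assumes the advisory's mt-xmlrpc.cgi is the default script name and that RestrictedPSGIApp may be repeated or comma-separated; the configuration and log lines are constructed sample data.

```python
import ipaddress
import re
# Constructed sample mt-config.cgi (written for this example, not from the advisory).
# Directives are "Name value" lines; lines starting with "#" are comments. The
# RestrictedPSGIApp line is commented out, so the XMLRPC app is still reachable.
SAMPLE_CONFIG = """\
CGIPath /cgi-bin/mt/
StaticWebPath /mt-static/
# RestrictedPSGIApp xmlrpc
"""

# Constructed Apache combined-format access-log lines (sample data for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2021:10:01:02 +0900] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Nov/2021:10:02:15 +0900] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 200 640 "-" "python-requests/2.26"
203.0.113.7 - - [10/Nov/2021:10:02:20 +0900] "GET /cgi-bin/mt/mt.cgi HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def parse_mt_config(text):
    """Return {directive: [values]} from mt-config.cgi text, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            conf.setdefault(name, []).append(value.strip())
    return conf

def xmlrpc_workaround_applied(conf, default_script="mt-xmlrpc.cgi"):
    """True if RestrictedPSGIApp lists xmlrpc or XMLRPCScript was renamed (the advisory's directives)."""
    # Assumed: RestrictedPSGIApp may be repeated or comma-separated; the last XMLRPCScript wins.
    restricted = {v.strip() for val in conf.get("RestrictedPSGIApp", []) for v in val.split(",")}
    if "xmlrpc" in restricted:
        return True
    return conf.get("XMLRPCScript", [default_script])[-1] != default_script

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def untrusted_xmlrpc_posts(log_text, trusted_cidrs, script="mt-xmlrpc.cgi"):
    """Return (ip, path, status) for POSTs to the XMLRPC script from outside the trusted networks."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if (method == "POST" and path.split("?", 1)[0].endswith("/" + script)
                and not any(ipaddress.ip_address(ip) in net for net in trusted)):
            hits.append((ip, path, int(status)))  # flag for review
    return hits
```

Run the two functions against the real mt-config.cgi and the web server's access log; a False from the first together with hits from the second means the endpoint is still exposed to untrusted sources.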
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Six Apart Ltd. | Vulnerable | 2021/12/16 | Six Apart Ltd. website |
References
- Information-technology Promotion Agency, Japan (IPA): Security Updates Available for Movable Type (CVE-2021-20837) (in Japanese)
- LAC Co., Ltd.: [Alert] Observed attacks exploiting Movable Type vulnerability. Take immediate measures! (Text in Japanese)
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3 base metrics (selected values not shown on this page): Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A).
CVSS v2 base metrics (selected values not shown on this page): Access Vector (AV), Access Complexity (AC), Authentication (Au), Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A).
Credit
Étienne Gervais, Charl-Alexandre Le Brun and Chatwork Co., Ltd. reported this vulnerability to Six Apart Ltd. and coordinated.
Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.
Other Information
Item | Reference |
---|---|
JPCERT Alert | JPCERT-AT-2021-0047 Alert Regarding Vulnerability (CVE-2021-20837) in Movable Type XMLRPC API |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2021-20837 |
JVN iPedia | JVNDB-2021-000093 |
Update History
- 2021/10/21
- Information under the section [References] and [Other Information] was updated.
- 2021/11/10
- [Critical] indication and information under the section [References] were added, and information under the section [Description] was updated.
- 2021/12/16
- Information under the section [Products Affected], [Solution] and [Credit] was updated.
- 2021/12/16
- Six Apart Ltd. update status