Published: 2021/10/20  Last Updated: 2021/12/16

JVN#41119755
Movable Type XMLRPC API vulnerable to OS command injection
Critical

Overview

Movable Type XMLRPC API provided by Six Apart Ltd. contains an OS command injection vulnerability.

Products Affected

  • Movable Type 7 r.5004 and earlier (Movable Type 7 Series)
  • Movable Type 6.8.4 and earlier (Movable Type 6 Series)
  • Movable Type Advanced 7 r.5004 and earlier (Movable Type Advanced 7 Series)
  • Movable Type Advanced 6.8.4 and earlier (Movable Type Advanced 6 Series)
  • Movable Type Premium 1.48 and earlier
  • Movable Type Premium Advanced 1.48 and earlier
The developer states that all versions of Movable Type 4.0 or later, including unsupported (End-of-Life, EOL) versions, are affected by this vulnerability.

【Updated on 2021 December 16】
When this advisory was first published on 2021 October 20, the affected versions were described as "Movable Type 7 r.5002 and earlier (Movable Type 7 Series)", "Movable Type 6.8.2 and earlier (Movable Type 6 Series)", "Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series)", "Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series)", "Movable Type Premium 1.46 and earlier" and "Movable Type Premium Advanced 1.46 and earlier". However, it was found that the fixes were not adequate, so the information under the section [Products Affected] was updated.

Description

Movable Type XMLRPC API provided by Six Apart Ltd. contains an OS command injection vulnerability (CWE-78).
Sending a specially crafted message via the POST method to the Movable Type XMLRPC API may allow arbitrary OS command execution.

【Updated on 2021 November 10】
As of 2021 November 10, Proof-of-Concept (PoC) code exploiting this vulnerability has already been made public, and attacks exploiting this vulnerability have been observed in the wild.

Impact

An arbitrary OS command may be executed by a remote attacker.

Solution

Update the Software
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:

  • Movable Type 7 r.5005 (Movable Type 7 Series)
  • Movable Type 6.8.5 (Movable Type 6 Series)
  • Movable Type Advanced 7 r.5005 (Movable Type Advanced 7 Series)
  • Movable Type Advanced 6.8.5 (Movable Type Advanced 6 Series)
  • Movable Type Premium 1.49
  • Movable Type Premium Advanced 1.49

Apply the workaround
If an update cannot be applied, applying the following workarounds to the Movable Type configuration file mt-config.cgi (and to the mt-xmlrpc.cgi endpoint itself) may mitigate the impact of this vulnerability.

  • In the case that the XMLRPC API is not used or is no longer in use:
    • Restrict access to mt-xmlrpc.cgi to trusted connection sources only
    • If running as CGI/FCGI
      • Delete mt-xmlrpc.cgi or remove the execute permission from mt-xmlrpc.cgi
    • If running under PSGI
      • Movable Type (Advanced) 6.2 or later and Movable Type Premium (Advanced)
        • Set the Movable Type Configuration Directive RestrictedPSGIApp xmlrpc in mt-config.cgi
      • Movable Type (Advanced) 5.2 to Movable Type (Advanced) 6.1
        • Set a sufficiently complex string in the Movable Type Configuration Directive XMLRPCScript used in mt-config.cgi
  • In the case that the XMLRPC API is to be used:
    • Restrict access to mt-xmlrpc.cgi to trusted connection sources only
    • If running under PSGI
      • Set a sufficiently complex string in the Movable Type Configuration Directive XMLRPCScript used in mt-config.cgi

For more information, refer to the information provided by the developer.
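
As an added illustration (not code from Six Apart Ltd. or JPCERT/CC), the following hypothetical POSIX shell helper checks one Movable Type install directory for the workarounds listed above, given whether the site runs as CGI/FCGI or under PSGI. It assumes the default file and directive names named in this advisory (mt-xmlrpc.cgi, mt-config.cgi, RestrictedPSGIApp, XMLRPCScript) and cannot see the web-server access restriction, which has to be verified separately.

```shell
#!/bin/sh
# Hypothetical audit helper (added example). Usage: mt_xmlrpc_check <install_dir> cgi|psgi
# Exit status: 0 if a workaround for the XMLRPC endpoint is in place, 1 if it is still exposed,
# 2 on bad arguments. Updating to a fixed release is the real solution; this only checks mitigations.
mt_xmlrpc_check() {
    dir="$1"; mode="$2"
    cfg="$dir/mt-config.cgi"
    cgi="$dir/mt-xmlrpc.cgi"
    mitigated=0

    case "$mode" in
    cgi)
        # CGI/FCGI: the endpoint is only reachable while mt-xmlrpc.cgi exists and is executable.
        if [ ! -e "$cgi" ]; then
            echo "mt-xmlrpc.cgi absent: workaround applied"; mitigated=1
        elif [ ! -x "$cgi" ]; then
            echo "mt-xmlrpc.cgi not executable: workaround applied"; mitigated=1
        else
            echo "mt-xmlrpc.cgi present and executable: endpoint exposed"
        fi
        ;;
    psgi)
        # PSGI on MT 6.2+/Premium: "RestrictedPSGIApp xmlrpc" disables the XMLRPC app outright.
        if grep -Eiq '^[[:space:]]*RestrictedPSGIApp[[:space:]]+xmlrpc([[:space:]]|$)' "$cfg" 2>/dev/null; then
            echo "RestrictedPSGIApp xmlrpc set: workaround applied"; mitigated=1
        fi
        # PSGI on MT 5.2-6.1, or when the API stays in use: XMLRPCScript renamed from its default.
        script=$(grep -Ei '^[[:space:]]*XMLRPCScript[[:space:]]' "$cfg" 2>/dev/null | awk '{print $2}' | tail -n 1)
        if [ -n "$script" ] && [ "$script" != "mt-xmlrpc.cgi" ]; then
            echo "XMLRPCScript is '$script' (non-default): workaround applied"; mitigated=1
        elif [ "$mitigated" -eq 0 ]; then
            echo "XMLRPCScript is default and app not restricted: endpoint exposed"
        fi
        ;;
    *)
        echo "usage: mt_xmlrpc_check <install_dir> cgi|psgi" >&2; return 2
        ;;
    esac
    # Access restriction at the web server (both branches of the advisory) is not visible here.
    [ "$mitigated" -eq 1 ]
}

# Stand-alone use: ./mt_xmlrpc_check.sh /path/to/mt psgi
if [ "$#" -ge 2 ]; then
    mt_xmlrpc_check "$1" "$2"
fi
```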

Vendor Status

Vendor: Six Apart Ltd.
Status: Vulnerable
Last Update: 2021/12/16
Vendor Notes: Six Apart Ltd. website

References

  1. Information-technology Promotion Agency, Japan (IPA)
    Security Updates Available for Movable Type (CVE-2021-20837)(in Japanese)
  2. LAC Co., Ltd.
    [Alert] Observed attacks exploiting Movable Type vulnerability. Take immediate measures! (Text in Japanese)

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

CVSS v2: AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score: 7.5
Access Vector (AV): Network (N)
Access Complexity (AC): Low (L)
Authentication (Au): None (N)
Confidentiality Impact (C): Partial (P)
Integrity Impact (I): Partial (P)
Availability Impact (A): Partial (P)

Credit

Étienne Gervais, Charl-Alexandre Le Brun and Chatwork Co., Ltd. reported this vulnerability to Six Apart Ltd. and coordinated.
Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.

Other Information

JPCERT Alert: JPCERT-AT-2021-0047
Alert Regarding Vulnerability (CVE-2021-20837) in Movable Type XMLRPC API
CVE: CVE-2021-20837
JVN iPedia: JVNDB-2021-000093

Update History

2021/10/21
Information under the section [References] and [Other Information] was updated.
2021/11/10
[Critical] indication and information under the section [References] were added, and information under the section [Description] was updated.
2021/12/16
Information under the section [Products Affected], [Solution] and [Credit] was updated.
2021/12/16
Six Apart Ltd. update status