Description
Multiple Local Code Executions (using YAML)
AIT-Core uses the YAML Python library (pyyaml) in version 5.3.1, which is vulnerable to Command Execution vulnerabilities. By crafting a malicious YAML file, the bad actors can achieve a Code Execution on the target system that runs AIT-Core. Figure 16 shows an example of a malicious YAML file containing a command that will be executed upon loading that file.
Figure 16: Example of a malicious YAML file.
To demonstrate this, we have created a simple Python script that imports the TLM module and attempts to read Telemetry definitions from a YAML file (see Figure 17).
Figure 17: Test script that loads TM definitions.
Once the script is executed, the AIT-Core TLM module loads the file, and due to YAML vulnerability, the command included in the malicious file is executed on the target system (see Figure 18).
Figure 18: Code Execution by trying to load TM definitions.
As in the previous case, AIT-Core extensively uses the YAML library. If a bad actor can access any of the YAML files used by AIT-Core or the main configuration, they can exploit the Command Execution vulnerability. Figure 19 shows a snippet of the main AIT-Core configuration file referring to other YAML files and the framework areas this vulnerability affects.
Figure 19: Other areas of concern
Recommendations
PyYAML offers a safe_load method that uses the SafeLoader class, which is recommended in version 6.0 and later. This method only uses standard YAML tags and avoids constructing arbitrary Python objects. Using SafeLoader ensures you’re only reading data objects composed of Python primitives and basic data structures, which is usually sufficient. If you require state and behaviour, PyYAML can derive from the YAMLObject class to create safe, user-defined types recognisable by SafeLoader.