Thursday, September 14, 2017

Vulnerability Spotlight: YAML Parsing Remote Code Execution Vulnerabilities in Ansible Vault and Tablib

Vulnerabilities discovered by Cory Duplantis of Talos.

Talos is disclosing the presences of remote code execution vulnerabilities in the processing of Yet Another Markup Language (YAML) content in Ansible Vault and Tablib. Attackers can exploit these vulnerabilities through supplying malicious YAML content to execute arbitrary commands on vulnerable systems.


YAML is a data serialisation markup format which is designed to be readable for humans yet easily parsed by machines. Many tools and libraries have been developed to parse YAML data. The Python YAML parsing library PyYAML provides two API calls to parse YAML data: yaml.load and yaml.safe_load. The former API does not correctly sanitise YAML input which allows attackers to embed Python code to be executed within YAML content.

Applications which include the PyYAML library and call yaml.load and not yaml.safe_load are vulnerable to remote code execution vulnerabilities.

TALOS-2017-0305 Remote Code Execution Vulnerability in Ansible-Vault Library. (CVE-2017-2809)

Ansible provides an easy solution for automating IT and network based tasks. For ease of use these tasks are described in YAML. Ansible-Vault is a third party python library for viewing and modifying Ansible Vault files. The vulnerability exists in this third party library when viewing an encrypted vault file. When loading the encrypted YAML code the application calls the unsafe API call yaml.load. This vulnerability allows a malicious user to cause remote code execution in the context of the current user.

This third party python library is distinct from the core functionality of Ansible Vault provided by Ansible which is not subject to this vulnerability.

More technical details can be found in the Talos Vulnerability Report

TALOS-2017-0307 Remote Code Execution Vulnerability in Tablib. (CVE-2017-2810)

Tablib is a Python dataset library which allows programs to easily access, write and manage tabular data files. The library itself is widely used inside many applications including the django-import-export application.

The databook functionality of Tablib includes also includes a call to the unsafe API call yaml.load. This fails to correctly sanitise user supplied YAML code. A malicious user may include arbitrary code within YAML code included in a databook which can executed in the context of the current user.

More technical details can be found in the Talos Vulnerability Report


The following Snort Rules will detect exploitation attempts of this vulnerability. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort rules: 42195-42196

We would like to thank to Dylan Ayrey for his collaboration on TALOS-2017-0305.

No comments:

Post a Comment