Security of Java, NodeJS, Ruby and PHP all threatened by remote-code execution flaw
Easily exploited flaw identified in OpenAPI framework used by Microsoft, PayPal and others
An as-yet unpatched remote code execution flaw in the OpenAPI framework, also known as the Swagger APIs, could easily be exploited unless a patch is rushed out.
The disclosure was made this week as a module for the widely used Metasploit hacking tool was released, making it easier for attackers to exploit the flaw. The framework is used by companies that build services on RESTful APIs, such as Microsoft, PayPal, Getty Images, Intuit and Apigee.
Swagger is an open source project that provides a standard, language-agnostic interface to REST APIs, enabling both humans and computers to discover and understand the capabilities of a service without access to source code or documentation, and without inspecting network traffic.
Scott Davis, application security researcher at Rapid7, said that the disclosure of the flaw, CVE-2016-5641, "will address a class of vulnerabilities in a Swagger Code Generator in which injectable parameters in a Swagger JSON or YAML [a human-readable data serialisation language] file facilitate remote code execution. This vulnerability applies to NodeJS, PHP, Ruby, and Java and probably other languages as well".
Other code generation tools may also be vulnerable to parameter injection and could be affected by this approach. "By leveraging this vulnerability, an attacker can inject arbitrary execution code embedded with a client or server generated automatically to interact with the definition of service," he added.
He continued: "Within the Swagger ecosystem, there are fantastic code generators which are designed to automatically take a Swagger document and then generate stub client code for the described API. This is a powerful part of the solution that makes it easy for companies to provide developers with the ability to quickly make use of their APIs. The Swagger definitions are flexible enough to describe most RESTful APIs and give developers a great starting point for their API client."
The security flaw identified is caused by code generators that do not take into account the possibility of a malicious Swagger definition document, which results in a classic parameter injection, he said, with a "new twist on code generation".
He added: "Maliciously crafted Swagger documents can be used to dynamically create HTTP API clients and servers with embedded arbitrary code execution in the underlying operating system. This is achieved by the fact that some parsers/generators trust insufficiently sanitised parameters within a Swagger document to generate a client code base.
"On the client side, a vulnerability exists in trusting a malicious Swagger document to create any generated code base locally, most often in the form of a dynamically generated API client. On the server side, a vulnerability exists in a service that consumes Swagger to dynamically generate and serve API clients, server mocks and testing specs."
It is not yet known when a patch for the flaw will be released.
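The mitigation the vulnerability class points to is to treat a Swagger document as untrusted input and validate it before any generator turns it into code. The following checker is an added example written for this article, not code from Swagger or any generator project; the document layout follows Swagger 2.0, and the sample document and its values are constructed. It flags fields that generators typically paste into source as identifiers (operationId, parameter names, path segments) or as string literals and comments (description, summary) when they contain characters that could break out of those positions.

```python
# Added example (not Swagger project code): check a Swagger 2.0 document for
# values that a code generator would paste into source as identifiers or
# string literals, before the document is handed to the generator.
import re

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
PATH_SEG_RE = re.compile(r"^(\{[A-Za-z_][A-Za-z0-9_]*\}|[A-Za-z0-9_.-]+)$")
# Characters that close a string literal or comment, or open a template
# interpolation, in the Java, JS, Ruby and PHP code the generators emit.
UNSAFE_TEXT_RE = re.compile(r'["\'`\\\n\r]|\*/|\$\{')
TEXT_KEYS = {"description", "summary"}

def _walk(node, path, findings):
    """Visit every field; flag identifier fields and free-text fields."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = path + [key]
            # operationId and parameter names become method/variable names
            is_ident = key == "operationId" or (
                key == "name" and len(here) >= 3 and here[-3] == "parameters")
            if is_ident and isinstance(value, str) and not IDENT_RE.match(value):
                findings.append(("identifier", "/".join(here), value))
            elif key in TEXT_KEYS and isinstance(value, str) and UNSAFE_TEXT_RE.search(value):
                findings.append(("text", "/".join(here), value))
            _walk(value, here, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, path + [str(i)], findings)

def check_swagger(doc):
    """Return (kind, location, value) findings; an empty list means clean."""
    findings = []
    for route in doc.get("paths", {}):          # path segments become names too
        for seg in route.strip("/").split("/"):
            if seg and not PATH_SEG_RE.match(seg):
                findings.append(("path", "paths" + route, seg))
    _walk(doc, [], findings)
    return findings

# Constructed sample: one clean operation and one whose fields carry
# characters that would close a string or comment in generated code.
SAMPLE_DOC = {"swagger": "2.0", "info": {"title": "Pets", "version": "1"}, "paths": {
    "/pets/{petId}": {"get": {"operationId": "getPet", "parameters": [
        {"name": "petId", "in": "path", "type": "string", "description": "Pet id"}],
        "responses": {"200": {"description": "ok"}}}},
    "/pets;x": {"post": {"operationId": 'addPet"; x', "parameters": [
        {"name": "body", "in": "body", "type": "string", "description": "A pet */ x"}],
        "responses": {"200": {"description": "ok"}}}}}}
```

Running `check_swagger(SAMPLE_DOC)` reports three findings (the path segment, the operationId and the description of the second operation) and nothing for the clean one; a build pipeline can refuse to generate code while the list is non-empty.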