
Rapid7 discloses remote code execution flaw in Swagger

Rapid7 researchers warn businesses of remote execution vulnerability in the Swagger programming tool

Security firm Rapid7 has disclosed a security vulnerability in the OpenAPI Specification or Swagger Code Generator for NodeJS, PHP, Ruby and Java.

Attackers could exploit the vulnerability to enable remote code execution, according to Rapid7 researchers, who have proposed changes to the specification to fix the vulnerability.

The researchers have also supplied a proposed patch to the co-ordination centre of the US computer emergency response team (Cert) at the Software Engineering Institute (SEI), and have published a module for the Metasploit penetration testing framework.

In January 2016, the Swagger Specification was donated to the Open API Initiative (OAI) and is the foundation of the OpenAPI Specification, commonly known as Swagger.

The vulnerability disclosure is in accordance with Rapid7’s disclosure policy of publishing an advisory detailing a vulnerability 60 days after initial attempts to contact those responsible for the code.

For companies looking to meet the growing need for scalable application programming interface (API) deployment and testing, a specification that eases and speeds up the development, testing and deployment of services is of high value.

However, Rapid7 researchers said that when adopting such an API documentation/definition system, the potential for abuse of the trust placed in the tools and specification that generate services should be considered.

According to the researchers, maliciously crafted Swagger documents can be used to dynamically create API clients and servers with embedded arbitrary code execution.


This is possible because some parsers/generators trust insufficiently sanitised parameters within a Swagger document when generating a code base, they said.

On the client side, the vulnerability lies in trusting a malicious Swagger document to create any generated code base locally, most often in the form of a dynamically generated API client.

On the server side, a vulnerability exists in a service that consumes Swagger to dynamically generate and serve API clients, server mock ups and testing specs.

Mitigations for all issues, the Rapid7 researchers said, include properly escaping parameters before injecting them into generated code, taking into account the context in which the variable(s) are used during inline code creation.

They also include reviewing what sanitisation is in place, so that the trust placed in an API specification does not allow code to be generated that is open to remote code execution in the known, easily avoidable cases.
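To make the mechanism and the mitigation concrete, here is an added example that is not Rapid7's or Swagger Codegen's code: a toy Node.js client generator fed a constructed Swagger 2.0 document whose description field is hostile. The naive template pastes the field between quotes and so turns it into a statement; the hardened template escapes per context (JSON.stringify for string literals, a strict pattern for identifiers) and keeps it as data.

```javascript
// Added example (not Rapid7's or Swagger Codegen's code): a toy Node.js client
// generator showing how an unsanitised Swagger field becomes code, and the fix.
// Constructed document. Only the description is hostile: under the naive
// template it closes the string literal it sits in and appends a statement.
const HOSTILE_DESCRIPTION = 'List pets"; client.__injected = true; //';
const SWAGGER_DOC = {
  swagger: "2.0",
  paths: {
    "/pets": { get: { operationId: "listPets", description: HOSTILE_DESCRIPTION } },
  },
};

// Yield one { path, method, op } record per operation in the document.
function* operations(doc) {
  for (const [path, item] of Object.entries(doc.paths)) {
    for (const [method, op] of Object.entries(item)) yield { path, method, op };
  }
}

// Naive template: document fields are pasted straight between quotes.
function generateClientUnsafe(doc) {
  let src = "const client = {};\n";
  for (const { path, op } of operations(doc)) {
    src += `client.${op.operationId} = {};\n`;
    src += `client.${op.operationId}.description = "${op.description}";\n`;
    src += `client.${op.operationId}.path = "${path}";\n`;
  }
  return src + "return client;\n";
}

// Hardened template: values emitted in string context go through
// JSON.stringify (escapes quotes, backslashes and control characters);
// values emitted in identifier context must match a strict identifier pattern.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const jsString = (v) => JSON.stringify(String(v));
const jsIdent = (v) => { if (!IDENT.test(v)) throw new Error("unsafe identifier: " + v); return v; };

function generateClientSafe(doc) {
  let src = "const client = {};\n";
  for (const { path, op } of operations(doc)) {
    const id = jsIdent(op.operationId);
    src += `client.${id} = {};\n`;
    src += `client.${id}.description = ${jsString(op.description)};\n`;
    src += `client.${id}.path = ${jsString(path)};\n`;
  }
  return src + "return client;\n";
}

// Load generated source the way a consumer would require() the module.
const loadClient = (src) => new Function(src)();
```

Loading the unsafe output sets `client.__injected` and truncates the description, while the safe output returns the hostile string verbatim as a plain property value.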
