
JVN#41119755: Movable Type XMLRPC API vulnerable to OS command injection

Published 2021-10-20 00:00:00 by Japan Vulnerability Notes (jvn.jp)

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

EPSS: 0.968 (Percentile 99.7%)

Movable Type XMLRPC API provided by Six Apart Ltd. contains an OS command injection vulnerability (CWE-78).
Sending a specially crafted message by the POST method to the Movable Type XMLRPC API may allow arbitrary OS command execution.

【Updated on 2021 November 10】
As of 2021 November 10, Proof-of-Concept (PoC) code exploiting this vulnerability has been made public, and attacks exploiting this vulnerability have been observed in the wild.
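Because exploitation is reported in the wild and the advisory's workarounds all start with restricting who may reach mt-xmlrpc.cgi, a defender's first question is which sources are posting to that script. The following is an added example, not part of the JVN advisory or of Movable Type: it parses combined-format web server access log lines and flags POST requests to mt-xmlrpc.cgi from outside an assumed trusted network. The log lines, addresses, paths and user agents are constructed placeholders, and the trusted range 10.0.0.0/8 is an assumption to be replaced with the site's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed combined-format access log lines (not from the advisory); the
# addresses, paths and user agents are illustrative placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2021:10:15:01 +0900] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 200 512 "-" "python-requests/2.26.0"
198.51.100.22 - - [20/Oct/2021:10:15:03 +0900] "GET /cgi-bin/mt/mt.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Oct/2021:10:16:10 +0900] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 200 300 "-" "MarsEdit/4.5"
203.0.113.7 - - [20/Oct/2021:10:16:11 +0900] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 500 128 "-" "python-requests/2.26.0"
192.0.2.9 - - [20/Oct/2021:10:17:00 +0900] "GET /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 200 64 "-" "curl/7.79.1"
"""

# Assumption: the networks from which legitimate XMLRPC clients are expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Apache/nginx "combined" format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_xmlrpc_endpoint(path):
    """True when the request path (query string stripped) is the XMLRPC script."""
    return path.split("?", 1)[0].endswith("mt-xmlrpc.cgi")


def is_trusted(ip, trusted_nets):
    """True when the source address lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def find_untrusted_xmlrpc_posts(log_text, trusted_nets=TRUSTED_NETS):
    """Return the records of POSTs to mt-xmlrpc.cgi that came from outside trusted_nets."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or not is_xmlrpc_endpoint(rec["path"]):
            continue
        if is_trusted(rec["ip"], trusted_nets):
            continue
        hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source address, most active first."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    flagged = find_untrusted_xmlrpc_posts(SAMPLE_LOG)
    for ip, count in summarize_by_source(flagged):
        print(f"{ip}: {count} untrusted POST(s) to mt-xmlrpc.cgi")
```

Only POST requests are flagged because the advisory ties the vulnerability to POSTed XMLRPC messages; GETs against the script are kept out of the alert so the list stays actionable. On a site where the XMLRPC API is not used at all, dropping the trusted-network exemption turns the same function into a check that nobody is reaching the script.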

Impact

An arbitrary OS command may be executed by a remote attacker.

Solution

Update the Software
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:

  • Movable Type 7 r.5005 (Movable Type 7 Series)
  • Movable Type 6.8.5 (Movable Type 6 Series)
  • Movable Type Advanced 7 r.5005 (Movable Type Advanced 7 Series)
  • Movable Type Advanced 6.8.5 (Movable Type Advanced 6 Series)
  • Movable Type Premium 1.49
  • Movable Type Premium Advanced 1.49

Apply the workaround
If an update cannot be applied, the following workarounds, most of which are settings in the Movable Type configuration file mt-config.cgi, may mitigate the impact of this vulnerability.

  • In the case that the XMLRPC API is not used or no longer in use:
    • Restrict access to mt-xmlrpc.cgi to trusted connection sources only
    • If running as CGI/FCGI
      • Delete mt-xmlrpc.cgi, or remove the execute permission from mt-xmlrpc.cgi
    • If running under PSGI
      • Movable Type (Advanced) 6.2 or later and Movable Type Premium (Advanced)
        • Set the Movable Type configuration directive RestrictedPSGIApp to xmlrpc in mt-config.cgi
      • Movable Type (Advanced) 5.2 to Movable Type (Advanced) 6.1
        • Set a sufficiently complex string as the value of the Movable Type configuration directive XMLRPCScript in mt-config.cgi
  • In the case that the XMLRPC API is to be used:
    • Restrict access to mt-xmlrpc.cgi to trusted connection sources only
    • If running under PSGI
      • Set a sufficiently complex string as the value of the Movable Type configuration directive XMLRPCScript in mt-config.cgi

For more information, refer to the information provided by the developer.
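The two remediation paths above, updating to a fixed release or applying a mt-config.cgi workaround, are easy to get wrong on a fleet of installs, especially after the affected-version list was widened in the December update. The following is an added example, not code from JVN or Six Apart: it encodes the fixed releases listed in this advisory, compares an installed version against them, and inspects a mt-config.cgi text for the RestrictedPSGIApp / XMLRPCScript workarounds. It assumes mt-config.cgi consists of `Directive value` lines with `#` comments and that the default XMLRPC script name is mt-xmlrpc.cgi; the two sample configurations are constructed.

```python
import re

# Fixed releases listed in the advisory, keyed by product and major series.
# Any earlier release in the same series is affected; a series with no entry
# (Movable Type 4 or 5, for example) has no fixed release and is reported as
# not fixed, matching the advisory's statement that all 4.0+ versions are affected.
FIXED_VERSIONS = {
    "Movable Type": {7: "7 r.5005", 6: "6.8.5"},
    "Movable Type Advanced": {7: "7 r.5005", 6: "6.8.5"},
    "Movable Type Premium": {1: "1.49"},
    "Movable Type Premium Advanced": {1: "1.49"},
}

# Assumption: the script name Movable Type uses when XMLRPCScript is not set.
DEFAULT_XMLRPC_SCRIPT = "mt-xmlrpc.cgi"


def version_key(version):
    """Turn '7 r.5005' into ('r', 7, 5005) and '6.8.5' into ('v', 6, 8, 5).

    The leading tag records which naming scheme was used, so release numbers
    are never silently compared against dotted versions.
    """
    v = version.strip()
    m = re.fullmatch(r"(\d+)\s+r\.(\d+)", v)
    if m:
        return ("r", int(m.group(1)), int(m.group(2)))
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unrecognised version string: {version!r}")
    return ("v",) + tuple(int(p) for p in v.split("."))


def is_fixed(product, version):
    """True only if the installed release is at or above the advisory's fixed release."""
    key = version_key(version)
    fixed = FIXED_VERSIONS.get(product, {}).get(key[1])
    if fixed is None:
        return False
    fixed_key = version_key(fixed)
    if fixed_key[0] != key[0]:
        scheme = "release number (e.g. '7 r.5005')" if fixed_key[0] == "r" else "dotted version"
        raise ValueError(f"{product} {key[1]} series is compared by {scheme}; got {version!r}")
    return key >= fixed_key


def parse_mt_config(text):
    """Parse 'Directive value' lines (assumed mt-config.cgi layout); '#' starts a comment."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        name, value = parts[0], (parts[1] if len(parts) > 1 else "")
        directives.setdefault(name, []).append(value.strip())
    return directives


def workaround_in_config(directives):
    """Name the advisory's mt-config.cgi workaround the config reflects, or None."""
    restricted = set()
    for value in directives.get("RestrictedPSGIApp", []):
        restricted.update(p.lower() for p in value.replace(",", " ").split())
    if "xmlrpc" in restricted:
        return "RestrictedPSGIApp xmlrpc"
    scripts = directives.get("XMLRPCScript", [])
    # Only detects that the script was renamed; whether the name is
    # "sufficiently complex" is left to the operator's judgement.
    if scripts and scripts[-1] and scripts[-1] != DEFAULT_XMLRPC_SCRIPT:
        return "XMLRPCScript renamed"
    return None


def audit(product, version, config_text):
    """Combine the version check and the config check into one status."""
    fixed = is_fixed(product, version)
    workaround = workaround_in_config(parse_mt_config(config_text))
    if fixed:
        status = "fixed"
    elif workaround:
        status = f"vulnerable version, mitigated by {workaround}"
    else:
        status = "vulnerable: update or apply a workaround"
    return {"fixed": fixed, "workaround": workaround, "status": status}


# Constructed configurations (not from the advisory or the vendor).
WEAK_CONFIG = """\
CGIPath /cgi-bin/mt/
StaticWebPath /mt-static/
# XMLRPC left at defaults: mt-xmlrpc.cgi stays reachable under PSGI
"""

HARDENED_CONFIG = """\
CGIPath /cgi-bin/mt/
StaticWebPath /mt-static/
# XMLRPC API is not used: disable it under PSGI
RestrictedPSGIApp xmlrpc
"""

if __name__ == "__main__":
    for product, version, cfg in [("Movable Type", "6.8.2", WEAK_CONFIG),
                                  ("Movable Type", "6.8.2", HARDENED_CONFIG),
                                  ("Movable Type Advanced", "7 r.5005", WEAK_CONFIG)]:
        print(product, version, "->", audit(product, version, cfg)["status"])
```

The version comparison deliberately refuses to compare a dotted version against a 7-series release number, since a mismatch there would report an unpatched install as fixed. A config that passes `workaround_in_config` still needs the access restriction from the list above; that lives in the web server, not in mt-config.cgi, and is out of this check's reach.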

Products Affected

  • Movable Type 7 r.5004 and earlier (Movable Type 7 Series)
  • Movable Type 6.8.4 and earlier (Movable Type 6 Series)
  • Movable Type Advanced 7 r.5004 and earlier (Movable Type Advanced 7 Series)
  • Movable Type Advanced 6.8.4 and earlier (Movable Type Advanced 6 Series)
  • Movable Type Premium 1.48 and earlier
  • Movable Type Premium Advanced 1.48 and earlier

The developer states that all versions of Movable Type 4.0 or later, including unsupported (End-of-Life, EOL) versions, are affected by this vulnerability.

【Updated on 2021 December 16】
When this advisory was first published on 2021 October 20, the affected versions were described as “Movable Type 7 r.5002 and earlier (Movable Type 7 Series)”, “Movable Type 6.8.2 and earlier (Movable Type 6 Series)”, “Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series)”, “Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series)”, “Movable Type Premium 1.46 and earlier” and “Movable Type Premium Advanced 1.46 and earlier”. However, it was found that those fixes were not adequate, so the information under the section [Products Affected] was updated.
