########### Computest security advisory CT-2017-0712 #############

Summary:              Command execution on NAPALM controller from host
Affected software:    NAPALM
CVE:                  -
Reference URL:        https://www.computest.nl/advisories/CT-2017-0712_NAPALM.txt
Affected versions:    napalm-base >= 0.24.0 <= 0.24.2
                      napalm-iosxr <= 0.5.2
Credit:               Daan Keuper
Date of publication:  July 12, 2017

During a summary code review of NAPALM, Computest found and exploited several
issues that allow a compromised host to execute commands on the NAPALM
controller and thus gain access to the other hosts controlled by that
controller.

This was not a full audit and further issues may or may not be present.

About NAPALM
------------

NAPALM (Network Automation and Programmability Abstraction Layer with
Multivendor support) is a Python library that implements a set of functions to
interact with different router vendor devices using a unified API. NAPALM
supports several methods to connect to the devices, to manipulate
configurations or to retrieve data.

- github.com/napalm-automation/napalm

Technical Background
--------------------

A big threat to a configuration management system like NAPALM, Ansible, Salt
Stack and others is compromise of the central node, or controller. If the
controller is compromised, an attacker has unfettered access to all hosts that
are controlled by the controller. As such, in any deployment, the central node
receives extra attention in terms of security measures and isolation, and
threats to this node are taken even more seriously.

Issue 1: Unsafe eval() when validating configurations
-----------------------------------------------------

The validator allows for a number comparison using '<' and '>'. This is
handled by the compare_numeric() function in napalm-base/validator.py. The
function assumes that the value retrieved from the router is also a number and
uses the eval() function [1] for the actual comparison. However, a compromised
device can of course also return an arbitrary string, which will then be
evaluated as Python code.

[1] https://github.com/napalm-automation/napalm-base/blob/develop/napalm_base/validate.py#L142

Issue 2: Unsafe eval() in the IOS XR driver
-------------------------------------------

The eval() function is also used quite extensively in the IOS XR
driver [2][3][4][5][6][7][8][9][10]. Its use case seems to be to transform a
string from the API that contains 'true' or 'false' into a Python boolean.
When the router is compromised, however, the string could contain an arbitrary
value that is passed to the eval() function.

The difficulty in exploiting this is that the value is first passed to the
title() function before it is evaluated as Python code. The title() function
capitalizes the first character of each word in a string. We haven't found a
working bypass yet that would allow for arbitrary code execution; however, we
suspect that an attacker who invests more time into this would be able to
create a working PoC.

[2] https://github.com/napalm-automation/napalm-iosxr/blob/develop/napalm_iosxr/iosxr.py#L821
[3] https://github.com/napalm-automation/napalm-iosxr/blob/develop/napalm_iosxr/iosxr.py#L952
[4] https://github.com/napalm-automation/napalm-iosxr/blob/develop/napalm_iosxr/iosxr.py#L966
[5] https://github.com/napalm-automation/napalm-iosxr/blob/develop/napalm_iosxr/iosxr.py#L968
[6] https://github.com/napalm-automation/napalm-iosxr/blob/develop/napalm_iosxr/iosxr.py#L970
[7] https://github.com/napalm-automation/napalm-iosxr/blob/develop/napalm_iosxr/iosxr.py#L1003
[8] https://github.com/napalm-automation/napalm-iosxr/blob/develop/napalm_iosxr/iosxr.py#L1005
[9] https://github.com/napalm-automation/napalm-iosxr/blob/develop/napalm_iosxr/iosxr.py#L1145
[10] https://github.com/napalm-automation/napalm-iosxr/blob/develop/napalm_iosxr/iosxr.py#L1368

Mitigation
----------

Users who are unable to update can mitigate the issues by not using the '<' or
'>' validation options and by not using the IOS XR driver.

Resolution
----------

Users can update to version 0.24.3 of napalm-base and 0.5.3 of napalm-iosxr,
which fix these vulnerabilities.

Conclusion
----------

The NAPALM project assumes that all nodes are playing nice. However, this
assumption does not hold in a situation where a node is compromised. The
project would benefit from a more defensive programming style, where values
that are returned from a node are considered hostile and handled accordingly.

We would like to thank the developers of NAPALM for their quick response. The
mentioned vulnerabilities were fixed within 2 hours after our initial email!

Timeline
--------

2017-07-12 First contact with NAPALM developers
2017-07-12 NAPALM released a fix
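The following Python is an added illustration of the defensive style the conclusion asks for; it is not code from the NAPALM project, from the fix releases, or from this advisory. It shows a numeric-comparison check and a 'true'/'false' conversion that treat the device-supplied value as hostile, next to the eval()-based pattern the two issues describe. The function names compare_numeric_unsafe(), compare_numeric(), to_bool() and rejects(), the rule syntax "<10", and all sample values are constructed for this example (the real validator's signature and rule format are not given on the page). It also goes slightly beyond the page by accepting <=, >=, == and != rules in the same strict parser.

```python
"""Hostile-input-safe replacements for the two eval() patterns in the advisory.

Everything here is constructed for illustration; none of it is NAPALM code.
"""
import operator
import re


def compare_numeric_unsafe(rule, device_value):
    """The shape of the issue-1 pattern, kept only for contrast.

    The device value is interpolated into a string that is eval()'d, so any
    non-numeric string returned by a compromised device runs as Python on the
    controller. Never use this; it exists to show what the safe version avoids.
    """
    return eval("{} {}".format(device_value, rule))


# Operators the validation rule may use, mapped to real functions instead of
# letting eval() resolve them.
_OPS = {
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
    "==": operator.eq, "!=": operator.ne,
}
# Rule from the operator's own validation file, e.g. "<10" or ">= 2.5".
# Longer operators are listed first so "<=" is not read as "<" followed by "=".
_RULE_RE = re.compile(r"^\s*(<=|>=|==|!=|<|>)\s*(-?\d+(?:\.\d+)?)\s*$")
# Value from the device: only a plain decimal number is acceptable. This is
# stricter than float(), which would also accept 'nan', 'inf' or '1e3'.
_NUMBER_RE = re.compile(r"^-?\d+(?:\.\d+)?$")


def compare_numeric(rule, device_value):
    """Evaluate a validation rule against a value read from a (hostile) device.

    The rule is parsed with a strict regex and dispatched through a fixed
    operator table; the device value must be a plain number. Anything else
    raises, so a compromised device can make validation fail loudly but can
    never make the controller execute what it sent.
    """
    match = _RULE_RE.match(rule)
    if not match:
        raise ValueError("malformed validation rule: %r" % (rule,))
    op, threshold = match.groups()
    text = str(device_value).strip()
    if not _NUMBER_RE.match(text):
        raise ValueError("device returned a non-numeric value: %r" % (text,))
    return _OPS[op](float(text), float(threshold))


def to_bool(device_value):
    """Convert the device's 'true'/'false' string to a bool without eval().

    Issue 2 in the advisory maps the string to a boolean via eval() after
    title()-casing it. An explicit allow-list of the two expected spellings
    gives the same result for well-behaved devices and rejects everything else.
    """
    text = str(device_value).strip().lower()
    if text == "true":
        return True
    if text == "false":
        return False
    raise ValueError("expected 'true' or 'false' from device, got %r" % (text,))


def rejects(func, *args):
    """Return True when func(*args) refuses the input with ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample device output for a rule like "number of peers < 10".
    print(compare_numeric("<10", "7"))                 # True
    print(compare_numeric(">= 2.5", " 3 "))            # True
    print(to_bool("True"))                             # True
    # A compromised device returning something that is not a number or a
    # boolean makes the check fail closed instead of being executed.
    print(rejects(compare_numeric, "<10", "7 ; 3"))    # True
    print(rejects(to_bool, "yes"))                     # True
```

The contrast is the whole point: for honest devices compare_numeric() and compare_numeric_unsafe() agree, but only the strict parser keeps the controller's trust boundary where the Technical Background section says it must be, between the controller and every device it manages.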