CVE-2022-38792: Pin exotel dependency to 0.1.5 due to security issue in 0.1.6 by anroots-tw · Pull Request #931 · jertel/elastalert2
The exotel (aka exotel-py) package in PyPI as of 0.1.6 includes a code execution backdoor inserted by a third party.
Description
Version 0.1.6 of the exotel package was released 2 hours ago (with the last release, 0.1.5, happening in 2017).
Version 0.1.6 has malicious code in setup.py. Lock the version of the package to the last known good, 0.1.5, as a hotfix.
Ref https://pypi.org/project/exotel/0.1.6/#history
Checklist
- I have reviewed the contributing guidelines.
- I have included unit tests for my changes or additions.
- I have successfully run make test-docker with my changes.
- I have manually tested all relevant modes of the change in this PR.
- I have updated the documentation.
- I have updated the changelog.
Questions or Comments
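As an added example (not code from this PR or from elastalert2), two defender-side checks that the description above motivates: flagging a release that appears after years of dormancy, as 0.1.6 did, and enforcing an exact pin to the last known good version in a requirements file. The release dates below are constructed sample data, not PyPI's actual history.

```python
"""Added example: dormancy-revival detection and exact-pin enforcement."""
from datetime import datetime, timedelta
import re

# Constructed sample in the shape of a PyPI release history: (version, upload time).
SAMPLE_RELEASES = [
    ("0.1.4", datetime(2016, 11, 2)),
    ("0.1.5", datetime(2017, 3, 15)),
    ("0.1.6", datetime(2022, 8, 24)),
]


def dormant_revivals(releases, dormant_days=365 * 2):
    """Return versions published after a gap longer than `dormant_days`
    since the previous release: a sudden release from a long-quiet project
    is the pattern that made exotel 0.1.6 stand out."""
    ordered = sorted(releases, key=lambda r: r[1])
    flagged = []
    for (_, prev_time), (ver, cur_time) in zip(ordered, ordered[1:]):
        if cur_time - prev_time > timedelta(days=dormant_days):
            flagged.append(ver)
    return flagged


# Matches "name==version" (optional extras allowed), e.g. "exotel==0.1.5".
PIN_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#]*)")


def check_pins(requirements_text, allowed):
    """Verify that every package in `allowed` ({name: last_known_good}) is
    declared and pinned with '==' to that version.
    Returns a list of (package, problem) tuples; empty means all good."""
    seen = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        name = re.split(r"[<>=!~\s\[]", line, 1)[0].lower()
        seen[name] = m.group(2) if m else None  # None: declared but not '=='
    problems = []
    for pkg, good in allowed.items():
        key = pkg.lower()
        if key not in seen:
            problems.append((pkg, "not declared"))
        elif seen[key] is None:
            problems.append((pkg, "not pinned with =="))
        elif seen[key] != good:
            problems.append((pkg, f"pinned to {seen[key]}, expected {good}"))
    return problems
```

Running `dormant_revivals(SAMPLE_RELEASES)` flags only `0.1.6`, and `check_pins` reports a range specifier such as `exotel>=0.1.5` as unpinned even though it would resolve to the same version today.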
Thanks for submitting this. I reviewed 0.1.6 and I do see the requests to two Russian-owned domains, with Windows hosts being the infection target. Are you aware of any known CVE for this?
I’ve sent a request to PyPI to have the Exotel 0.1.6 removed. Thanks again for raising this so quickly.
We’ve also notified PyPI about the issue.
@jertel Since the dependency is unmaintained and only contains about 5 POST request functions, maybe it’s worth dropping the dependency entirely and implementing support directly inside elastalert itself?
Additionally the package is only used inside the exotel alerter, so maybe a suitable spot for the code would be inside that alerter.
A side discussion here is maybe making alerter dependencies optional? Then unless an alerter type is specifically used, the dependencies wouldn’t even get pulled in, thereby reducing chances of these kinds of incidents affecting all users?
Implementing the Exotel integration directly into the ElastAlert2 exotel.py file is fine with me, if you are up to submitting the PR. Optional dependencies would reduce risk but will still cause code scanners to trigger, simply by having the Python code exist, even if the main codebase didn’t include that module. So to keep the code scanners from triggering you’d have to dynamically pull down the alerters from the Internet. I’m not opposed to the idea but it would be a significant change.
Version 0.1.6 got deleted just now.
Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI.
/–/
At this time, the malicious releases that we are aware of are:
- exotel==0.1.6
https://twitter.com/pypi/status/1562442188285308929