IBL Software Engineering Visual Weather Product Delivery Service Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in IBL Software Engineering Visual Weather and its derived products, including NAMIS, Aero Weather, and Satellite Weather. The issue arises in the Product Delivery Service (PDS) component when specific server configurations enable the PDS pipeline to use the IPDS pipeline with Message Editor Output Filters activated. In these scenarios, an unauthenticated attacker can send requests that execute the IPDS pipeline with specially crafted Form Properties, allowing for the remote execution of arbitrary Python code. This vulnerability could lead to a complete system compromise, especially if Visual Weather services are running under a privileged user account, contrary to the recommended installation best practices.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected server, with a potential full system compromise, particularly if the application is running under a privileged user account.

Remediation

Users are advised to upgrade to Visual Weather versions 7.3.10 or higher, or 8.6.0 or higher. For temporary mitigation, disable PDS pipelines that use IPDS pipelines with Message Editor Output Filters enabled, ensure Visual Weather services are not run under a privileged user account, and restrict network access to the PDS pipeline endpoint to trusted IP ranges only.