GRID::Machine Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in GRID::Machine versions through 0.127 for Perl. The Remote Procedure Call (RPC) protocol that GRID::Machine runs over SSH serializes responses in Data::Dumper format and deserializes them on the client by passing the received text to eval(). Because the response is compiled and run as Perl, a compromised or malicious remote host can embed arbitrary Perl code in a response and have the client execute it silently.

Impact

Exploitation of this vulnerability gives the remote host arbitrary code execution inside the client process, with the privileges of the user running the GRID::Machine client. Nothing beyond a normal RPC round trip is required: any response from a compromised remote host can carry the payload.

Reproduction

To reproduce this vulnerability, establish a GRID::Machine session with a remote host over SSH and have the remote end return a response that embeds Perl code inside an otherwise normal Dumper-formatted payload. When the client's read_operation() function deserializes that response, the embedded code runs on the client with no error and no other indication that anything unusual happened; a harmless side effect such as assigning to a global variable is enough to confirm execution without running anything destructive.
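The following script is an added illustration of the deserialization pattern described above and of the hardening options; it is not GRID::Machine's own code, and the function names (read_operation_eval, read_operation_safe, read_operation_json), the $main::PWNED marker and both wire payloads are assumptions constructed for the demonstration. The hostile payload only sets a flag where a real one would call system() or exec().

```perl
#!/usr/bin/perl
# Added example, not GRID::Machine code. All names below are illustrative.
use strict;
use warnings;
use Data::Dumper;
use Safe;
use JSON::PP;

our $PWNED = 0;   # side-effect marker: proves the payload ran in this process

# Constructed wire messages (not captured from any real session).
$Data::Dumper::Indent   = 0;
$Data::Dumper::Sortkeys = 1;
my $benign_dumper  = Dumper({ status => 'ok', result => 42 });
# Still valid Perl, still yields a plausible hash, but runs code on the way.
my $hostile_dumper = q{$VAR1 = {'result' => do { $main::PWNED = 1; 42 },'status' => 'ok'};};
my $benign_json    = JSON::PP->new->canonical->encode({ status => 'ok', result => 42 });

# 1. Vulnerable pattern: the bytes from the peer are compiled and run as Perl.
sub read_operation_eval {
    my ($wire) = @_;
    my $VAR1;                        # target of the "$VAR1 = ..." assignment
    my $resp = eval $wire;           # string eval executes whatever was sent
    die "bad response: $@" if $@;
    return $resp;
}

# 2. Partial mitigation: same string eval, but inside a Safe compartment.
#    The default opcode mask traps system/exec/open and similar ops, and the
#    compartment's main:: namespace is separate from the real one, so the
#    assignment to $main::PWNED lands in the sandbox. Safe has a history of
#    escapes; treat this as defence in depth, not as the fix.
sub read_operation_safe {
    my ($wire) = @_;
    my $cpt  = Safe->new;
    my $resp = $cpt->reval($wire);
    die "bad response: $@" if $@;
    return $resp;
}

# 3. Actual fix: a data-only format. Nothing in a JSON document can execute,
#    and any input that is not JSON is rejected outright.
sub read_operation_json {
    my ($wire) = @_;
    my $resp = eval { JSON::PP->new->utf8->decode($wire) };
    die "bad response: $@" if $@;
    return $resp;
}

for my $case (
    [ 'eval, benign Dumper',  \&read_operation_eval, $benign_dumper  ],
    [ 'eval, hostile Dumper', \&read_operation_eval, $hostile_dumper ],
    [ 'Safe, hostile Dumper', \&read_operation_safe, $hostile_dumper ],
    [ 'JSON, hostile Dumper', \&read_operation_json, $hostile_dumper ],
    [ 'JSON, benign JSON',    \&read_operation_json, $benign_json    ],
) {
    my ($label, $reader, $wire) = @$case;
    $main::PWNED = 0;
    my $resp    = eval { $reader->($wire) };
    my $outcome = $resp ? "parsed result=$resp->{result}" : 'rejected';
    printf "%-22s %-18s PWNED=%d\n", $label, $outcome, $main::PWNED;
}
```

Running it shows the plain eval reader accepting both Dumper payloads and setting PWNED=1 for the hostile one, the Safe reader accepting the hostile payload but leaving the real $main::PWNED at 0, and the JSON reader rejecting both Dumper strings while parsing the JSON response normally. The practical lesson for any Perl RPC layer is the third case: the peer must never be able to hand the client something that is compiled, only something that is parsed.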

Remediation

No upstream fix is available. Until one is released, GRID::Machine should only be used with remote hosts that are fully trusted, since any host the client connects to can execute code on the client.

Added: Mar 29, 2026, 1:19 AM
Updated: Mar 29, 2026, 1:19 AM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 10.0
exploitability: 5.7
remediation: 0.0
relevance: 4.9
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.