jQuery, Javascript vulnerability of the month

Artwork by Marco Sciortino

Here we are! Guess what’s vulnerable again?
On April 10th 2020 it was made public that a vulnerability had been exploited in the most popular Javascript library ever implemented: jQuery 3.4.1.

Why is jQuery 3.4.1 vulnerable?

Vulnerability score: 5
Platform: Javascript
Components: jQuery, all versions before 3.5.0

When jQuery is invoked, it reads the HTML document and returns requested fragments of it.
Now, while reading the document it might find that one or more of the requested fragments are not in the correct format, so it tries to translate them. Although most of the time the translation is performed correctly, it’s been demonstrated that in particular cases the conversion (or parsing) could lead to a cross-site scripting (XSS) vulnerability.

Cross-site scripting (XSS) is a type of code vulnerability that allows attackers to insert malicious code into the web pages viewed by other users. It might be exploited to steal information such as access tokens or other sensitive information. This is what a criminal or Black Hat hacker would do.

White Hat hackers, on the other hand, would behave ethically. Using their software engineering knowledge, White Hat hackers would show how to exploit a vulnerability: publish useful information about it to make sure both users and owners of the vulnerable library could take actions to prevent attacks.

What actions are required to safely update?

The first thing to know is that all the old versions of jQuery have some sort of vulnerability.  Up until April 10th, version 3.4.1 was the only safe version available.  Fortunately, the new minor release 3.5.0 has been published to fix the XSS security vulnerability.

As suggested in the jQuery release note, updating to this latest version might break your code as, to prevent the abuse of this vulnerability, the HTML element phrase is no longer converted.
Therefore, a code review might be in order.
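
A starting point for that code review, as an added example that is not from the jQuery project or from this post: it flags HTML strings that jQuery releases before 3.5.0 would have rewritten and that 3.5.0 passes through unchanged. The pattern is an assumption modelled on the self-closing-tag expansion jQuery performed before 3.5.0; the function names and sample strings are constructed.

```javascript
// Added example (not jQuery's own code): find HTML strings that are parsed
// differently after upgrading to jQuery 3.5.0.
//
// Assumption: before 3.5.0, jQuery expanded self-closed non-void tags such as
// <div/> into <div></div> before handing the string to the browser. The
// pattern below models that conversion; void elements (img, br, ...) are
// left alone.
const LEGACY_SELF_CLOSING =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// What releases before 3.5.0 would pass to the HTML parser.
function legacyPrefilter(html) {
  return html.replace(LEGACY_SELF_CLOSING, "<$1></$2>");
}

// What 3.5.0 passes to the HTML parser: the string, unchanged.
function currentPrefilter(html) {
  return html;
}

// Return one review record per snippet whose markup is affected by the
// upgrade. explicitMarkup is the form that parses the same way on both
// sides of the upgrade because every element is closed explicitly.
function findAffectedSnippets(snippets) {
  const findings = [];
  for (const [location, html] of Object.entries(snippets)) {
    const before = legacyPrefilter(html);
    const after = currentPrefilter(html);
    if (before !== after) {
      findings.push({ location, html, explicitMarkup: before });
    }
  }
  return findings;
}

// Constructed sample: HTML strings as they might appear in calls such as
// $(...), .html(...) or .append(...), keyed by a made-up file location.
const SAMPLE_SNIPPETS = {
  "cart.js:12": "<div class='row'/><span/>",
  "cart.js:40": "<img src='logo.png'/>",
  "menu.js:7": "<ul><li>Home</li></ul>",
  "menu.js:19": "<p/>text after",
};

for (const finding of findAffectedSnippets(SAMPLE_SNIPPETS)) {
  console.log(`${finding.location}: ${finding.html}  ->  ${finding.explicitMarkup}`);
}
```

After the upgrade the browser treats `<div/>` as an opening tag, so the elements that follow nest inside it; writing the closing tags explicitly keeps the structure the code relied on.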

There is a lot of time-consuming effort involved in staying on track with all the latest code vulnerabilities as they are discovered but, fortunately, Meterian can help you with that.

When added to the CI/CD pipeline of any application, Meterian will automatically detect such vulnerabilities, or even fix them for you, and it will help you avoid the risk of an attack before it becomes a problem.

Beat open source vulnerabilities with Meterian.


Vulnerability Focus: Javascript

Welcome back to Meterian’s next Vulnerability Focus report edition. This week we are talking about Javascript vulnerabilities which need to be addressed. Both have been published in recent months and have a medium severity threat. The first vulnerability could result in a cross-site scripting attack whilst the second is to do with a cryptographic issue. There are over 1.6 billion websites in the world, and JavaScript is used on 95% of them, so be sure to check if you could be affected.

  • CVE-2019-12043: there is a vulnerability in remarkable 1.7.1 affecting the unknown processing in the library lib/parser_inline.js of the component URL Handler. Manipulation of this component can lead to cross-site-scripting.
  • CVE-2019-9155: OpenPGP.js has a cryptographic issue which could allow attackers to conduct an invalid curve attack and gain the victim’s ECDH private key

CVE-2019-12043

Vulnerability Score: 6.1

Platform: Javascript

Components: remarkable version 1.7.1

Read up Javascript users! This vulnerability was posted last year in 2019, yet because of the significant amount of people using Javascript for their web apps, we thought it would be useful to inform people who might not have had time to address the issue. 

This vulnerability has been found in remarkable 1.7.1 and is considered problematic. The component mishandles URL filtering, which allows attackers to trigger an XSS attack via unprintable characters.

Cross site scripting is an injection of malicious code into a trusted web app. As described above, this happens when the user input is not sufficiently validated either on the client or server side. The scripts injected will have malware which then allows the hacker to do a series of exploits. What is more concerning is that the attack could then alter the appearance of the web app and also commence attacks on users visiting that site.

An image of a computer with three people huddled around it, pointing at the screen.
https://unsplash.com/photos/2FPjlAyMQTA

The solution for this vulnerability is to replace remarkable 1.7.1 with versions 1.7.4 to 2.0.0.
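
The URL-filtering weakness described above, shown as an added example that is not remarkable's code: a prefix test on the raw string next to a validator that rejects unprintable characters before it looks at the scheme. The function names, the scheme allowlist and the sample links are assumptions made for illustration.

```javascript
// Added example (not remarkable's code): validate a link destination so that
// unprintable characters cannot hide the scheme from the filter.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// C0 controls, DEL, C1 controls, and invisible format characters
// (zero-width characters, line/paragraph separators, BOM).
const UNPRINTABLE = /[\u0000-\u001f\u007f-\u009f\u200b-\u200f\u2028\u2029\ufeff]/;

// Weak filter: it inspects the raw string. URL parsers drop leading control
// characters and embedded tabs/newlines, so the browser can see a scheme
// that this prefix test never saw.
function naiveIsSafe(url) {
  return !/^(javascript|vbscript|data):/i.test(url);
}

// Hardened filter: refuse unprintable characters outright, then allowlist
// the scheme instead of blocklisting a few bad ones.
function checkLinkDestination(url) {
  if (typeof url !== "string") {
    return { ok: false, reason: "not a string" };
  }
  if (UNPRINTABLE.test(url)) {
    return { ok: false, reason: "unprintable character" };
  }
  const trimmed = url.trim();
  const match = /^([a-z][a-z0-9+.\-]*):/i.exec(trimmed);
  if (match === null) {
    return { ok: true, reason: "relative reference" };
  }
  const scheme = match[1].toLowerCase();
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { ok: false, reason: `scheme "${scheme}" not allowed` };
  }
  return { ok: true, reason: `scheme "${scheme}" allowed` };
}

// Constructed sample destinations, as a Markdown renderer might receive them.
const SAMPLE_LINKS = [
  "https://example.org/docs",
  "/relative/path",
  "JavaScript:void(0)",
  "\u0001javascript:void(0)",
  "java\tscript:void(0)",
];

// Compare both filters over a list of destinations.
function auditLinks(links) {
  return links.map((url) => ({
    url: JSON.stringify(url),
    naive: naiveIsSafe(url),
    hardened: checkLinkDestination(url).ok,
  }));
}

console.table(auditLinks(SAMPLE_LINKS));
```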

CVE-2019-9155

Vulnerability Score: 5.9

Platform: Javascript openpgp

Components: openpgp versions up to 4.2.0 included

This Javascript vulnerability was published in September 2019 and has a medium severity score of 5.9. 

The vulnerability is a cryptographic issue in OpenPGP.js up to and including 4.2.0. This is a library in Javascript and therefore can be used on nearly any device. Users do not have to install a gpg on their machines in order to use this library, and therefore it can be reused in other projects that have browser extensions or server apps. Its main function is to sign, encrypt, decrypt and verify any kind of text, specifically emails. 

The problem allows hackers, who can provide forged messages and get feedback on whether decryption of these messages succeeded, to eventually figure out and extract the victim’s private key.

An image of a key.
https://unsplash.com/photos/Nel8STCcWy8

To avoid this type of attack in the future, developers should identify sensitive data and encrypt them, even if stored on a hard drive. There should also be an effort to ensure the data cannot be overwritten by overwriting sensitive memory locations straight after the data is no longer needed in memory. 

In regards to this specific vulnerability, it is suggested to upgrade openpgp to version 4.3.0 or above. 
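
The check that defeats an invalid curve attack is to confirm that a peer-supplied point satisfies the curve equation before it is used in ECDH. This is an added example, not OpenPGP.js code; it assumes NIST P-256 and the uncompressed hex encoding 04 || X || Y, and the sample points are constructed.

```javascript
// Added example (not OpenPGP.js code): validate a peer's ECDH public point
// before it takes part in a key agreement.
// Assumptions: NIST P-256, uncompressed SEC1 encoding (04 || X || Y) as hex.

const fromWords = (words) => BigInt("0x" + words.join(""));

const P256_PRIME = fromWords(["ffffffff", "00000001", "00000000", "00000000",
                              "00000000", "ffffffff", "ffffffff", "ffffffff"]);
const P256 = {
  p: P256_PRIME,
  a: P256_PRIME - 3n,
  b: fromWords(["5ac635d8", "aa3a93e7", "b3ebbd55", "769886bc",
                "651d06b0", "cc53b0f6", "3bce3c3e", "27d2604b"]),
  gx: fromWords(["6b17d1f2", "e12c4247", "f8bce6e5", "63a440f2",
                 "77037d81", "2deb33a0", "f4a13945", "d898c296"]),
  gy: fromWords(["4fe342e2", "fe1a7f9b", "8ee7eb4a", "7c0f9e16",
                 "2bce3357", "6b315ece", "cbb64068", "37bf51f5"]),
  coordHexLen: 64, // hex characters per coordinate
};

// y^2 = x^3 + a*x + b (mod p)
function isOnCurve(x, y, curve) {
  const { p, a, b } = curve;
  const lhs = (y * y) % p;
  const rhs = (x * x * x + a * x + b) % p;
  return lhs === rhs;
}

// Decode and validate a peer point. The point at infinity has no
// uncompressed encoding, so it is rejected by the length check. P-256 has
// cofactor 1, so a point on the curve is also in the correct group.
function validatePeerPoint(hex, curve = P256) {
  const n = curve.coordHexLen;
  if (typeof hex !== "string" || !/^[0-9a-f]*$/i.test(hex)) {
    return { ok: false, reason: "not a hex string" };
  }
  if (hex.length !== 2 + 2 * n) {
    return { ok: false, reason: "wrong length" };
  }
  if (hex.slice(0, 2) !== "04") {
    return { ok: false, reason: "not an uncompressed point" };
  }
  const x = BigInt("0x" + hex.slice(2, 2 + n));
  const y = BigInt("0x" + hex.slice(2 + n));
  if (x >= curve.p || y >= curve.p) {
    return { ok: false, reason: "coordinate out of range" };
  }
  if (!isOnCurve(x, y, curve)) {
    return { ok: false, reason: "point is not on the curve" };
  }
  return { ok: true, reason: "valid point" };
}

function encodePoint(x, y, curve = P256) {
  const toHex = (v) => v.toString(16).padStart(curve.coordHexLen, "0");
  return "04" + toHex(x) + toHex(y);
}

// Constructed samples: the curve's base point and three malformed variants.
const SAMPLE_POINTS = {
  generator: encodePoint(P256.gx, P256.gy),
  tamperedY: encodePoint(P256.gx, P256.gy + 1n),
  oversizedX: encodePoint(P256.p, P256.gy),
  truncated: encodePoint(P256.gx, P256.gy).slice(0, 100),
};

function classifySamples(samples = SAMPLE_POINTS) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, hex]) => [name, validatePeerPoint(hex).reason])
  );
}

console.log(classifySamples());
```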

That is it from us…for now! Make sure to spread the word on these Javascript vulnerabilities in order to help protect your apps or the apps you develop. Read also our post about javascript vulnerabilities and remote code execution

As you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously. Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.


Attention! New .NET Vulnerabilities


Image of dark room with an open door. Label on the left saying 'Vulnerabilities .NET'

Greetings App Sec community! Meterian is back with some .NET vulnerabilities which need some attention. Both these vulnerabilities are of a medium to high threat nature, so make sure to give this a read, it’ll be worth your while. The first case deals with a cross-site scripting vulnerability, whilst the second can cause a core denial of service issue. Don’t let hackers use this as a backdoor to your systems and networks. Stay protected people!

  • CVE-2019-1301: .NET Core suffers from a denial of service vulnerability when it improperly handles web requests.
  • CVE-2019-12562: There is stored cross-site scripting vulnerability in DotNetNuke (DNN) versions before 9.4.0, allowing attackers to store and embed malicious script into the administration notification page.

CVE-2019-1301

Vulnerability Score: 7.5/HIGH

Platform: .NET

Components: 

Affected Versions: 

  • .NET Core  / Microsoft.NetCore.App: 2.1.0-2.1.12 or 2.2.0-2.2.6
  • System.Net.Sockets: 4.3.0

The first .NET vulnerability we bring to your urgent attention is a denial of service vulnerability which occurs when .NET Core improperly handles web requests. The affected versions are in any .NET Core based application running on .NET Core 2.1.0 to 2.1.12 or 2.2.0 to 2.2.6, and System.Net.Sockets 4.3.0. This is regarded as a high threat to security and should be tended to immediately.

How can you confirm if your .NET application is affected? Run the dotnet --info command to see the list of the versions you have installed. You will then see output as shown below:

Lines of code which show if your .NET application is affected.
https://github.com/dotnet/announcements/issues/121

If you see that you have a version of .NET Core which is less than 2.1.13 or less than 2.2.7, then unfortunately you are vulnerable. The same applies if you are using the meta-package “Microsoft.NETCore.App”, with the same version range. Please note that this also applies to the package System.Net.Sockets version 4.3.0.

What is .NET Core? It is an open source, development platform which is maintained by Microsoft and the .NET community on GitHub. It can be used to build device, cloud and IoT applications. 

Why is this vulnerability such a threat? Firstly, the attacker who is successful in the exploit of this vulnerability would use the denial of service against the .NET Core web application. Not only can this vulnerability be exploited remotely, but also without authentication of the user-cum-attacker. A denial of service attack (DoS) is focused on making a resource unavailable for the purpose of its design. The unavailability of a resource can come in many forms: manipulating network packets, programming, logical or resource handling vulnerabilities. Sometimes the attacker may execute arbitrary code to access critical information or execute commands on the server. Generally, this type of attack would cause response delays, large-scale losses, interruption to services and therefore an impact on availability. 

So how can you fix this issue? It is recommended to install the latest version of .NET Core, but it depends on the versions which you have already installed. You may need to update if you have either version 2.1 (upgrade at least to 2.1.13) or 2.2 (upgrade at least to 2.2.7). If you are using the meta-package, upgrade the meta-package following the same version numbering. Also, if you are using System.Net.Sockets, please upgrade to version 4.3.1.

CVE-2019-12562

Vulnerability Score: 6.1/MEDIUM

Platform: .NET

Component: DotNetNuke

Affected Versions: up to 9.4.0

You read right.  DotNetNuke (DNN) has a cross-site scripting vulnerability in versions before 9.4.0 which allows remote attackers to store and embed malicious script into the admin notification page. The exploit succeeds when an admin user visits a notification page with stored cross-site scripting. 

A little information on DNN. First of all, it is a program that runs on Microsoft ASP.NET. It is also a framework, meaning it is a program designed to be extended. When you install DNN it can allow the creation of thousands of individual portals. These portals can then display pages and the pages display modules. More importantly, DNN is an open source web content management system, meaning many businesses around the world rely on it for organisational purposes. DNNSoftware.com has over 1 million registered members since 2013 and is used on nearly 750,000 websites globally. This might illuminate how many people could be affected by this vulnerability and why this needs urgent attention to avoid getting hacked.

The severity of this vulnerability is emphasized through the fact that stored cross-site scripting is the most dangerous type of cross-site scripting. The exploit could be used to perform any action that has administrator privileges. This includes: managing content, adding users, uploading backdoors to the server and more. 

Once this vulnerability had been detected it was reported to the DNN Software Security Department who have fixed the problem and released a patch. Users should update to the latest version 9.4.0 of DNN to avoid any security holes within their systems and networks. 

That is it from us…for now! Make sure to spread the word on these .NET vulnerabilities in order to help protect your apps or the apps you develop. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!


Read up on more Node.Js Vulnerabilities!

It’s that time of the week again folks. Meterian has two new Node.Js vulnerabilities to inform you on. Both are ranked a severity score of 7.5 and therefore considered to be of urgent attention. The first vulnerability concerns the bson-objectid package and the second the csv-parse module. Act fast and don’t let these vulnerabilities sit within your software/networks, or you could be at serious risk of a cyber attack. 

  • CVE-2019-19729: There is an issue discovered in the bson-objectid package version 1.3.0 for Node.js. Hackers could generate a malformed objectid, resulting in objects in arbitrary forms to bypass formatting if they have a valid bsontype.
  • CVE-2019-17592: The csv-parse module before version 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. An attacker can cause a program to spend an unnecessary amount of time processing.

CVE-2019-19729

Vulnerability Score: 7.5 /HIGH

Platform: Node.js

Component: bson-objectid

Affected Versions: up to 1.3.0

Read up, Node.js users, you’ll want to know about this vulnerability! This was discovered on the 12th December 2019 by user Xiaofen9 on Github, who noticed that ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property into their user input.

What is bson-objectid? This component allows you to create and parse ObjectIDs without using bigger components, such as other fully-fledged bson libraries.

The problem is that in certain conditions the input object will not be checked and will be returned early. This means that objects in arbitrary (potentially malicious) forms can completely bypass formatting and validation.

https://github.com/williamkapke/bson-objectid/issues/30

So what can hackers do? The manipulation with an unknown input leads to a privilege escalation vulnerability and could lead to an impact on confidentiality, integrity, and availability.

But what does a privilege escalation vulnerability actually entail? It is when a malicious user gains access to the privileges of another user account in a target system. This allows hackers to use these privileges to steal confidential data, run administrative demands or deploy malware.

What can you do to fix this? Unfortunately, at this time of writing there is still no remedy to this vulnerability. However, we recommend that you cease using this component or switch to a full bson library like bson.
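
Until a fix exists, request data can be validated before it reaches any ObjectID constructor. The following is an added example and a simplified model of the early-return flaw described above, not bson-objectid's source; the function names and request bodies are constructed.

```javascript
// Added example: a simplified model of the flaw, not bson-objectid's source.
const HEX24 = /^[0-9a-f]{24}$/i;

function makeObjectId(hex) {
  return Object.freeze({ _bsontype: "ObjectID", id: hex.toLowerCase() });
}

// Flawed shape: any object that carries the expected type tag is trusted and
// returned before a format check runs, so its other fields are never looked at.
function toObjectIdUnchecked(input) {
  if (input && input._bsontype === "ObjectID") return input; // early return
  if (typeof input === "string" && HEX24.test(input)) return makeObjectId(input);
  throw new TypeError("invalid ObjectID");
}

// Hardened shape for data that comes from a request: only a 24-character hex
// string is accepted, and the ObjectID is always built locally.
function parseObjectIdFromRequest(input) {
  if (typeof input !== "string" || !HEX24.test(input)) {
    throw new TypeError("ObjectID must be a 24-character hex string");
  }
  return makeObjectId(input);
}

// Constructed request bodies: one with an extra property that imitates the
// type tag, one with an ordinary hex id.
const FORGED_BODY = JSON.parse('{"userId":{"_bsontype":"ObjectID","id":"not-a-valid-id"}}');
const VALID_BODY = JSON.parse('{"userId":"5E9F1B2C3D4A5B6C7D8E9F00"}');

// Run both parsers on the same body and report what each one let through.
function compareParsers(body) {
  const outcome = {};
  for (const [name, parse] of [["unchecked", toObjectIdUnchecked],
                               ["hardened", parseObjectIdFromRequest]]) {
    try {
      outcome[name] = parse(body.userId).id;
    } catch (err) {
      outcome[name] = "rejected";
    }
  }
  return outcome;
}

console.log(compareParsers(FORGED_BODY)); // the forged object passes only the unchecked parser
console.log(compareParsers(VALID_BODY));
```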

CVE-2019-17592

Vulnerability Score: 7.5/ HIGH

Platform: Node.js

Component: csv-parse module

Affected Versions: up to 4.4.5

Oh yes…we are not done yet. Here is another Node.js vulnerability for you all! This was discovered on the 14th of October and given a high score of 7.5 by NVD. The affected module is csv-parse which is a CSV module. This project is a parser which converts CSV text inputs into objects. It uses the Node.js stream.Transform API and provides a simple callback-based API. Released for the first time in 2010, it is very easy to use and helps the big community that uses it with large data sets. 

The problem is that the csv-parse module before version 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. A cast option is available in the module; it defines multiple functions to transform values based on their type. When this option is active and an integer cast is required, the corresponding __isInt() function uses a malformed regular expression that processes large inputs extremely slowly.

Why is Regular Expression Denial of Service a backdoor for hackers? The attacker will insert in the file a malicious string which they know would take a very long time to evaluate. This means the attacker can make the user spend an excessive amount of time processing, causing the user’s executed commands to slow down or become unresponsive. Thus, the availability of the system degrades. To make things worse, the exploit can be easily and remotely executed, which clearly shows why this vulnerability is classified as problematic.

An image of a coffee shop. A barista making coffee with a speech bubble saying '*making coffee slowly*' and a woman at the till looking impatient with a speech bubble saying "My coffee is taking forever".

The best thing to do to avoid getting caught out by such an exploit is to upgrade to version 4.4.6 or above. 
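
Why an integer check can become slow on large inputs, as an added example that is not csv-parse code: it counts the attempts a backtracking engine makes for an ambiguous pattern and for an unambiguous one, then shows a single-pass check with a length cap. The two patterns are assumptions chosen to illustrate the problem class and are not quoted from the module.

```javascript
// Added example (not csv-parse code): count the end-of-input attempts a
// backtracking regex engine makes before it reports "no match".
// Assumption: ^[1-9]+[0-9]*$ stands in for an ambiguous integer pattern and
// ^[1-9][0-9]*$ for an unambiguous one.

const isDigit = (c) => c >= "0" && c <= "9";
const isNonZeroDigit = (c) => c >= "1" && c <= "9";

// Model of ^[1-9]+[0-9]*$ : both quantifiers can consume the same digits, so
// every split of the digit run between them is tried before giving up.
function stepsAmbiguous(input) {
  let steps = 0;
  let maxFirst = 0;
  while (maxFirst < input.length && isNonZeroDigit(input[maxFirst])) maxFirst++;
  for (let first = maxFirst; first >= 1; first--) {   // backtrack [1-9]+
    let maxEnd = first;
    while (maxEnd < input.length && isDigit(input[maxEnd])) maxEnd++;
    for (let end = maxEnd; end >= first; end--) {     // backtrack [0-9]*
      steps++;
      if (end === input.length) return { matched: true, steps };
    }
  }
  return { matched: false, steps };
}

// Model of ^[1-9][0-9]*$ : the first digit is fixed, only one quantifier
// backtracks, so the work grows linearly with the input.
function stepsUnambiguous(input) {
  if (input.length === 0 || !isNonZeroDigit(input[0])) {
    return { matched: false, steps: 1 };
  }
  let steps = 0;
  let maxEnd = 1;
  while (maxEnd < input.length && isDigit(input[maxEnd])) maxEnd++;
  for (let end = maxEnd; end >= 1; end--) {
    steps++;
    if (end === input.length) return { matched: true, steps };
  }
  return { matched: false, steps };
}

// Single-pass integer check with a length cap: optional sign, a non-zero
// digit, then digits. No regex, so no backtracking at all.
function isIntLinear(value, maxLength = 32) {
  if (typeof value !== "string" || value.length === 0 || value.length > maxLength) {
    return false;
  }
  let i = value[0] === "-" || value[0] === "+" ? 1 : 0;
  if (i >= value.length || !isNonZeroDigit(value[i])) return false;
  for (i += 1; i < value.length; i++) {
    if (!isDigit(value[i])) return false;
  }
  return true;
}

// Constructed worst case: a run of digits followed by one non-digit.
function growthTable(sizes) {
  return sizes.map((n) => {
    const cell = "1".repeat(n) + "x";
    return {
      length: n,
      ambiguous: stepsAmbiguous(cell).steps,
      unambiguous: stepsUnambiguous(cell).steps,
    };
  });
}

console.table(growthTable([100, 1000, 10000]));
```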

That is it from us…for now! Make sure to spread the word on these critically-rated Node.js vulnerabilities in order to help protect your apps/the apps you develop. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!


New Python Vulnerabilities!

Image of thief climbing out of laptop shining flashlight on Python icon, titled Vulnerability Focus: Python.

In honour of Meterian introducing Python into their beta production, here are two Python vulnerabilities which you should look out for. We don’t like it when systems or computers behave in unexpected ways. It’s worse when such outcomes result in a cyber security incident. This month’s Python vulnerabilities can cause unexpected behaviours which hackers could exploit to compromise the integrity of your system in unpredictable ways. Don’t waste any time as you could be affected, so read on and learn how to avoid these risks.

  • CVE-2019-18874: through python-psutil versions 5.6.5 there are risks of double free consequences. Attackers could use this issue to cause psutil to crash, therefore a denial of service, and possibly execute arbitrary code.
  • CVE-2019-17626: ReportLab through 3.5.31 allows remote code execution because of toColor(eval(arg)) in colors.py. This vulnerability could affect confidentiality, integrity, and availability within your software/network.

CVE-2019-18874

Vulnerability Score: 7.5 / HIGH

Platform: Python

Component: python-psutil

Affected Versions: up to 5.6.5 inclusive

Indeed…Python has a vulnerability within the package python-psutil. This was discovered on the 11th November 2019 by Riccardo Schirone who noticed that the psutil incorrectly handled certain reference counting operations. 

Python-psutil, is a Python package which provides convenient functions for accessing system process data. It is a cross-platform library for retrieving information on running processes and system utilization in Python. It is mainly used for system monitoring, profiling and limiting process resources and management of running processes. Psutil supports a range of platforms: Linux, Windows, macOS, FreeBSD, OpenBSD, NetBSD, Sun Solaris and AIX.

How does this vulnerability happen? It was caused by incorrect reference counting handling within for/while loops that convert system data into said Python objects. If an error occurred, the reference counter would be dropped twice.   In this case, the computer system’s memory storage is mishandled. Essentially, a double free releases the same area of memory twice.  

How can hackers take advantage of the system? They could use this vulnerability to cause the psutil program to crash which could lead to a denial of service and potentially the execution of arbitrary code. This execution of arbitrary code will provide the attacker with the ability to execute any command of their choice in a target machine or process. Like landmines, this vulnerability is unpredictable and hard to spot. The idea is that the hacker is waiting for the system to trip up in order for the “landmine” (malicious code) to set off and infect the users’ system.

Image of an area with signs saying 'Danger!!!Mines!!!'
https://flickr.com/photos/anzclusters/3404799066/

To remedy this vulnerability, please upgrade to version 5.6.6 or higher of python-psutil. Upgrade fast Python users, you don’t want to be at risk of a cyber attack.

CVE-2019-17626

Vulnerability Score: 9.8 / CRITICAL

Platform: Python

Component: reportlab 

Affected Versions: up to 3.5.31 inclusive

Yes that’s right! We have one more Python vulnerability to inform you on. This one is found within ReportLab up to 3.5.31 and it has allowed remote code execution because of toColor(eval(arg)) in colors.py. This vulnerability was found on the 10th October 2019 and has been classified as critical. The issue is affecting the function toColor of the file colors.py. 

An image displaying the lines of code which show where the vulnerability was found.
https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code

ReportLab is an open source engine for creating data-driven PDF documents and custom vector graphics. So it is free, hence open-source and widely used to generate reports in Python. The package sees more than 50,000 downloads per month, it is embedded in many products and was even selected to power the print/export feature for Wikipedia. So you can understand now why this vulnerability is critical and urgently needed to be fixed by users.

The issue with this vulnerability is that the manipulation of the input value to <span color=" can lead to a privilege escalation vulnerability. Not only can this attack be initiated remotely but it will impact a user’s confidentiality, integrity and availability. To make matters worse, it has been said that the price of this exploit is around USD $0-$5k, as last stated on 16/10/19.

An image of 3 eggs, 2 white one brown. The first egg has a bubble which says in remarks to the brown egg 'Hey how'd you get in here?' and the brown egg has another bubble which says "Oh no they found me". This image represents the vulnerability discussed.
https://www.pexels.com/photo/eggs-in-tray-on-white-surface-1556707/

To remedy this vulnerability, please upgrade to version 3.5.32 or higher.  This is different from the recommendation of NVD which suggests to upgrade to version 3.5.26 or higher.  NVD also references the incorrect CWE, which should be corrected to CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’).  Based on Meterian’s analysis, we only see the remediation implemented in versions 3.5.32 or later.  You can verify the code here

Spread the word on these critically-rated, easy-to-exploit Python vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!


New Java Vulnerabilities!


Attention to all Java users! Yes, we are back with a brand new set of Java vulnerabilities that I know you would like to get some juicy info on. During September 2019, two Java vulnerabilities were discovered within the Apereo CAS versions before 6.1.0-RC5 and the Apache Tapestry versions from 5.4.0 to 5.4.3. The former open source vulnerability has been given a score of 8.1 whilst the latter has a higher score of 9.8 in regards to severity. So hurry, read up and don’t waste any time. You could be affected!

  • CVE-2019-10754 Apereo CAS (org.apereo.cas:*) components could allow a remote authenticated malicious user to obtain sensitive information, caused by the use of weak RandomStringUtils PRNG algorithm. 
  • CVE-2019-0195 Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded.

CVE-2019-10754 

Vulnerability Score: 8.1 / HIGH

Platform: Java

Component: org.apereo.cas (Apereo CAS) 

Affected Versions: versions before 6.1.0-RC5

That’s right folks! Java has another vulnerability. Multiple classes used within Apereo CAS (before the release of 6.1.0-RC5) make use of apache commons-lang3 RandomStringUtils for token and ID generation, which has made them predictable and resulted in a cryptography weakness.

Apereo CAS is an open well-documented protocol, as well as an open-source Java server component. It provides support for multiple protocols (CAS, SAML, OAuth, OpenID) and is a library for clients such as Java, .NET, PHP, Perl, Apache, uPortal and more! Apereo’s mission is to help educational organizations ‘collaborate to foster, develop, and sustain open technologies and innovation to support learning, teaching and research’.

For example, org.apereo.cas:cas-server-support-simple-mfa is a package that allows Apereo CAS to act as a multifactor authentication provider by itself. This generates tokens and allows them to be sent to end-users via pre-defined communication channels such as email or text message. Please also note that this vulnerability affects multiple components of the Apereo CAS framework. 

So what is the threat? Well, the affected versions of this package are vulnerable to Insecure Randomness, as they rely on apache commons-lang3 RandomStringUtils, which can produce predictable results. So, this could allow an attacker to generate their own unique Ticket ID due to insufficient randomness. In other words, the attacker could guess the encryptionSecret used within GenerateJwtCommand, allowing them to impersonate a user. This also means the attacker will have access to sensitive information because of the use of the weak RandomStringUtils PRNG algorithm. 

Image showing user communicating with the server, and the hacker impersonating the user.

But don’t fret. There is a solution. It has been recommended to upgrade org.apereo.cas to version 6.1.0-RC5 or higher.

Java users, don’t give cyber criminals the chance to access your data. Act fast and upgrade org.apereo.cas! 

CVE-2019-0195

Vulnerability Score: 9.8 / CRITICAL

Platform: Java

Component: org.apache.tapestry (Apache Tapestry)

Affected Versions: versions 5.4.0 to 5.4.3.

We are not done yet folks! We have one more Java vulnerability to inform you guys on. Within the Apache Tapestry versions 5.4.0 to 5.4.3, manipulating classpath asset file URLs allows an attacker to guess the path of a known file in the classpath and, as a result, download it. This was discovered on the 16/09/19 by Thiago H. de Paula Figueiredo.

The Apache Tapestry is an open-source framework for creating web applications in Java or other JVM languages. It also complements and builds upon standard Java Servlet API and works in any application server. Apache Tapestry has a long history. It has the oldest code, dating all the way back to 2000. This has resulted in many releases; developers now concentrate on Tapestry 5 as opposed to 3 and 4. 

What is tapestry.hmac-passphrase you say? This symbol is used to configure hash-based message authentication of Tapestry data stored in forms, or in the URL. When this symbol is not configured, your application is less secure and therefore more vulnerable to denial-of-service attacks.

With various techniques, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, then they could use it to craft a Java deserialization attack, thus running malicious injected Java code. 

Image showing a hacker guessing a file location, downloading the pass phrase and a computer showing it is has been hacked.

The recommended mitigation for this vulnerability is to upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x version. 

That is it from us…for now! Make sure to spread the word on these critically-rated Java vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so we recommend you regularly scan your code repositories for new known vulnerabilities. Don’t get caught off guard!


Treasure your Ruby apps? Protect from unauthorised access immediately


Image of thief climbing out of laptop shining flashlight on Ruby icon, titled Vulnerability Focus: Ruby.

It’s that time of the week people. Meterian is back with information on a brand new set of vulnerabilities! We once again turn our heads to focus on two Ruby vulnerabilities. The first being found within the Ruby makandra consul gem, and the second being located within the Airbrake Ruby notifier 4.2.3. Both these open-source vulnerabilities are given a 9.8 severity score on NVD, so don’t waste any time –  read up, you could be affected!

  • CVE-2019-16377 The Ruby makandra consul gem for all versions prior to and including 1.0.2 has an Incorrect Access Control vulnerability. This can lead to unauthenticated access to certain controller actions.
  • CVE-2019-16060 The Airbrake Ruby notifier version 4.2.3 mishandles the blacklist_keys configuration option and may therefore disclose passwords to unauthorized actors.

CVE-2019-16377

Vulnerability Score: 9.8

Platform: Ruby

Component: consul gem

Affected Versions: <= 1.0.2

Yes, you heard right. A vulnerability has indeed been detected within the Ruby makandra consul gem for all versions prior to and including 1.0.2. It was discovered by Toby Craze (github id:kratob) on 23/09/19. We are afraid to be the bearer of bad news, but this serious security flaw will affect an unknown function of the component Access Control.

A little context: makandra has been working exclusively with Ruby on Rails since 2007. They are a team of Ruby developers and Linux system engineers based in Germany. Makandra are constantly using open-source software and security patches are applied to the systems they use on a weekly basis. During this time, it has successfully delivered more than 100 Rails projects on more than 90 servers, indicating the amount of users that are at risk of this security flaw. This security issue is located within the consul. For those who don’t know, the consul gem is an authorisation solution for Ruby on Rails and it uses scopes to control what a user can see or edit.

So what is the problem? When a controller has multiple power directives, the ‘:only’ and ‘:except’ of the last directive is applied to all directives. By sending a specially-crafted request, this can lead to an attacker gaining unauthorized access to certain controller actions. With the manipulation of an unknown input, comes a privilege escalation vulnerability. Unfortunately, the impact is negative on confidentiality, integrity and availability. Below is what the affected code would look like.

https://github.com/makandra/consul/issues/49

In this example of code, the powers ‘:foo’ and ‘:bar’ are only checked for the #index action. The other actions were left unprotected by powers checks.

The solution is simple. Upgrade to the latest version of the makandra consul gem (1.0.3 or later), which is available from the consul Git repository or via rubygems. Act fast to get rid of this security bug from your codebases and apps! You could be affected!

CVE-2019-16060

Vulnerability Score: 9.8

Platform: Ruby

Component: airbrake-ruby gem

Affected Versions: 4.2.3

Attention Ruby users! The Airbrake Ruby notifier 4.2.3 has mishandled the blacklist_keys configuration option, which could result in a very real threat of sensitive data being disclosed to unauthorized actors (e.g. password or credential dumping). What are blacklist_keys? This option specifies which keys in the payload should be filtered. Before sending an error, filtered keys will be substituted with the [Filtered] label.

Image of a computer displaying undisclosed User Name and Password credentials that are being fished out by a hook, symbolising access to sensitive data.
Image from https://www.howtogeek.com/343947/how-to-check-if-your-password-has-been-stolen/

Airbrake Ruby is a plain Ruby notifier gem that is used for integrating apps with Airbrake, the leading exception reporting service. It provides a minimalist API, enabling the notifier to send any Ruby exception to the Airbrake dashboard. An exception is an event occurring during the execution of a program that disrupts the normal flow of the program’s instructions. When an uncaught exception occurs, Airbrake could potentially release data to the Airbrake server.

The Airbrake dashboard provides easy categorization, searching, and prioritization of exceptions so that when errors occur, your team can quickly determine the root cause – this allows users to easily review errors, tie an error to an individual piece of code, and trace the cause back to recent changes.

So, what is the problem you say? A data-breach vulnerability within Airbrake Ruby 4.2.3, caused by the mishandling of the blacklist_keys configuration option, prevents user data from being filtered prior to sending to Airbrake. In other words, the vulnerability allows a remote attacker to access sensitive information on a targeted system. This compromised data could be user passwords or card payment details, which means an app could leak them unknowingly; if left untreated, this could very well be the fatal zero-day vulnerability for a business or organization.

To fix this vulnerability, users must upgrade to 4.2.4 or later. But hurry, as you might be at risk of attackers leaking important confidential data!

That is it for this round folks! Make sure to spread the word on these critically-rated Ruby vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously. Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Treasure your Ruby apps? Protect from unauthorised access immediately

Vulnerability Focus: PHP

Image of thief climbing out of laptop shining flashlight on PHP icon, titled Vulnerability Focus: PHP.

Listen up, app sec community – Meterian has an exciting update! We have a new addition to the family of languages on which our vulnerability scanning solution operates. Drumroll please… it’s PHP. This means another layer of defense for your apps’ open-source dependencies to shield them against malicious exploits. To commemorate this special day, we have written on 2 high-priority PHP vulnerabilities which will undoubtedly make an interesting read!

  • CVE-2019-9081 A vulnerability in the Illuminate component of Laravel Framework 5.7.x. could result in a remote cyber attack impacting confidentiality, integrity and availability in the process of web development.
  • CVE-2019-14933 A CSRF vulnerability in the Bagisto framework v0.1.5 could lead to attackers removing or manipulating important functionalities which will cause mass denial of services within an application.

CVE-2019-9081 

Vulnerability Score: Critical––9.8 (CVSS v3.0)

Platform: PHP

Component: laravel/laravel

Affected versions: 5.7.0 – 5.7.27

Attention to all PHP programmers! Read up, this is important stuff. On 24/02/19, a vulnerability was found in the Illuminate component of Laravel Framework 5.7.x., a PHP development framework based on PHP 7.1.3. The severity of the threat is understood when seeing that 107,933 live websites use Laravel. It is also said to be the most popular web app category in the United Kingdom. This demonstrates the scale of potentially affected users, and why action needs to be taken quickly to avoid security flaws.

A graph depicting the rise in Laravel Usage Statistics. The statistics range from the years 2013-2019.
Laravel Usage Statistics: https://trends.builtwith.com/framework/Laravel

The vulnerability is related to the __destruct method of the PendingCommand class in PendingCommand.php. It is a deserialization RCE (Remote Code Execution) vulnerability originating from a Laravel core package and has been shown to be triggered as long as the deserialized content is controllable. The access vector is the network.

So what is the threat? In regards to CWE-502, when developers place restrictions on ‘gadget chains’ and method invocations that can self-execute during the deserialization process, this can allow attackers to leverage them to perform unauthorized actions, for example generating a shell. Manipulation with an unknown input leads to a privilege escalation vulnerability (code execution). Therefore, this vulnerability could have a negative impact on confidentiality, integrity and availability. Even worse, an attack can be initiated remotely with no form of authentication needed for exploitation.

It is suggested to upgrade the Laravel framework to version 5.7.27 or higher as soon as possible. So don’t waste any time, or you risk being vulnerable to potential cyber attacks!

CVE-2019-14933

Vulnerability Score: High — 8.8 (CVSS v3.0)

Platform: PHP

Component: bagisto

Affected versions: 0.1.5

Bagisto is a tailored e-commerce framework designed on some of the hottest open-source technologies such as Laravel, a PHP framework.  It cuts down on the resources needed to deploy an e-commerce platform (i.e. building online stores or migrating from physical stores). 

Alas, we regret to be the bearer of bad news. Version 0.1.5 of Bagisto has been found to contain a cross-site request forgery (CSRF) vulnerability which could result in client side manipulation that forces end users to execute unwarranted commands on a web application for which they are currently authenticated.  It should be noted that this compromised version allows for CSRF attacks under certain conditions, such as admin Uniform Resource Identifiers (URIs).  This CSRF vulnerability manipulates authenticated users’ browsers to send forged HTTP requests, including cookie sessions to exposed web applications. 

Here is some background information on the nature of CSRF attacks. Unlike remote code execution or command injection attacks, CSRF attacks specifically target state-changing requests as opposed to misappropriation of restricted data. Nonetheless, unauthorised state-changing requests can be equally bad; with the help of social engineering tactics (i.e. sending unwarranted links via email or chat support), attackers may trick end users into executing unsanctioned commands of the attackers’ choice. A successful CSRF attack could lead to vexing situations whereby attackers coerce end users into performing fund transfers, email address changes, and so forth. Furthermore, CSRF attacks can go as far as compromising entire web application systems upon gaining access to an administrator account.

In this context, hackers can trick end users by sending requests (e.g. phishing emails) to lure them into opening some apparently innocuous content in a new browser tab, which in turn prompts the browser to execute the hidden malicious script, which can then operate on behalf of the user.

How attackers can exploit Bagisto open-source vulnerability

The graphic above illustrates the play-by-play on how attackers can exploit this vulnerability to perform CSRF and remove important functionalities, which could lead to denial of services and loss of data on an e-commerce platform.

In Step 1, the user first logs into the Bagisto admin page panel and subsequently  accesses a seemingly innocuous website on another tab in the user’s browser. This website contains a malignant script (placed by the hacker), and the action of accessing this tab will lead to Step 3 where the script will be executed; the browser is instructed by said script to perform any possible harmful action on behalf of the user in Step 3. This course of user action culminates in Step 4 with the server executing the requested malicious actions, such as deleting data on the admin panel.

Nonetheless, affected users will be glad to know that all versions of Bagisto following v0.1.5 are untouched by this CSRF vulnerability. So, there you have it – update your application to the latest version of the Bagisto framework at the soonest to avoid further exposure!

Spread the word on these vulnerabilities and their fixes to help us improve application security all-around. In any case, you can certainly expect more engaging reads on PHP in the near future. Until then!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: Command Injection

Image of thief climbing out of laptop shining flashlight on ruby, java icons with a syringe, titled Vulnerability Focus: Command Injection

At attention, app sec community! It has been an exciting past couple of weeks, and we have got some juicy vulnerabilities to dish on. From Apache commons to the extensively-used Nokogiri library,  we will shed light on two compelling command injection vulnerabilities that rank highly on the common vulnerability scoring system (CVSS). Read along and spread the word to help combat against open source vulnerabilities.

  • CVE-2019-10086 The SuppressPropertiesBeanIntrospector class in versions before 1.9.4 of BeanUtils in Apache commons was not enabled by default

  • CVE-2019-5477 An inherent flaw in the Ruby Rexical gem v.1.0.6 or earlier, due to improper neutralization of special elements, resulted in a command injection vulnerability in the Nokogiri gem

CVE-2019-10086

Vulnerability Score: High — 7.3 (CVSS v3.0)

Platform: Java

Component: commons-beanutils

Affected versions: 1.9.3 and earlier

Take heed, all you Java programmers: a vulnerability has been located within Apache commons, a provider of reusable open source Java components. There lies an arbitrary code vulnerability in the BeanUtils component, a set of utilities used for manipulation of JavaBeans code.

Within the BeanUtils component, there are several class types, or PropertyUtils beans, that  support mechanisms for dynamically defining and accessing bean properties (i.e. Bean Introspection) – these sets of utilities that assist in getting and setting property values on Java classes utilise the BeanIntrospector interface for components that can perform introspection on bean classes. 

Class Type | Description
DefaultBeanIntrospector | The default BeanIntrospector implementation
FluentPropertyBeanIntrospector | An implementation which detects write methods for properties used in fluent API scenario
SuppressPropertiesBeanIntrospector** | A specialized BeanIntrospector implementation which suppresses some properties.

Example of class types and their functions
** highlights affected component in this CVE incident

In the context of this security flaw, the vulnerability originates from the SuppressPropertiesBeanIntrospector class type. This BeanIntrospector class type is a standard implementation within a BeanUtils component which suppresses the ability for malicious attackers to circumvent class properties of Java objects to gain access to the classloader. However, this safeguard mechanism against third-party exploitations of Java objects was not enabled by default for version 1.9.2 – 1.9.3 of BeanUtils.

This thereby allows attackers to manipulate classloaders and remotely execute arbitrary commands via class parameter, which would be detrimental to application security. Cyber attackers could potentially take advantage of this command injection loophole to inject malignant code into an application system through cross-site scripting (XSS), cross-site request forgery (XSRF), or drive-by attacks – this would then result in security breaches and a whole slew of inconvenience for organizations using  compromised versions of this BeanUtils component.

Affected users would be relieved to know that the fix for this vulnerability, version 1.9.4 of BeanUtils, has since been published. The security patch for apache-commons-beanutils has fixed the security flaw by adding a special BeanIntrospector class; this class type comprehensively suppresses the ability for any third party to access the classloader through the outmanoeuvring of class properties available on all Java objects – we can declare with utmost confidence that the updated BeanUtils bean prohibits all class level property access by default.

At the risk of sounding like a broken record, application systems that are using versions before 1.9.4 of the BeanUtils component ought to migrate to the latest version at the soonest. Don’t say you haven’t been warned!

CVE-2019-5477

Vulnerability Score: Critical — 9.8 (CVSS v3.0)

Platform: Ruby

Components: Rexical, Nokogiri

Affected versions: Rexical: 1.0.6 and earlier, Nokogiri: 1.10.3 and earlier

Mayday. I repeat, Mayday. Ruby users – watch out! A critical open-source security flaw has been located in Nokogiri, an open-source software library used to parse HTML and XML in Ruby. To provide some contextual information about its popularity, Nokogiri is indisputably one of the most downloaded Ruby gems – it has been downloaded over 240 million times from rubygems.org. This translates into a potentially vast network of compromised users – it would be prudent for affected parties to understand the type of security flaw they are dealing with.

In Nokogiri versions 1.10.3 or earlier, a command injection vulnerability allows attackers to alter dynamically generated content on a web page by inserting HTML code into input mechanisms that lack effective validation constraints. These commands are then executed in a subprocess via the Kernel#open method, which renders an application vulnerable to remote code execution due to improper neutralization of special elements used in a command injection.

This is due to the core functionality of the Kernel#open method. When given a file path (with the mode defaulting to ‘r’), it treats the path as the name of a file to open using the specified mode; but when the file path starts with a pipe character ‘|’, it interprets the rest as a shell command and returns an IO object linked to the subprocess. In the context of this Nokogiri security flaw, these subprocesses are only exposed if the (undocumented) method “Nokogiri::CSS::Tokenizer#load_file”, which calls Kernel#open, is executed with unvalidated user input in its filename.

This particular vulnerability exposure appears in the code generated by Rexical gem versions 1.0.6 or earlier. The Rexical gem is used by the Nokogiri library to generate the lexical scanner code that parses CSS queries. In any case, the app sec community would be reassured to know that a patch which addresses this key vulnerability has been released as Rexical v1.0.7. And on an equally heartening note, Nokogiri has also performed an upgrade (i.e. Nokogiri v.1.10.4) to implement the latest patch for the Rexical gem in their library.
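The difference between Kernel#open and File.open described above, shown as an added example (not code from Nokogiri or Rexical). The helper names, the sample source and the pipe-prefixed file name are constructed for illustration; the scanner is a line-based heuristic, not a Ruby parser.

```ruby
require "tmpdir"

# Reads a file by name. File.open never interprets its argument as a command:
# a leading "|" is just an unusual character in a file name.
def read_by_name(filename)
  File.open(filename, "r") { |f| f.read }
end

# Matches bare open( and Kernel.open(, but not File.open(, IO.open(, reopen(.
BARE_OPEN = /(?:\bKernel\.|(?<![\w.:]))open\s*\(\s*([^,)]+)/
# A quoted string with no interpolation and therefore no caller-supplied part.
PLAIN_LITERAL = /\A'[^']*'\z|\A"(?:[^"#]|#(?!\{))*"\z/

# Returns the line numbers of open() calls whose first argument is not a
# plain string literal, i.e. calls that deserve a manual review.
def risky_open_calls(source)
  findings = []
  source.each_line.with_index(1) do |line, number|
    match = line.match(BARE_OPEN)
    next unless match
    findings << number unless match[1].strip.match?(PLAIN_LITERAL)
  end
  findings
end

# Constructed sample source, not taken from any real project.
SAMPLE_SOURCE = <<~'RUBY'
  data = open(params[:file]).read
  File.open(path) { |f| f.read }
  cfg = open("config/app.yml").read
  css = Kernel.open(filename, "r") { |f| f.read }
  log.reopen(target)
RUBY

# Passes a constructed pipe-prefixed name to the File.open based reader.
# Returns [outcome, marker_created]: the name is looked up as a file, so the
# read fails and the marker file is never created.
def pipe_name_with_file_open
  Dir.mktmpdir do |dir|
    marker = File.join(dir, "marker")
    name = "| touch #{marker}" # constructed input
    outcome = begin
      read_by_name(name)
      "read"
    rescue SystemCallError => e
      e.class.name
    end
    [outcome, File.exist?(marker)]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "open() calls to review on lines: #{risky_open_calls(SAMPLE_SOURCE).inspect}"
  puts "File.open with a pipe-prefixed name: #{pipe_name_with_file_open.inspect}"
end
```

Replacing a bare open with File.open is a defence in depth for your own code; the fix for the CVE itself remains the upgrade to Rexical 1.0.7 and Nokogiri 1.10.4.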

Now that you are all caught up on these CVEs, we hope this little piece of enlightenment would have made you more aware of the rampantness of open source vulnerabilities!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: Remote Code Execution (RCE) Attacks

This week’s edition is all about remote code execution attacks. We have a cross-site scripting (XSS) vulnerability in the ever popular http-file-server which could lead to the execution of arbitrary JavaScript code in an unsuspecting victim’s browser.  On the other hand, we have a RubyGem exposure whose sheer magnitude led to the discovery of a potential cryptocurrency mining scheme. 

  • CVE-2019-15224 A code-execution backdoor in rest-client version 1.6.13 could lead to privilege escalation attacks
  • CVE-2019-5458 A cross-site scripting (XSS) vulnerability in all versions of http-file-server, a third-party Node.JS module

CVE-2019-15224

Vulnerability Score: TBD  (CVSS v3.0)

Platform: Ruby

Component: rest-client

Affected versions: v1.6.10 through v1.6.13

A malicious code-execution backdoor has just been located in version 1.6.13 of rest-client – a popular HTTP and REST (REpresentational State Transfer) client software package for Ruby. In essence, REST is an architectural style that standardizes modes of communication among different computer systems on the web. To delve a bit deeper, RESTful systems are stateless, and they separate concerns from client-side and server-side – the Ruby rest-client oversees requests sent to the server in order to retrieve or modify data stored on the server. 

In this compromised  version, the injected code within the gem would fetch malicious code from pastebin.com and send it to the attacker’s server to retrieve sensitive information from the client’s host machine. Kudos to Jussi Kuljonen for catching this vulnerability and promptly notifying the GitHub community on 19 August 2019.  Aside from that, he also pointed out that rest-client version 1.6.10 leading up to version 1.6.13, which have since been yanked, were also compromised. 

This is an image of how a hacker exploits the Ruby gem rest-client library with remote code execution, in a web application.
Remote Code Execution Exploit of Ruby Gem rest-client library

This is dangerous territory for users of said gem, as third-party attackers could exploit this vulnerability to perform remote code execution for personal gains. This could be in the form of privilege escalation attacks, whereby attackers could execute malicious code on the host’s server to access credentials of services used by a hosting site (i.e. database, payment service provider).

It should be noted this 1.6.13  version is considerably dated, as the latest rest-client version is 2.1.0.rc1. This raised suspicions among the DevOps community that this incident might have been a targeted attack.

This discovery then prompted a wider investigation which revealed that the same code was found in almost a dozen other gems: bitcoin_vanity, blockchain_wallet, omniauth_amazon, cron_parser, coin_base, lita_coin, awesome-bot, doge-coin, and capistrano-colors. It has been established that the attacker(s) wanted to exploit the infected hosts to covertly mine cryptocurrency.

In terms of scope of impact, the rest-client  version 1.6.13, which sparked the uncovering of this malicious plot, has had 1061 downloads. On the other hand, the total download count for all the compromised gems is a little over 3500. Regardless, the chaos ceases here as all affected gems have been removed by the RubyGems team – the compromised accounts of developers have also been locked for good measure.

As for the availability of a fix, version 1.6.14 (identical to the unaffected v1.6.9) has been released to replace all compromised versions in the legacy 1.6.x series. When checking your apps’ dependencies, versions <= 1.6.9 or >= 1.6.14 are unaffected. If your version of the rest-client gem falls in between, you are advised to download the patch immediately. Don’t say you haven’t been warned!
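One way to run the dependency check suggested above against a Gemfile.lock, covering rest-client together with the consul, airbrake-ruby, Rexical and Nokogiri ranges quoted earlier on this page. This is an added example, not Meterian's or RubyGems' own tooling; the constant and method names are hypothetical and the lockfile is a constructed sample.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Affected ranges exactly as stated in the advisories on this page.
ADVISORIES = {
  "consul"        => ["CVE-2019-16377", Gem::Requirement.new("<= 1.0.2")],
  "airbrake-ruby" => ["CVE-2019-16060", Gem::Requirement.new("= 4.2.3")],
  "rexical"       => ["CVE-2019-5477",  Gem::Requirement.new("<= 1.0.6")],
  "nokogiri"      => ["CVE-2019-5477",  Gem::Requirement.new("<= 1.10.3")],
  "rest-client"   => ["CVE-2019-15224", Gem::Requirement.new(">= 1.6.10", "<= 1.6.13")]
}.freeze

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      airbrake-ruby (4.2.4)
      consul (1.0.2)
        activerecord (>= 3.2)
      nokogiri (1.10.4)
        mini_portile2 (~> 2.4.0)
      rest-client (1.6.13)
        mime-types (>= 1.16)
      rexical (1.0.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    consul
    rest-client (= 1.6.13)
LOCK

# Returns {gem name => Gem::Version} for every resolved gem. Resolved gems sit
# at four spaces of indentation under "specs:"; their own dependencies sit at
# six spaces and are skipped.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/ # a new top-level section ends the specs list
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      # Drop a platform suffix such as "-x86_64-linux" before parsing.
      versions[m[1]] = Gem::Version.new(m[2][/\A[0-9A-Za-z.]+/])
    end
  end
  versions
end

# True when the given gem version falls inside a range listed above.
def affected?(name, version)
  _cve, range = ADVISORIES[name]
  !range.nil? && range.satisfied_by?(Gem::Version.new(version.to_s))
end

# Returns [[gem, version, CVE], ...] for every locked gem in an affected range.
def affected_gems(lockfile_text)
  locked_versions(lockfile_text)
    .select { |name, version| affected?(name, version) }
    .map { |name, version| [name, version.to_s, ADVISORIES[name].first] }
end

if __FILE__ == $PROGRAM_NAME
  affected_gems(SAMPLE_LOCKFILE).each do |name, version, cve|
    puts "#{name} #{version} is affected by #{cve}"
  end
end
```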

CVE-2019-5457, CVE-2019-5458

Vulnerability Score: Medium — 5.4  (CVSS v3.0)

Platform: Node.JS 

Components: http-file-server, min-http-server

Affected versions: All versions

Look alive, all you http-file-server and min-http-server users! A cross-site scripting (XSS) vulnerability has been found in these third-party Node.JS modules. The HTTP File Server (HFS) is a web server used for the publishing and sharing of files. 

By definition, XSS is a type of cybersecurity vulnerability that enables attackers to inject client-side scripts into web pages viewed by unsuspecting users. Implications of XSS vary in range (i.e. petty nuisance to  critical security risk), depending on the nature of the data stored on the vulnerable site’s server and the strength of the security mitigation measures adopted by the site’s network.

In this instance, this cross-site scripting (XSS) vulnerability is the attack vector – it enables hackers with access to the server-file system to inject malicious Javascript-based scripts in the file name, so that these scripts will be automatically executed on the victim’s browser when files are listed. In technical jargon, this is known as improper neutralization of input during web page generation. The occurrence of this XSS vulnerability is due to the unsanitized  and invalid HTML input in the module filenames – it allows any injected and stored scripts within the server to be executed in the client’s browser.

The http-file-server has unfortunately been declared dead, and no known fixes have been made available to HFS users. The good news is that the project has been yanked to prevent further exploits such as hijacking of user sessions or phishing to steal user credentials. Credits to An Nguyen for disclosing these easily exploitable vulnerabilities to the DevSecOps community!

To end things, we will leave you with some helpful tips on cross-site scripting prevention methods. One should check that user input has been sanitized and that potentially executable characters have been properly encoded to avoid having them interpreted as executable code. It is also worth validating input as it stops users from adding special characters into webpage data entry fields by refusing the request – this mitigates the impact should an attacker discover such an XSS vulnerability.  We suggest you bookmark this useful resource: Cross Site Scripting Prevention Cheat Sheet, too!  

Found this useful? Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.
