Colin Mc Hugo

Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.
Critical Bug Reported in NPM Package With Millions of Downloads Weekly

September 13, 2021

A widely used NPM package called ‘Pac-Resolver’ for the JavaScript programming language has been remediated with a fix for a high-severity remote code execution vulnerability that could be abused to run malicious code inside Node.js applications whenever HTTP requests are sent.

The flaw, tracked as CVE-2021-23406, has a severity rating of 8.1 on the CVSS vulnerability scoring system and affects Pac-Resolver versions before 5.0.0.

A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines whether web browser requests should be routed directly to the destination or forwarded to a web proxy server for a given hostname. PAC files are how proxy rules are distributed in enterprise environments.

“This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which then used all over the place as the standard go-to package for HTTP proxy auto-detection and configuration in Node.js,” Tim Perry said in a write-up published late last month. “It's very popular: Proxy-Agent is used everywhere from AWS’s CDK toolkit to the Mailgun SDK to the Firebase CLI.”

CVE-2021-23406 has to do with how Pac-Proxy-Agent doesn't sandbox PAC files correctly, resulting in a scenario where an untrusted PAC file can be abused to break out of the sandbox entirely and run arbitrary code on the underlying operating system. This, however, requires that the attacker either resides on the local network, has the capability to tamper with the contents of the PAC file, or chains it with a second vulnerability to alter the proxy configuration.

“This is a well-known attack against the VM module, and it works because Node doesn't isolate the context of the ‘sandbox’ fully, because it's not really trying to provide serious isolation,” Perry said. “The fix is simple: use a real sandbox instead of the VM built-in module.”

Red Hat, in an independent advisory, said the vulnerable package is shipped with its Advanced Cluster Management for Kubernetes product, but noted it's “currently not aware of the vector to trigger the vulnerability in the affected component, furthermore the affected component is protected by user authentication lowering the potential impact of this vulnerability.”
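
Because Pac-Resolver usually arrives transitively (through Pac-Proxy-Agent and Proxy-Agent), one way to check a project is to scan its npm lockfile for any copy before 5.0.0. The following is an added example, not code from the article or from the package authors; the function names and the sample lockfile (including the versions listed in it) are constructed for illustration.

```javascript
// Added example: flag pac-resolver versions before 5.0.0 (CVE-2021-23406) in an npm lockfile.
const FIXED_MAJOR = 5;

// True when a version string is before 5.0.0 (prereleases of 5.0.0 count as before).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(version || "");
  if (!m) return true; // unparseable: report it for manual review
  if (Number(m[1]) < FIXED_MAJOR) return true;
  return m[1] === "5" && m[2] === "0" && m[3] === "0" && Boolean(m[4]);
}

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path.split("node_modules/").pop() === "pac-resolver" && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
}

// Lockfile v1: nested "dependencies" tree; the trail records which package pulled it in.
function scanDependencies(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...trail, name].join(" > ");
    if (name === "pac-resolver" && isAffected(meta.version)) hits.push({ path, version: meta.version });
    scanDependencies(meta.dependencies, [...trail, name], hits);
  }
}

function findAffectedPacResolver(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfile (v2 layout), not taken from a real project.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/proxy-agent": { version: "4.0.1" },
    "node_modules/pac-proxy-agent": { version: "4.1.0" },
    "node_modules/pac-resolver": { version: "4.2.0" },
    "node_modules/other/node_modules/pac-resolver": { version: "5.0.0" },
  },
};

console.log(findAffectedPacResolver(sampleLock));
```

To use it on a real project, pass the parsed contents of `package-lock.json` to `findAffectedPacResolver` in place of the sample object.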
