Security Vulnerabilities | Security Digest



In this week's digest, we'll talk about:

  • missing proper state, nonce, and PKCE checks for OAuth authentication in next-auth;
  • Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting;
  • ShadowsocksX-NG signing with the com.apple.security.get-task-allow entitlement due to CODE_SIGNING_INJECT_BASE_ENTITLEMENTS; and
  • an access control issue in runc that allows an attacker to escalate privileges from inside a container.
CVE-2023-27490: Missing proper state, nonce, and PKCE checks for OAuth authentication

Background

OAuth (Open Authorization) is an open standard protocol that allows third-party applications to access resources on behalf of a user without having to know the user's credentials, such as a username and password. OAuth works by having the user (the resource owner) authenticate with an authorization server (e.g. a social media platform) and consent to the access the application is requesting; the authorization server then issues an access token to the application, which presents that token to the resource server to access the user's resources. Because the application holds a token rather than a password, the user's login credentials never have to be shared with the third party.

Vulnerability

CVE-2023-27490 exists in the next-auth package and affects its OAuth authentication flow. It can be exploited during an OAuth session when the authorization URL is intercepted and manipulated by an attacker, allowing the attacker to log in as the victim and bypass the CSRF protection that is normally in place. In the OAuth flow, the authorization URL initiates the authentication process and requests access to the user's resources. It carries several security parameters: state binds the callback to the browser session that started the flow (CSRF protection), the PKCE code_verifier/code_challenge pair binds the authorization code to the client that requested it, and nonce binds the returned ID token to this login (replay protection). If the callback is accepted without these values being checked against what the client stored when it started the flow, those protections can be bypassed, which is the vulnerability in next-auth.

The root cause of the vulnerability is a partial failure that occurs during a compromised OAuth session: a session is erroneously created even though the callback was not properly validated, which allows the attacker to bypass the CSRF protection and log in as the victim.

Mitigation

  • The vulnerability has been addressed in next-auth v4.20.1; upgrading to the latest version is the recommended way to fix this issue.
  • As a workaround, using Advanced Initialization, developers can manually check the callback request for state, pkce, and nonce against the provider configuration, and abort the sign-in process if there is a mismatch.
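The following is an added example, not next-auth code: a minimal OAuth 2.0 / OpenID Connect client that stores state, a PKCE verifier and a nonce when it builds the authorization URL, and refuses the callback unless every one of them matches what it stored, which is the check the workaround above describes. The provider is simulated in-process (FakeAuthorizationServer) so the script runs offline; the endpoint URLs, client id and helper names are assumptions for the example, not next-auth APIs.

```python
"""Added example (not next-auth code): an OAuth 2.0 / OIDC client that records
state, PKCE verifier and nonce per flow and rejects any callback that does not
match. The provider (FakeAuthorizationServer) is a constructed stand-in."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison that also treats a missing value as a mismatch."""
    return bool(a) and bool(b) and hmac.compare_digest(a.encode(), b.encode())


def build_authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str) -> tuple[str, dict]:
    """Return the URL to redirect the browser to, plus the per-flow secrets the
    client must persist in its own session store (cookie/DB) before redirecting."""
    state = b64url(secrets.token_bytes(32))
    nonce = b64url(secrets.token_bytes(32))
    code_verifier = b64url(secrets.token_bytes(32))            # RFC 7636: 43..128 unreserved chars
    code_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid", "state": state, "nonce": nonce,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return f"{auth_endpoint}?{urlencode(params)}", {"state": state, "nonce": nonce, "code_verifier": code_verifier}


def verify_callback(callback_url: str, session: dict) -> tuple[str, str]:
    """First half of the check CVE-2023-27490 skipped: the callback must carry the
    state this browser session stored, and the session must own a PKCE verifier.
    Returns (code, code_verifier) for the token request, or raises."""
    q = parse_qs(urlparse(callback_url).query)
    if "code" not in q:
        raise PermissionError("no authorization code in callback")
    if not _equal(q.get("state", [""])[0], session.get("state", "")):
        raise PermissionError("state mismatch: callback was not started by this session (login CSRF)")
    if not session.get("code_verifier"):
        raise PermissionError("no PKCE verifier stored: flow not initiated by this client")
    return q["code"][0], session["code_verifier"]


def verify_id_token_nonce(claims: dict, session: dict) -> None:
    """Second half: the ID token obtained from the code exchange must echo our
    nonce, otherwise a replayed or attacker-obtained token would be accepted."""
    if not _equal(str(claims.get("nonce", "")), session.get("nonce", "")):
        raise PermissionError("nonce mismatch: ID token not issued for this login")


class FakeAuthorizationServer:
    """Constructed stand-in for the provider: binds each single-use code to the
    PKCE challenge and nonce seen in the authorization request."""

    def __init__(self) -> None:
        self._codes: dict[str, dict] = {}

    def authorize(self, authorization_url: str, user: str) -> str:
        p = parse_qs(urlparse(authorization_url).query)
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = {"challenge": p["code_challenge"][0], "nonce": p["nonce"][0], "sub": user}
        return f"{p['redirect_uri'][0]}?{urlencode({'code': code, 'state': p['state'][0]})}"

    def exchange(self, code: str, code_verifier: str) -> dict:
        rec = self._codes.pop(code, None)                          # codes are one-shot
        challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if rec is None or not _equal(challenge, rec["challenge"]):
            raise PermissionError("token endpoint: PKCE verification failed")
        return {"sub": rec["sub"], "nonce": rec["nonce"]}


def complete_login(server: FakeAuthorizationServer, callback_url: str, session: dict) -> str:
    """Callback handling that only creates a login (returns the subject) when
    state, PKCE and nonce all check out; the one-shot values are cleared after."""
    code, verifier = verify_callback(callback_url, session)
    claims = server.exchange(code, verifier)
    verify_id_token_nonce(claims, session)
    session.clear()
    return claims["sub"]


if __name__ == "__main__":
    idp = FakeAuthorizationServer()
    url, victim_session = build_authorization_url("https://idp.example/authorize", "app", "https://app.example/cb")
    print("logged in as", complete_login(idp, idp.authorize(url, "victim"), victim_session))
    # Login CSRF attempt: the attacker finishes their own flow and hands the callback URL to the victim.
    attacker_url, _ = build_authorization_url("https://idp.example/authorize", "app", "https://app.example/cb")
    attacker_callback = idp.authorize(attacker_url, "attacker")
    _, fresh_victim_session = build_authorization_url("https://idp.example/authorize", "app", "https://app.example/cb")
    try:
        complete_login(idp, attacker_callback, fresh_victim_session)
    except PermissionError as err:
        print("rejected:", err)
```

The important property is that every check compares the callback against values the client itself generated and stored for this browser session, never against values supplied in the callback, and that the session values are consumed once a login is created so a callback cannot be replayed.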
CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting

Background

HTTP request smuggling is a web application vulnerability that occurs when an attacker can manipulate the way an application or web server processes HTTP requests sent by a client. It can allow an attacker to bypass security controls, perform unauthorized actions, or steal sensitive data. HTTP response splitting (also called response smuggling) is the mirror image on the response side: a proxy forwards bytes from an upstream server that the client parses as more than one response.

The attack typically exploits inconsistencies in how a front-end web server and a back-end server or application handle HTTP messages, such as the interpretation of Content-Length headers, chunked encoding, or line endings. By manipulating these inconsistencies, an attacker can craft a message that is interpreted differently by the two parties, so that the front end either processes it improperly or unwittingly forwards attacker-controlled content on the attacker's behalf.

Vulnerability

CVE-2023-27522 affects Apache HTTP Server versions 2.4.30 through 2.4.55, specifically the mod_proxy_uwsgi module, which proxies requests to a backend that speaks the uwsgi protocol. The vulnerability is triggered when the origin server returns a response header line containing special characters (for example stray whitespace or line-break characters) that mod_proxy_uwsgi forwarded to the client without validating them.

Because the module copied such header lines through, the response forwarded to the client could be truncated or split: the client may treat the attacker-influenced bytes as the end of one response and the start of another. A backend that the attacker controls, or can influence through header injection in the application, can thus poison shared caches, inject content such as script into what the client renders (an XSS-like outcome), or desynchronize the client's view of the connection so that later responses are mismatched to requests.
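To make the mechanism concrete, here is an added example (not Apache httpd code): a lenient forwarder that copies upstream header lines byte-for-byte, next to a strict one that validates every field against the RFC 9110 grammar and refuses the response instead. The upstream responses are constructed for this example and illustrate the general response-splitting mechanism, not the exact byte sequence Apache mishandled.

```python
"""Added example, not Apache httpd code: validating upstream header lines before
a proxy forwards them. naive_forward() mimics a lenient proxy, strict_forward()
the check a proxy needs. Upstream responses are constructed samples."""
import re

TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")          # RFC 9110 field-name (token)
FIELD_VALUE_RE = re.compile(r"^[\t \x21-\x7e\x80-\xff]*$")         # VCHAR / obs-text / SP / HTAB only


class BadUpstreamHeader(ValueError):
    """Raised for a header line the proxy must not forward (answer 502 instead)."""


def validate_header_line(line: bytes) -> tuple[str, str]:
    """Parse one 'Name: value' line from the upstream, rejecting anything a client
    could read as a line break, a folded line, or an ambiguous field name."""
    if line[:1] in (b" ", b"\t"):
        raise BadUpstreamHeader("obsolete line folding (obs-fold) not accepted")
    text = line.decode("latin-1")
    name, sep, value = text.partition(":")
    if not sep or not TOKEN_RE.match(name):   # also rejects 'Content-Length :' (SP before colon)
        raise BadUpstreamHeader(f"malformed field name {name!r}")
    value = value.strip(" \t")
    if not FIELD_VALUE_RE.match(value):       # CR, LF, NUL and other controls are caught here
        raise BadUpstreamHeader(f"forbidden character in value of {name}")
    return name, value


def _split_response(upstream: bytes) -> tuple[bytes, list[bytes], bytes]:
    status, _, rest = upstream.partition(b"\r\n")
    head, _, body = rest.partition(b"\r\n\r\n")
    return status, head.split(b"\r\n") if head else [], body


def naive_forward(upstream: bytes) -> bytes:
    """Lenient proxy: splits the upstream head on CRLF only and copies each line
    as-is, so a bare LF inside a value survives into what the client receives."""
    status, lines, body = _split_response(upstream)
    return b"\r\n".join([status, *lines]) + b"\r\n\r\n" + body


def strict_forward(upstream: bytes) -> bytes:
    """Validating proxy: re-serialises only well-formed fields, raises otherwise."""
    status, lines, body = _split_response(upstream)
    fields = [f"{n}: {v}".encode("latin-1") for n, v in map(validate_header_line, lines)]
    return b"\r\n".join([status, *fields]) + b"\r\n\r\n" + body


def responses_seen_by_lf_tolerant_client(stream: bytes) -> int:
    """Count the response heads a client that accepts a bare LF as a line
    terminator (as many do) would find in the byte stream."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3} ", stream))


CLEAN_UPSTREAM = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nhi"

# Constructed origin response whose X-Debug value carries bare LFs (think of
# reflected, unencoded input); the bytes after them form a complete second response.
CRAFTED_UPSTREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"X-Debug: ok\nContent-Length: 0\n\n"
    b"HTTP/1.1 200 OK\nContent-Type: text/html\nContent-Length: 25\n\n<script>alert(1)</script>\r\n"
    b"Content-Length: 2\r\n\r\nhi"
)


if __name__ == "__main__":
    print("naive proxy: client sees", responses_seen_by_lf_tolerant_client(naive_forward(CRAFTED_UPSTREAM)), "responses")
    try:
        strict_forward(CRAFTED_UPSTREAM)
    except BadUpstreamHeader as err:
        print("strict proxy refused upstream response:", err)
```

The lenient path hands the client two responses where the origin meant to send one, the second of them attacker-authored HTML; the strict path turns the same input into a gateway error. The check must run on the proxy, because the proxy is the component that decides which bytes the client will ever see.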

Mitigation

  • Upgrade to Apache HTTP Server 2.4.56 or later, which fixes this issue, or apply your distribution's patched package.
  • A web application firewall or intrusion detection system in front of the proxy can detect and block response-splitting patterns, but only as a secondary control.
  • Make sure backend applications validate and encode anything that ends up in response headers, so that user input cannot inject CR, LF or other control characters into header values in the first place.
CVE-2023-27574: ShadowsocksX-NG signs with com.apple.security.get-task-allow

Background

ShadowsocksX-NG is a free and open source macOS application that helps users bypass internet censorship by creating a secure SOCKS5 proxy through which they can access the internet.

When an application is ready for distribution it must be signed with a valid certificate so that the system can verify where it came from and that it has not been tampered with. This process is called code signing.

A code signature also carries entitlements, the permissions the application needs in order to function. Entitlements specify which resources and actions the application is allowed to use, such as the network, the file system, or hardware, and some of them (get-task-allow among them) loosen protections the system would otherwise enforce on the process.

Vulnerability

CVE-2023-27574 affects ShadowsocksX-NG version 1.10.0, which ships signed with the com.apple.security.get-task-allow entitlement. That entitlement marks a process as debuggable: it lets development tools such as Xcode or lldb attach to it, read and write its memory and inject code, and it keeps doing so when the app is running on a user's machine.

The entitlement ended up in the shipped binary because of Xcode's base-entitlement injection, reported in the CVE as CODE_SIGNING_INJECT_BASE_ENTITLEMENTS (the Xcode build setting itself is named CODE_SIGN_INJECT_BASE_ENTITLEMENTS). When it is enabled, Xcode adds a set of default entitlements to the signature beyond those listed in the project's entitlements file, derived from the project configuration and signing identity, and that injected set includes com.apple.security.get-task-allow, which is intended for debug builds only.

The problem is that com.apple.security.get-task-allow is not limited to Xcode: any process running as the same user can obtain the app's task port (task_for_pid) without root privileges or a SIP bypass, and from there read the process's memory, including sensitive data such as the proxy's pre-shared password and encryption keys, or inject code that alters the proxy's behaviour. No vulnerability in the application itself is needed; ordinary malware running on the machine is enough.

Mitigation

  • Users of ShadowsocksX-NG 1.10.0 should upgrade to a later release that is signed without the com.apple.security.get-task-allow entitlement. Developers shipping macOS apps should set CODE_SIGN_INJECT_BASE_ENTITLEMENTS to NO for release builds (or re-sign the release with an entitlements file that omits get-task-allow), enable the hardened runtime, and inspect the final signature with codesign -d --entitlements :- before distribution.
  • More generally, users should be careful with VPN/proxy software: such tools hold credentials and see all traffic, so use only trusted, up-to-date builds.
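The pre-release check in the first bullet can be automated. The following is an added example, not ShadowsocksX-NG or Apple code: it parses the entitlements plist that codesign prints and flags debug-only grants that must not ship. SAMPLE_ENTITLEMENTS is a constructed plist of the shape `codesign -d --entitlements :- App.app` produces; only entitlements_of() needs a macOS host, everything else runs anywhere.

```python
"""Added example, not ShadowsocksX-NG or Apple code: audit the entitlements of a
signed macOS bundle for grants that must not ship in a release build.
SAMPLE_ENTITLEMENTS is a constructed plist; entitlements_of() needs macOS."""
import plistlib
import subprocess

# Entitlements that let other local processes reach into the app or loosen
# hardened-runtime protections; none of them belong in a shipping build.
RISKY_ENTITLEMENTS = {
    "com.apple.security.get-task-allow": "any same-user process can take the task port: read/write memory, inject code",
    "com.apple.security.cs.disable-library-validation": "libraries from other teams or unsigned ones can be loaded",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory permitted",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables honoured, enabling injection",
}

SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>TEAMID.com.example.proxyapp</string>
</dict>
</plist>
"""


def risky_entitlements(plist_bytes: bytes) -> dict[str, str]:
    """Return {entitlement: why it matters} for each risky key that is set to true."""
    try:
        ents = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException as exc:
        raise ValueError("not a plist; use the ':-' form of --entitlements so the blob header is stripped") from exc
    if not isinstance(ents, dict):
        return {}
    return {key: why for key, why in RISKY_ENTITLEMENTS.items() if ents.get(key) is True}


def entitlements_of(app_path: str) -> bytes:
    """Dump the entitlements embedded in a signed bundle (macOS only)."""
    result = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                            capture_output=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for key, why in risky_entitlements(SAMPLE_ENTITLEMENTS).items():
        print(f"REJECT release build: {key} -> {why}")
```

Run it against the archived app (risky_entitlements(entitlements_of("/path/to/App.app"))) as a release gate; a non-empty result means the build was signed with debug entitlements and must be re-signed before distribution.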
CVE-2019-5736: Access control issue in runc

Background

runc is a command-line tool for spawning and running containers according to the Open Container Initiative (OCI) specifications. It is the low-level runtime underneath container engines and orchestrators such as Docker, containerd and Kubernetes.

Vulnerability

CVE-2019-5736 is an access control issue that allows an attacker who can run code as root inside a container to escalate privileges and escape to the host. It affects runc through 1.0-rc6 (as shipped, for example, in Docker before 18.09.2) and stems from file-descriptor mishandling related to /proc/self/exe when runc launches or enters a container.

When runc starts a container, or execs a new process into a running one (as happens on docker exec), the runc binary itself is the process that joins the container's namespaces and then execve()s the requested command. During that window, /proc/self/exe of the process inside the container resolves to the host's runc binary, because the executable was loaded from the host filesystem before the namespace switch.

The flaw is that nothing stopped a process inside the container from obtaining a file descriptor to that binary and later reopening it for writing. A malicious image, or a container the attacker has already compromised, can replace the command runc is about to execute with a script whose interpreter line points at /proc/self/exe, so runc effectively re-executes itself inside the container; another process in the container opens /proc/[pid]/exe of that runc process to obtain a descriptor, waits until runc has exited and the binary is no longer busy, then reopens the descriptor for writing and overwrites the host's runc binary with attacker-controlled code. The next time anyone runs runc on the host, as root, the attacker's code executes with root privileges, escaping the container entirely. The upstream fix makes runc re-execute from a sealed in-memory copy of itself (or a read-only bind-mounted copy), so a descriptor obtained inside the container no longer refers to the host binary.

Mitigation

  • Upgrade to a patched version: runc releases after 1.0-rc6 (the fix first shipped in 1.0-rc7) include the fix. Many distributions backported the fix into their own runc packages without changing the upstream version number, so check the vendor advisory rather than relying on the version string alone.
  • Upgrade container engines: if you use Docker, containerd, Kubernetes, Podman or another engine that bundles runc, upgrade to a release that ships the patched runc (for Docker, 18.09.2 or later).
  • Restrict who can run untrusted containers: the attack requires running code as root inside a container, either from an attacker-controlled image or from an existing container that an administrator later attaches to (e.g. with docker exec). Limit which images may run (signing, allow-lists) and who is allowed to exec into containers.
  • Minimize container privileges: run containers as a non-root user and enable user namespace remapping, so that root inside the container is not root on the host and cannot write to the host's runc binary even with a descriptor to it; additionally drop capabilities, limit access to sensitive host resources, and enforce a mandatory access control policy (SELinux or AppArmor) that denies container processes write access to host binaries.
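A fleet check for the first bullet needs to parse the `runc --version` banner correctly, including the pre-release ordering (1.0.0-rc6 is vulnerable, 1.0.0-rc7 and 1.0.0 are not). The following is an added example, not runc code; the banner strings are constructed samples and host_runc_version() is the only part that touches a real system.

```python
"""Added example, not runc code: decide from a `runc --version` banner whether
a host runs an upstream release affected by CVE-2019-5736 (through 1.0-rc6).
Banner strings are constructed samples; host_runc_version() needs a real runc."""
import re
import subprocess

FIRST_FIXED = (1, 0, 0, 7)   # 1.0-rc7 was the first upstream release carrying the fix
FINAL = 10**6                # sorts any final release after every rc of that version

BANNER_RE = re.compile(r"runc version (\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_runc_version(banner: str) -> tuple[int, int, int, int]:
    """'runc version 1.0.0-rc6' -> (1, 0, 0, 6); '1.0-rc7' -> (1, 0, 0, 7);
    '1.1.4' -> (1, 1, 4, FINAL). Ordering: 1.0.0-rc6 < 1.0.0-rc7 < 1.0.0 < 1.1.4."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised runc version banner: {banner!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), int(rc) if rc is not None else FINAL


def affected_by_cve_2019_5736(banner: str) -> bool:
    """True when the upstream version predates the fix. Distro packages that
    backport the fix keep the old version string, so treat True as 'verify
    against the vendor advisory', not as proof of exposure."""
    return parse_runc_version(banner) < FIRST_FIXED


def host_runc_version(runc: str = "runc") -> str:
    """Return the banner of the runc binary installed on this host."""
    out = subprocess.run([runc, "--version"], capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    samples = (  # constructed banners in the format runc prints
        "runc version 1.0.0-rc6\ncommit: deadbeef\nspec: 1.0.1-dev",
        "runc version 1.0.0-rc7",
        "runc version 1.0.0",
        "runc version 1.1.4",
    )
    for banner in samples:
        verdict = "AFFECTED" if affected_by_cve_2019_5736(banner) else "fixed"
        print(f"{banner.splitlines()[0]:32} -> {verdict}")
```

For hosts whose package manager reports a vendor version (for example a distro build of 1.0.0-rc5 with the fix backported), compare the commit line of the banner with the vendor advisory instead of trusting the verdict from the version number.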
