The JsonWebToken library has a serious flaw: it can lead to remote code execution (RCE). Given its ubiquitous use, this could be a big problem.
Yes, this is yet another example of the risk of an uncontrolled software supply chain. Countless apps and services depend on this npm library (probably yours, too).
The bug has been fixed, after the vulnerability was responsibly disclosed. In this week’s Secure Software Blogwatch, we worry about the people who don’t update.
Your humble blogwatcher has curated these bloggy bits for your entertainment. Not to mention: Who in the MCU.
JWT type confusion
What’s the craic? Bill Toulas reports — “Auth0 fixes RCE flaw in JsonWebToken library used by 22,000 projects”:
“Large Supply Chain Impact”
Auth0 fixed a remote code execution vulnerability in the hugely popular ‘JsonWebToken’ open source library used by over 22,000 projects…over 36 million monthly downloads on NPM [and] used by open source projects created by Microsoft, Twilio, Salesforce, Intuit, Box, IBM, Docusign, Slack, SAP, and more. This vulnerability is tracked as CVE-2022-23529.
…
The JsonWebToken project is an open-source library used to create, sign, and validate JSON Web Tokens. [It] is developed and maintained by Okta Auth0, with over 9 million downloads per week in the NPM package repository and over 22,000 projects using the library, reflecting its massive adoption.
…
This vulnerability is classified as High Severity. … Since JsonWebToken is a very widely used open source library, this flaw will have a high impact on the supply chain and will remain vulnerable for a long time until most projects upgrade.
And swimming the currents, Nathan Eddy — “A security bug in JsonWebToken could lead your server to an RCE”:
“Find vulnerable components”
This bug provides a way for cyber attackers to control the key retrieval parameter (known as secretOrPublicKey) of the ‘jwt.verify’ function, rather than bypassing the authentication or authorization mechanism. …this issue poses a threat to anyone using earlier versions of JWT, including v8.5.1. The patched version of the package is v9.0.0.
…
As the use of open source software (OSS) continues to expand, so too does cyber attackers’ interest in using software components and packages like JWTs as an attack vector. …a growing number of tools are emerging to help defense, identity, access management, and security operations center teams find vulnerable components.
Horse’s mouth? Artur Oleyarsh — “Disclosing a new JWT secret poisoning vulnerability”:
“Commonly used as the backbone for many services”
JWTs are used to send many kinds of information, but primarily to deliver “claims”, information about a subject. … the most common use case for JWT is authorization and authentication.
…
The authorization server validates the information sent in the request and issues a JWT signed with its private key. … before the user receives access to the requested resource, the JWT … is validated using the private key. [But] an attacker with control over the private key can execute code on the host that validates the JWT.
…
A poisoned private key can lead to an RCE. In practice, keeping and maintaining private keys requires best practices such as using secret managers, private key rotation, encryption, etc. Because of the complexity of this vulnerability, I suggested a CVSS score of 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).
…
Open source projects are commonly used today as the backbone of many services and platforms. … security awareness is very important when using open source software. Reviewing commonly used open source security implementations is necessary to maintain their credibility, and is open to the open source community.
Sure you’re not using that library? Here’s Hayo S:
Consider transitive dependencies. You should also check any npm packages that use this as a dependency.
Déjà vu? Theta classifies it:
This is another vulnerability in the pile of object deserialization vulnerabilities.
Why? Julian Wall advises thusly:
If a malicious actor can modify the key retrieval parameter (see the secretOrPublicKey argument) of the jwt.verify() function, it could lead to remote code execution. …[you] will only be affected if you allow untrusted entities to modify the key retrieval parameters…on a host you control.
Wait. Pause. How could that happen? u/castleinthesky86 mocks, in a slightly profane style:
Two cents: If an attacker compromises your secret delivery process, you’re already ****ed. That’s my technical analysis.
But the reality is a little more subtle. As kene explains:
Attackers may chain multiple exploits together. As such, an attacker can take advantage of this vulnerability if another exploit penetrates the system.
This vulnerability allows an attacker, for example, to impersonate the user “Hans Mueller” and gain access to a database outside the compromised system.
JWT? Jason? ELI45, please. Paul Ducklin explains for your CTO:
JWT stands for JSON Web Token. … JSON itself stands for JavaScript Object Notation.
JSON is the modern way to represent structured data. Its format is a bit like XML, but without all the opening and closing angle brackets that hinder readability. …whether JSON is really more readable than XML is an open question, but the big idea of JSON is that the data can be used as a valid JavaScript source without directly or indirectly containing any executable code. It’s encoded in such a way that it can be parsed and processed using your existing JavaScript engine.
…
One common use of JSON is the JWT system. … JWT is an encoded blob of data used by many cloud servers as a service access token. … a blob of base64-encoded (actually URL64-encoded) data containing three fields: …; what type of access the JWT allows, and for how long; and a keyed cryptographic hash of the first two fields, using a private key known only to the service provider.
Meanwhile, u/OuiOuiKiwi briefly summarizes the problem of insecure supply chains:
Allowing untrusted entities to modify your code creates even bigger problems.
And finally:
If Marvel made a Doctor Who movie
Hat Tips: ambeglis
Previously in And Finally
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into the laser with your remaining eye. E&OE. 30.
Image source: JJ Inn (via Unsplash; leveled and cropped)
*** This is a Security Bloggers Network syndicated blog from the ReversingLabs blog created by Richi Jennings. Read the original post: https://www.reversinglabs.com/blog/jsonwebtoken-flaw-highlights-supply-chain-risks