In this week’s digest, we’ll discuss:
- missing proper state, nonce, and PKCE checks for OAuth authentication;
- Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting;
- ShadowsocksX-NG signs with com.apple.security.get-task-allow entitlements because of CODE_SIGNING_INJECT_BASE_ENTITLEMENTS; and
- an access control issue in runc that allows an attacker to escalate privileges within a container.
CVE-2023-27490: Missing proper state, nonce, and PKCE checks for OAuth authentication
Background
OAuth (Open Authorization) is an open standard protocol that allows third-party applications to access resources on behalf of a user without needing to know the user’s credentials, such as a username and password. OAuth works by enabling the user to grant access to their resources by authenticating themselves with the resource owner (e.g. a social media platform) and obtaining an access token, which is then used to access the resources on behalf of the user. This access token is issued by the resource owner and can be used by the third-party application to access the user’s resources without needing to know the user’s login credentials.
Vulnerability
The vulnerability CVE-2023-27490, exists in the Next-auth package, which is related to the OAuth authentication flow. Specifically, it occurs during an OAuth session when the authorization URL is intercepted and manipulated by an attacker. This vulnerability can allow the attacker to log in as the victim and bypass the CSRF protection that is normally in place. In the OAuth flow, the authorization URL is used to initiate the authentication process and request access to the user’s resources. The URL contains important parameters, such as the state, pkce, and nonce, which are used to prevent attacks such as CSRF, replay attacks, and token theft. However, if the authorization URL is intercepted and manipulated by an attacker, these protections can be bypassed, leading to the vulnerability described in the Next-auth package.
The root cause of the vulnerability is a partial failure that occurs during a compromised OAuth session. Specifically, a session code is erroneously generated, which allows the attacker to bypass the CSRF protection and log in as the victim.
Mitigation
- The vulnerability has been addressed in next-auth version v4.20.1, upgrading to the latest version is the recommended way to fix this issue.
- However, by using Advanced Initialization, developers can manually check the callback request for state, pkce, and nonce against the provider configuration, and abort the sign-in process if there is a mismatch
CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting
Background
HTTP Request Smuggling is a web application vulnerability that occurs when an attacker can manipulate the way that an application or a web server processes HTTP requests sent by a client. This vulnerability can allow an attacker to bypass security controls, perform unauthorized actions, or steal sensitive data.
The attack typically involves exploiting inconsistencies in how a front-end web server and a back-end server or application handle HTTP requests, such as the interpretation of Content-Length headers or handling of chunked encoding. By manipulating these inconsistencies, an attacker can craft a request that is interpreted differently by the two servers, resulting in either the request being processed improperly or the front-end server acting as a proxy for the attacker to execute malicious requests on behalf of the attacker.
Vulnerability
The vulnerability CVE-2023-27522 affects Apache HTTP Server versions 2.4.30 through 2.4.55, specifically via the mod_proxy_uwsgi module. The vulnerability occurs when the origin server sends a specially crafted HTTP response header that contains certain special characters, such as spaces or tabs, followed by a “Content-Length” header.
The mod_proxy_uwsgi module in Apache HTTP Server can misinterpret this header and forward the response to the client with a truncated or split “Content-Length” header. This can cause the client to receive incomplete or incorrect responses, potentially allowing an attacker to perform various types of attacks, such as data leakage, server-side request forgery (SSRF), cross-site scripting (XSS), and remote code execution (RCE).
Mitigation
- It is recommended to upgrade to the latest version of Apache HTTP Server or apply any available patches.
- Additionally, web application firewalls and intrusion detection systems can be used to detect and prevent HTTP response smuggling attacks.
- It is also important to ensure that proper input validation and output encoding techniques are used to prevent the injection of special characters in HTTP responses.
CVE-2023-27574: ShadowsocksX-NG signs with com.apple.security.get-task-allow
Background
ShadowsocksX-NG is a free and open source application that helps users bypass internet censorship by creating a secure socks5 proxy through which they can access the internet.
When an application is developed and ready for distribution, it needs to be signed with a valid certificate to ensure that it is legitimate and hasn’t been tampered with. This process is called code signing.
One of the requirements for code signing is to include entitlements, which are permissions that an application needs to function correctly. Entitlements specify what resources and actions the application is allowed to access, such as the network, file system, or hardware.
Vulnerability
The vulnerability CVE-2023-27574 exists in the ShadowsocksX-NG version 1.10.0 application which is signed with an entitlement called com.apple.security.get-task-allow. This entitlement allows the application to be debugged and inspected by development tools, such as Xcode, even when it is running on a user’s device.
The reason for including this entitlement is due to a feature called CODE_SIGNING_INJECT_BASE_ENTITLEMENTS. This feature is part of the code signing process, and it allows developers to include additional entitlements beyond those explicitly specified in the application’s entitlements file.In other words, when the CODE_SIGNING_INJECT_BASE_ENTITLEMENTS feature is enabled, Xcode will automatically inject a set of default entitlements into the application’s signature. These entitlements are based on the developer’s account and the project setting. They include the com.apple.security.get-task-allow entitlement by default.
The problem with this approach is that the com.apple.security.get-task-allow entitlement can be abused by attackers to obtain sensitive information from the application’s memory, such as encryption keys or other sensitive data. This could be done by exploiting a vulnerability in the application or by using a third-party tool to read the application’s memory.
Mitigation
- Users of ShadowsocksX-NG version 1.10.0 are advised to upgrade to a later version that does not include the com.apple.security.get-task-allow entitlements or to remove the entitlements manually from the application’s code signing signature.
- Additionally, users should be cautious when using VPN/proxy softwares and ensure that they are using a trusted and secure version of the software.
CVE-2019-5736: Access control issue in runc
Background
runc is a command-line utility for spawning and running containers according to the Open Container Initiative (OCI) specifications. It is commonly used in container runtime environments such as Docker, Kubernetes, and others.
Vulnerability
This vulnerability CVE-2019-5736 is an access control issue that allows an attacker to escalate privileges within a container. Specifically, the issue is related to the way the runc version through 1.1.4 handles the root file system (rootfs) when launching a container.
In libcontainer/rootfs_linux.go, runc sets up the rootfs of a container by mounting it as read-only and then overlaying a writable layer on top of it. This process is used to create the container’s file system and isolate it from the host system.
However, a flaw in this code allows an attacker to overwrite the host system’s /proc/self/exe file, which is a symbolic link to the runc binary itself. By doing so, the attacker can execute arbitrary code with elevated privileges, effectively escaping the container and gaining control of the host system.
Mitigation
- Upgrade to a patched version: Upgrading to a patched version of runc is the most effective mitigation for this vulnerability. runc versions 1.0.0-rc6 and later include a fix for this vulnerability.
- Upgrade container runtimes: If you are using a container runtime environment such as Docker or Kubernetes, make sure to upgrade to a version that includes the patched runc version.
- Implement access controls: To mitigate the risk of this vulnerability, access controls should be implemented to limit the ability of attackers to spawn containers with custom volume-mount configurations and run custom images.
- Minimize container privileges: Minimizing the privileges of containers can help to limit the scope of a potential attack. This can be achieved by running containers as non-root users, restricting container capabilities, and limiting access to sensitive host resources.
Comments