This week’s digest covers:
- Lack of proper state, nonce and PKCE checks for OAuth authentication.
- Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting.
- ShadowsocksX-NG is signed with the com.apple.security.get-task-allow entitlement because of CODE_SIGNING_INJECT_BASE_ENTITLEMENTS.
- Access control issue in runc that allows an attacker to elevate privileges within the container.
CVE-2023-27490: Missing proper state, nonce and PKCE checks for OAuth authentication
Background
OAuth (Open Authorization) is an open standard protocol that allows third-party applications to access resources on behalf of a user without knowing the user’s credentials, such as username and password. OAuth allows users to authorize access to resources by authenticating themselves with resource owners (such as social media platforms) and obtaining access tokens that are then used to access resources on their behalf. This access token is issued by the resource owner and can be used by third-party applications to access the user’s resources without knowing the user’s login credentials.
Vulnerability
Vulnerability CVE-2023-27490 exists in the next-auth package and concerns the OAuth authentication flow. Specifically, it occurs when the authorization URL is intercepted during an OAuth session and manipulated by an attacker. This vulnerability allows an attacker to log in as the victim and bypass the CSRF protections that are normally in place. OAuth flows use an authorization URL to initiate the authorization process and request access to a user’s resources. The URL contains important parameters such as state, pkce and nonce, which are used to prevent attacks such as CSRF, replay attacks and token theft. However, if the authorization URL is intercepted and manipulated by an attacker, these protections can be bypassed, leading to the vulnerability described for the next-auth package.
The root cause of the vulnerability is a partial failure that occurs during a compromised OAuth session. Specifically, the session code is generated incorrectly, allowing the attacker to bypass the CSRF protection and log in as the victim.
Mitigation
- This vulnerability is addressed in next-auth version v4.20.1. To fix this issue, we recommend upgrading to the latest version.
- Alternatively, when using next-auth’s advanced initialization, developers can manually check the state, pkce and nonce of the callback request against the provider configuration and abort the sign-in process if there is a mismatch.
CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting
Background
HTTP request smuggling is a web application vulnerability that occurs when an attacker can manipulate how an application or web server processes HTTP requests sent by a client. This vulnerability could allow an attacker to bypass security controls, perform unauthorized actions, or steal sensitive data.
This attack typically involves exploiting inconsistencies in how front-end web servers and back-end servers or applications handle HTTP requests, such as interpreting Content-Length headers and handling chunked encoding. By manipulating these discrepancies, an attacker can craft requests that are interpreted differently by the two servers. As a result, either the request is handled improperly, or the front-end server acts as a proxy for the attacker and executes malicious requests on the attacker’s behalf.
Vulnerability
Vulnerability CVE-2023-27522 affects Apache HTTP Server versions 2.4.30 to 2.4.55, specifically through the mod_proxy_uwsgi module. It is triggered when an origin server sends a specially crafted HTTP response header containing certain special characters, such as spaces or tabs, followed by a “Content-Length” header.
The Apache HTTP Server’s mod_proxy_uwsgi module may misinterpret this header and forward the response to the client with a truncated or split “Content-Length” header. This could allow the client to receive an incomplete or incorrect response, allowing an attacker to perform data disclosure, server-side request forgery (SSRF), cross-site scripting (XSS), and remote code execution (RCE).
Mitigation
- We recommend upgrading to the latest version of Apache HTTP Server or applying any available patches.
- In addition, web application firewalls and intrusion detection systems can be used to detect and prevent HTTP response smuggling attacks.
- It’s also important to ensure that proper input validation and output encoding techniques are used to prevent the injection of special characters in HTTP responses.
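The validation the last item asks for, as an added example that is not Apache’s own code: a strict parser for the header section of an upstream response that refuses to forward anything a downstream parser might read differently, covering the whitespace-in-field-name case described above as well as the Content-Length and chunked-encoding ambiguities from the Background. Function names are assumptions; the header blocks in the usage note are constructed.

```javascript
// Added example (not Apache code): strict validation of an upstream response's
// header section before a proxy forwards it. Function names are assumptions;
// the rules are RFC 7230 field syntax: the field name is a token (no spaces or
// tabs), nothing sits between name and colon, no bare CR or LF, no obsolete
// line folding, Content-Length is digits only and never conflicts with itself
// or with Transfer-Encoding.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// `headerBlock` is the raw text after the status line, with CRLF line endings.
// Returns a Map of lower-cased field name -> array of values, or throws.
function parseResponseHeaders(headerBlock) {
  const headers = new Map();
  for (const line of headerBlock.split("\r\n")) {
    if (line === "") break;                               // blank line ends the header section
    if (/[\r\n]/.test(line)) throw new Error("bare CR or LF inside a header line");
    if (/^[ \t]/.test(line)) throw new Error("obsolete line folding is not accepted");
    const colon = line.indexOf(":");
    if (colon <= 0) throw new Error("header line without a field name or colon");
    const name = line.slice(0, colon);
    if (!TOKEN.test(name)) {
      // Catches "Content-Length : 5" and any name containing spaces or tabs.
      throw new Error(`invalid field name ${JSON.stringify(name)}`);
    }
    const value = line.slice(colon + 1).trim();
    // Tab is the only control character allowed inside a field value.
    if (/[\x00-\x08\x0a-\x1f\x7f]/.test(value)) throw new Error("control character in field value");
    const key = name.toLowerCase();
    if (key === "content-length") {
      if (!/^\d+$/.test(value)) throw new Error("Content-Length must be a non-negative integer");
      const seen = headers.get(key);
      if (seen && seen[0] !== value) throw new Error("conflicting Content-Length values");
    }
    headers.set(key, [...(headers.get(key) || []), value]);
  }
  if (headers.has("content-length") && headers.has("transfer-encoding")) {
    throw new Error("Content-Length and Transfer-Encoding must not both be present");
  }
  return headers;
}

// Convenience wrapper for a forwarding decision: true only if the block parses cleanly.
function isSafeHeaderBlock(headerBlock) {
  try {
    parseResponseHeaders(headerBlock);
    return true;
  } catch (e) {
    return false;
  }
}

module.exports = { parseResponseHeaders, isSafeHeaderBlock };
```

With constructed input, `isSafeHeaderBlock("Content-Type: text/html\r\nContent-Length: 5\r\n\r\n")` is true, while `"Content-Length : 5\r\n\r\n"` (space before the colon), `"X-Upstream: a\nContent-Length: 0\r\n\r\n"` (bare LF) and a block carrying two different Content-Length values are all rejected. Rejecting rather than repairing is deliberate: a proxy that silently normalises an ambiguous header is exactly the component whose interpretation may differ from the client’s.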
CVE-2023-27574: ShadowsocksX-NG signs with com.apple.security.get-task-allow
Background
ShadowsocksX-NG is a free open source application that helps users bypass internet censorship by creating a secure socks5 proxy that allows them to access the internet.
Once an application has been developed and is ready for distribution, it must be signed with a valid certificate to ensure it is legitimate and has not been tampered with. This process is called code signing.
One of the requirements for code signing is the inclusion of entitlements. Entitlements are the permissions an application requires in order to function properly: they specify the resources and actions an application can access, such as networks, file systems, and hardware.
Vulnerability
Vulnerability CVE-2023-27574 is present in ShadowsocksX-NG version 1.10.0: the application is signed with the com.apple.security.get-task-allow entitlement. This entitlement allows the application to be debugged and inspected with development tools such as Xcode, even when the application is running on the user’s device.
The reason for including this entitlement is a feature called CODE_SIGNING_INJECT_BASE_ENTITLEMENTS. This feature is part of the code signing process and allows developers to include additional entitlements beyond those explicitly specified in their application’s entitlements file. In short, when CODE_SIGNING_INJECT_BASE_ENTITLEMENTS is enabled, Xcode automatically inserts a set of default entitlements into the application’s signature. These entitlements are based on the developer’s account and project settings, and include the com.apple.security.get-task-allow entitlement by default.
The problem with this approach is that an attacker can abuse the com.apple.security.get-task-allow entitlement to obtain sensitive information (such as encryption keys or other sensitive data) from the application’s memory. This can be done by exploiting application vulnerabilities or by using third-party tools to read application memory.
Mitigation
- Users of ShadowsocksX-NG version 1.10.0 are advised to upgrade to a newer version that does not include the com.apple.security.get-task-allow entitlement, or to manually remove the entitlement from the application’s code signature.
- Additionally, users should be careful when using VPN/proxy software and make sure they are using a trusted and secure version of the software.
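A release-build check for the entitlement discussed above, as an added example that is not ShadowsocksX-NG’s own code: it reads the entitlements plist that `codesign -d --entitlements :- /path/to/App.app` prints and reports get-task-allow when it is set to true. The plist below is constructed for the illustration, and the function names are assumptions; the second flagged key, com.apple.security.cs.disable-library-validation, is a Hardened Runtime entitlement that is not mentioned in the digest and is included only as a second example of the same kind of check.

```javascript
// Added example (not ShadowsocksX-NG code): flag entitlements that weaken a shipped
// macOS build. Input is the XML plist printed by
// `codesign -d --entitlements :- /path/to/App.app`. Names are assumptions.
const RISKY_ENTITLEMENTS = {
  // From the digest: lets a debugger attach and read process memory.
  "com.apple.security.get-task-allow": "debugger attach and memory inspection allowed",
  // Not from the digest: Hardened Runtime entitlement allowing differently
  // signed or unsigned libraries to load into the process.
  "com.apple.security.cs.disable-library-validation": "library validation disabled",
};

// Minimal reader for a flat entitlements dict: pairs each <key> with the value
// element that follows it. Sufficient for codesign output; not a general plist parser.
function parseEntitlements(plistXml) {
  const out = {};
  const re = /<key>([^<]+)<\/key>\s*(<true\/>|<false\/>|<string>([^<]*)<\/string>|<array>[\s\S]*?<\/array>)/g;
  let m;
  while ((m = re.exec(plistXml)) !== null) {
    const [, key, raw, str] = m;
    if (raw === "<true/>") out[key] = true;
    else if (raw === "<false/>") out[key] = false;
    else if (str !== undefined) out[key] = str;
    else out[key] = raw; // array kept as raw XML; not needed for these checks
  }
  return out;
}

// Returns one finding per risky entitlement that is present and set to true.
function findRiskyEntitlements(plistXml) {
  const ents = parseEntitlements(plistXml);
  return Object.keys(RISKY_ENTITLEMENTS)
    .filter((key) => ents[key] === true)
    .map((key) => ({ key, why: RISKY_ENTITLEMENTS[key] }));
}

// Constructed sample resembling what a debug-style signature would print.
const SAMPLE_RELEASE_PLIST = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.get-task-allow</key><true/>
</dict>
</plist>`;

module.exports = { parseEntitlements, findRiskyEntitlements, SAMPLE_RELEASE_PLIST };
```

On the constructed plist the check returns a single finding for com.apple.security.get-task-allow; a build whose signature lacks the key, or carries it as `<false/>`, produces none. Running this against the archived build before distribution catches the CODE_SIGNING_INJECT_BASE_ENTITLEMENTS default described above.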
CVE-2019-5736: access control issue in runc
Background
runc is a command-line utility for spawning and running containers according to the Open Container Initiative (OCI) specification. It is commonly used in container runtime environments such as Docker and Kubernetes.
Vulnerability
This vulnerability, CVE-2019-5736, is an access control issue that allows an attacker to escalate privileges within the container. Specifically, the issue is related to the way runc versions up to 1.1.4 handle the root file system (rootfs) when starting the container.
In libcontainer/rootfs_linux.go, runc sets up the rootfs by mounting it read-only and overlaying a writable layer on top of it. This process is used to create the container’s file system and isolate it from the host system.
However, a flaw in this code allows an attacker to reach the runc binary itself through /proc/self/exe, a symbolic link to the running executable. By doing so, an attacker can execute arbitrary code with elevated privileges, effectively escaping the container and gaining control of the host system.
Mitigation
- Upgrading to a patched version: Upgrading to a patched version of runc is the most effective mitigation for this vulnerability. runc versions 1.0.0-rc6 and later contain a fix for this vulnerability.
- Upgrade your container runtime: If you’re using a container runtime environment such as Docker or Kubernetes, upgrade to a version that includes a patched runc version.
- Implement access controls: To mitigate the risk of this vulnerability, access controls should be implemented to limit an attacker’s ability to spawn containers with custom volume mount configurations and run custom images.
- Minimize container privileges: Minimizing container privileges helps limit the surface area of potential attacks. This can be achieved by running the container as a non-root user, limiting container capabilities, and restricting access to critical host resources.