In this week's digest, we are going to talk about:
- Linode Terraform (TF) Provider Deterministic Password Creation
- Apache Commons Text Remote Code Execution (RCE)
- vm2 sandbox escape to RCE
Linode Terraform Provider Creates a Non-seeded Deterministic Password
A security vulnerability was discovered in the Linode Terraform Provider, a plugin designed for automating the provisioning of Linode instances using Terraform. Terraform is an IaC tool that focuses on creating, modifying, and destroying servers rather than managing the software on those servers.
The vulnerability affects Linodes created with the Terraform plugin version v1.29.3. In the Terraform provider, when a Linode is created without providing a root password, the TF provider uses a randomly generated password. The affected plugin version appears to generate deterministic passwords due to a change in our password generation functionality. The vulnerable component involved the use of the math/rand Go package instead of crypto/rand for random password generation. Additionally, the math/rand package was not being seeded.
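As an added illustration, not the provider's own code, the flawed pattern sits beside the correct one: a math/rand source that is never seeded (before Go 1.20 the global generator defaulted to seed 1) yields the same password on every run, while crypto/rand needs no seeding and does not. The function names and alphabet are hypothetical.

```go
package main

import (
	crand "crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand"
)

const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// weakPassword reproduces the flawed pattern: math/rand driven by a source that
// is never seeded. Before Go 1.20 the unseeded global generator behaved exactly
// like NewSource(1), so every process produced the same "random" password.
// Constructed illustration, not the provider's actual code.
func weakPassword(length int) string {
	r := mrand.New(mrand.NewSource(1)) // fixed seed == pre-1.20 unseeded default
	b := make([]byte, length)
	for i := range b {
		b[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(b)
}

// strongPassword draws each index from crypto/rand, which is backed by the OS
// CSPRNG. crand.Int returns a uniform value below max, so there is no modulo bias.
func strongPassword(length int) (string, error) {
	b := make([]byte, length)
	max := big.NewInt(int64(len(alphabet)))
	for i := range b {
		n, err := crand.Int(crand.Reader, max)
		if err != nil {
			return "", err
		}
		b[i] = alphabet[n.Int64()]
	}
	return string(b), nil
}

func main() {
	fmt.Println("weak   #1:", weakPassword(16))
	fmt.Println("weak   #2:", weakPassword(16)) // identical to #1, every run
	p1, _ := strongPassword(16)
	p2, _ := strongPassword(16)
	fmt.Println("strong #1:", p1)
	fmt.Println("strong #2:", p2) // differs from #1
}
```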
To protect your future deployments, please upgrade the Linode Terraform Provider to the latest version, currently v1.29.4. If you are not able to upgrade immediately, you can also change the root password on the instances deployed via the affected plugin.
If you need further assistance, or if you have any questions, please reach out to [email protected]
Apache Commons Text Remote Code Execution (RCE)
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.
CVE-2022-42889 is a remote code execution vulnerability in Apache Commons Text versions 1.5 through 1.9, where the set of default Lookup instances (from the StringSubstitutor class) included interpolators that could result in arbitrary code execution or contact with remote servers. The vulnerable lookups are:
- "script" – Executes expressions using the JVM script execution engine (javax.script)
- "dns" – Resolves DNS records
- "url" – Loads values from URLs
Additionally, any remote server applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
The way to determine whether you have this library installed is to run `find / -type f -name 'commons-text*.jar'`, which will list any .jar file with the prefix commons-text.
The fix is available starting with Apache Commons Text 1.10.0. The fix disables the dns, url, and script lookup interpolators by default. Other workarounds can also be applied, which include sanitizing input in places where you accept and process untrusted data.
vm2 sandbox escape to RCE
vm2 is a widely used npm package that acts as a sandbox where you can run untrusted code with allowlisted Node built-in modules. This package is very popular, with over 16 million downloads a month, making it a worthwhile vulnerability to leverage against an application with the vm2 package installed.
CVE-2022-36067 is a remote code execution vulnerability in the vm2 sandbox library where a user could escape the vm2 sandbox and gain access to the host running the sandbox. The vulnerability currently affects versions 3.9.10 and below.
This vulnerability involves the prepareStackTrace method, a function that allows developers to customize the call stack of an error that occurred in the application. The prepareStackTrace method belongs to the "Error" constructor, which creates "Error" objects. When an error occurs and the "stack" property of the thrown error object is accessed, Node.js will call this method, providing it with a string representation of the error along with an array of "CallSite" objects as arguments.
The researchers started by overriding the global Error object with their own object. This new object enables the attacker to use the prepareStackTrace function in order to leverage a non-sandboxed function called "getThis", which is a function used for returning the "this" object in a stack frame. This stack frame object is a non-sandboxed object that could allow an attacker to execute functions that escape the sandbox and execute code on the host that the code is running on.
The fix is available starting with vm2 3.9.11.