HackerOne report H1:1625036 by bnoordhuis, Jul 04, 2022 - 10:28 p.m.

Node.js: Insecure loading of ICU data through ICU_DATA environment variable

2022-07-04 22:28:55 | bnoordhuis | hackerone.com

CVSS3: 4.2 Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

CVSS2: 1.3 Low (AV:L/AC:M/Au:M/C:N/I:P/A:N)

  • Access Vector: LOCAL
  • Access Complexity: MEDIUM
  • Authentication: MULTIPLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

EPSS: 0.0004 Low (Percentile 12.2%)

Node.js correctly ignores the NODE_ICU_DATA environment variable when it is running with elevated privileges (e.g. setuid root).

ICU on the other hand still honors the ICU_DATA environment variable, without regard for privilege level.

Impact

ICU is not very resilient to crafted data files but since users can select custom data files anyway with the --icu-data-dir flag, the real-world impact is probably not much worse than what is already possible through documented means…

…which doesn’t mean it shouldn’t be fixed because scenarios where it is in fact exploitable are imaginable, just not very likely.

Suggestions:

  • build ICU with ICU_NO_USER_DATA_OVERRIDE defined
  • sanitize the environment before initializing ICU
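The second suggestion, sanitizing the environment before ICU is initialized, as an added C example that is not Node's or ICU's own code: it assumes the setuid/setgid test (real vs. effective ids) as the trust signal and the helper names are hypothetical; the ICU_DATA path value is constructed for the self-check.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* ICU_DATA is read by ICU itself; NODE_ICU_DATA is the variable Node already
 * ignores under elevated privileges. Both are dropped here so neither path
 * can steer data-file loading in a privileged process. */
static const char *const kIcuEnvVars[] = { "ICU_DATA", "NODE_ICU_DATA" };
#define NUM_ICU_ENV_VARS (sizeof kIcuEnvVars / sizeof kIcuEnvVars[0])

/* Hypothetical helper: 1 when the process runs with privileges other than
 * the invoking user's (setuid/setgid), i.e. the environment is untrusted. */
int icu_env_is_untrusted(void) {
  return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper: removes the ICU data-path variables when `untrusted`
 * is set. Must run before any ICU initialization (u_init, udata_* calls).
 * Returns the number of variables actually removed. */
int sanitize_icu_env(int untrusted) {
  int removed = 0;
  if (!untrusted) return 0;
  for (size_t i = 0; i < NUM_ICU_ENV_VARS; i++) {
    if (getenv(kIcuEnvVars[i]) != NULL) {
      unsetenv(kIcuEnvVars[i]);
      removed++;
    }
  }
  return removed;
}

/* Self-check: plants a constructed ICU_DATA value, then verifies it is
 * dropped in the untrusted case and kept in the trusted one. Returns 1 on
 * success, 0 on any deviation. */
int self_check(void) {
  for (size_t i = 0; i < NUM_ICU_ENV_VARS; i++) unsetenv(kIcuEnvVars[i]);
  if (setenv("ICU_DATA", "/tmp/constructed/icudt.dat", 1) != 0) return 0;
  if (sanitize_icu_env(1) != 1 || getenv("ICU_DATA") != NULL) return 0;
  if (setenv("ICU_DATA", "/tmp/constructed/icudt.dat", 1) != 0) return 0;
  if (sanitize_icu_env(0) != 0 || getenv("ICU_DATA") == NULL) return 0;
  return 1;
}

int main(void) {
  int untrusted = icu_env_is_untrusted();
  printf("privileged process: %s, removed %d ICU variable(s)\n",
         untrusted ? "yes" : "no", sanitize_icu_env(untrusted));
  return self_check() ? 0 : 1;
}
```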
