Mhdawson_H1:1888758Internet Bug Bounty: Inadequate Encryption Strength in nodejs-current reads openssl.cnf from /home/iojs/build/... upon startup on MacOS
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
20.8%
Summary:
The attack would be an attacker with access to a shared MacOS host with a self-chosen username (iojs) being able to affect the OpenSSF configuration of other users. I believe the iojs home directory is something configured within the Node.js build/CI pipeline, as opposed to something internal to OpenSSL.
Description:
Steps To Reproduce:
From inspection of the code, look at the path specified in: https://github.com/nodejs/node/blob/7f9cd60eef6fad245baed9896ec6376b693e089a/deps/openssl/openssl.gyp#L24
'openssl_dir': '<(PRODUCT_DIR_ABS)/obj.target/deps/openssl',
and unlike other platforms, this is not overriden on MacOS in “/deps/openssl/openssl_common.gypi”
This is a similar problem to what was fixed for Linux in https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#attempt-to-read-openssl-cnf-from-home-iojs-build-upon-startup-medium-cve-2022-32222
Impact:
openssl.cnf file is being read as part of OpenSSL’s initialization; this is used to configure Node.js
Supporting Material/References:
This is the suggested fix (also includes removing existing compiler warnings about duplicate OPENSSL definitions)
diff --git a/deps/openssl/openssl.gyp b/deps/openssl/openssl.gyp
2 index 7b1278044e..861bbc5844 100644
3 --- a/deps/openssl/openssl.gyp
4 +++ b/deps/openssl/openssl.gyp
5 @@ -7,21 +7,17 @@
6 'conditions': [
7 ['OS == "win"', {
8 'obj_dir_abs': '<(PRODUCT_DIR_ABS)/obj',
9 - 'openssl_dir': '<(PRODUCT_DIR_ABS)/obj/lib',
10 }],
11 ['GENERATOR == "ninja"', {
12 'obj_dir_abs': '<(PRODUCT_DIR_ABS)/obj',
13 'modules_dir': '<(PRODUCT_DIR_ABS)/obj/lib/openssl-modules',
14 - 'openssl_dir': '<(PRODUCT_DIR_ABS)/obj/lib',
15 }, {
16 'obj_dir_abs%': '<(PRODUCT_DIR_ABS)/obj.target',
17 'modules_dir': '<(PRODUCT_DIR_ABS)/obj.target/deps/openssl/lib/openssl-modules',
18 - 'openssl_dir': '<(PRODUCT_DIR_ABS)/obj.target/deps/openssl',
19 }],
20 ['OS=="mac"', {
21 'obj_dir_abs%': '<(PRODUCT_DIR_ABS)/obj.target',
22 'modules_dir': '<(PRODUCT_DIR_ABS)/obj.target/deps/openssl/lib/openssl-modules',
23 - 'openssl_dir': '<(PRODUCT_DIR_ABS)/obj.target/deps/openssl',
24 }],
25 ],
26 },
27 @@ -57,7 +53,6 @@
28 ['node_shared_openssl=="false"', {
29 'defines': [
30 'MODULESDIR="<(modules_dir)"',
31 - 'OPENSSLDIR="<(openssl_dir)"',
32 ]
33 }],
34 ],
35 diff --git a/deps/openssl/openssl_common.gypi b/deps/openssl/openssl_common.gypi
36 index d4e39e8416..256eb7d180 100644
37 --- a/deps/openssl/openssl_common.gypi
38 +++ b/deps/openssl/openssl_common.gypi
39 @@ -49,6 +49,7 @@
40 'WARNING_CFLAGS': ['-Wno-missing-field-initializers']
41 },
42 'defines': [
43 + 'OPENSSLDIR="/System/Library/OpenSSL/"',
44 'ENGINESDIR="/dev/null"',
45 ],
46 }, 'OS=="solaris"', {
Impact
The openssl.cnf file contains security configuration information for OpenSSL. It’s possible that changing things like default ciphers could affect the security of an application using it.
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
20.8%