Cyber Security

Node.js developers fix high-risk vulnerability that could allow remote domain hijacking

A vulnerability in Node.js that could allow a remote actor to perform domain hijacking attacks has been fixed.

The maintainers of the JavaScript runtime environment have released a security advisory today (August 12) warning users to update to the latest version to protect against a series of bugs.

The first vulnerability (CVE-2021-3672/CVE-2021-2293) is improper handling of untypical characters in domain names, which opened the door to remote code execution (RCE) or cross-site scripting (XSS) exploits.

The flaw, which was classed as high severity, also caused application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library.

This could lead to the output of wrong hostnames – causing domain hijacking – and injection vulnerabilities in applications using the library.
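An added example, not code from Node.js or the advisory: one way an application can check names handed back by DNS lookups (for instance from dns.reverse()) against strict letter-digit-hyphen hostname syntax before using them in HTML, logs or access decisions. The helper names and sample values are constructed for illustration, and the LDH-only policy is an assumption (Punycode names pass, raw Unicode and underscores do not).

```javascript
'use strict';
// Added example: validate hostnames returned by DNS before trusting them.
// isSafeHostname and filterResolvedNames are hypothetical helper names.

// One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
const LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isSafeHostname(name) {
  if (typeof name !== 'string') return false;
  // Accept a single trailing dot (fully qualified form) and strip it.
  const host = name.endsWith('.') ? name.slice(0, -1) : name;
  // 253 is the maximum length of a hostname in textual form.
  if (host.length === 0 || host.length > 253) return false;
  // Every label must match; this rejects NUL bytes, markup characters,
  // backslash escapes, whitespace and empty labels ("a..b").
  return host.split('.').every((label) => LABEL.test(label));
}

// Split a list of resolver results into names that are safe to use and
// names that should be dropped and logged (escaped) for investigation.
function filterResolvedNames(names) {
  const accepted = [];
  const rejected = [];
  for (const n of names) {
    (isSafeHostname(n) ? accepted : rejected).push(n);
  }
  return { accepted, rejected };
}

// Constructed sample of values a reverse lookup might hand back.
const SAMPLE = [
  'mail.example.com',
  'host-01.example.org.',
  'example.com\u0000.other.test',  // embedded NUL byte
  'a<b>.example.com',              // markup characters
  'www\\.example.com',             // backslash-escaped dot inside a label
  '-bad.example.com',              // leading hyphen
  'x'.repeat(64) + '.example.com', // label longer than 63 characters
];

const result = filterResolvedNames(SAMPLE);
// JSON.stringify escapes control characters so rejected names are safe to log.
console.log(JSON.stringify(result, null, 2));
```

Upgrading Node.js remains the fix for the library flaw itself; a check like this is defence in depth for code that consumes resolver output.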

A second vulnerability (CVE-2021-22939) is the incomplete validation of the rejectUnauthorized parameter.

If the Node.js HTTPS API was used incorrectly and undefined was passed in for the rejectUnauthorized parameter, no error was returned and connections to servers with an expired certificate would have been accepted. It was classed as low severity.

Finally, a follow-up fix was included for a use-after-free flaw (CVE-2021-22930), which could allow an attacker to exploit memory corruption to change process behavior, after previous mitigations did not completely resolve the issue.

All users should upgrade to the latest version of Node.js to be protected against the flaws. More information can be found at the Node.js blog.

Injection attacks reloaded

The security advisory was released on the same day that a research paper (PDF) related to this topic was published.

Researchers Philipp Jeitner and Haya Shulman are due to discuss their work at the Usenix conference, which is held virtually today.

In the research, titled ‘Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS’, they demonstrate “a new method to launch string injection attacks by encoding malicious payloads into DNS records”.

Source: https://portswigger.net/daily-swig/node-js-developers-fix-high-risk-vulnerability-that-could-allow-remote-domain-hijacking
