Vulnerabilities in NPM allowed threat actors to publish new versions of any package

GitHub security researchers have released details of two vulnerabilities they discovered in NPM, the Node.js package manager, one of which could allow a malicious actor to publish new versions of any package without proper authorization.

In a blog post published on November 15, 2021, GitHub CISO Mike Hanley revealed that the first issue, which was discovered on October 26, allowed users to learn the names of private NPM packages created before October 20.

This exposure occurred during routine maintenance of one of GitHub’s publicly available NPM services, Hanley explained.

During maintenance on the database that powers the public NPM replica at replicate.npmjs.com, he wrote, records were created that could expose the names of private packages.

“This briefly allowed consumers of replicate.npmjs.com to potentially identify the names of private packages due to records published in the public changes feed.

“No other information, including the content of these private packages, was accessible at any time,” revealed Hanley.

Affected package names were in the scoped format ‘@owner/package’ and belonged to packages created prior to October 20. They were exposed between around 13:00 UTC on October 21 and 15:00 UTC on October 29, the blog post explained.

“On October 29, all records containing private package names were removed from the replication database,” said Hanley, who noted that the data had also been “consumed by third-parties who may have replicated the data elsewhere”.

To prevent this issue from recurring during maintenance, Hanley said that GitHub has made changes “to ensure records containing private package names are not generated during this process”.

Inconsistent authorization checks

The second and more pressing issue was a vulnerability that would allow an attacker to publish new versions of any NPM package from an account that had no authorization for that package.

It was reported to GitHub’s bug bounty program on November 2 and was patched within six hours, said Hanley.

The vulnerability was present due to inconsistent authorization checks and validation of data across several microservices that handle requests to the NPM registry.

Hanley explained: “In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths.

“However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.

“This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package.”


GitHub has found no evidence of in-the-wild exploitation in its telemetry, although Hanley acknowledged that the vulnerability predates those records, which only go back to September 2020, so earlier abuse could not be ruled out.

The issue has been fixed by making the publishing service and the authorization service consistent, so that the same package name is used both for the authorization decision and for the resulting write to the registry.
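The mismatch Hanley describes, and the fix that follows, can be modelled in a few lines. The block below is an added example written for this page; it is not npm’s code, and every user, package and helper name in it is constructed. It assumes only the publicly documented shape of an npm publish request: a PUT to a path carrying the package name, with a JSON package document in the body that also carries a `name` field.

```javascript
// Added example: a miniature model of the registry publish path. All user,
// package and helper names are constructed for illustration; this is not
// npm's own code or data.

// Constructed maintainer table: which users may publish which package.
const MAINTAINERS = {
  "@attacker/harmless": new Set(["mallory"]),
  "victim-package": new Set(["alice"]),
};

// Constructed registry state: published versions per package.
function freshRegistry() {
  return {
    "@attacker/harmless": { versions: ["1.0.0"] },
    "victim-package": { versions: ["2.3.1"] },
  };
}

// Package name as carried in the request path (scoped names arrive
// percent-encoded, e.g. "/@attacker%2Fharmless").
function packageFromPath(request) {
  return decodeURIComponent(request.path.replace(/^\//, ""));
}

// Authorization service: decides based on the package name in the URL path,
// which is what the quoted description says the real service did.
function authorize(user, request) {
  const allowed = MAINTAINERS[packageFromPath(request)];
  return Boolean(allowed && allowed.has(user));
}

// Vulnerable publish service: picks the target package from the uploaded
// package document instead of from the path the authorization covered.
function publishVulnerable(registry, user, request) {
  if (!authorize(user, request)) return { ok: false, reason: "forbidden" };
  const target = request.body.name; // attacker-controlled, never cross-checked
  if (!registry[target]) registry[target] = { versions: [] };
  registry[target].versions.push(request.body.version);
  return { ok: true, published: target };
}

// Hardened publish service: the name used for authorization and the name
// used for the write must be identical, so a mismatch is rejected up front.
function publishFixed(registry, user, request) {
  const pkg = packageFromPath(request);
  if (request.body.name !== pkg) {
    return { ok: false, reason: "package name in body does not match URL" };
  }
  if (!authorize(user, request)) return { ok: false, reason: "forbidden" };
  if (!registry[pkg]) registry[pkg] = { versions: [] };
  registry[pkg].versions.push(request.body.version);
  return { ok: true, published: pkg };
}

// Constructed attack request: the path names a package mallory maintains,
// the body names one she does not.
function craftedRequest() {
  return {
    path: "/@attacker%2Fharmless",
    body: { name: "victim-package", version: "2.3.2" },
  };
}

// Run the same crafted request against both services and report the outcome.
function demo() {
  const vulnerable = freshRegistry();
  const vulnerableResult = publishVulnerable(vulnerable, "mallory", craftedRequest());
  const fixed = freshRegistry();
  const fixedResult = publishFixed(fixed, "mallory", craftedRequest());
  return {
    vulnerableResult,
    vulnerableVictimVersions: vulnerable["victim-package"].versions,
    fixedResult,
    fixedVictimVersions: fixed["victim-package"].versions,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Against the vulnerable service the request is authorized for `@attacker/harmless` yet writes version 2.3.2 into `victim-package`; against the hardened service the same request is refused before any authorization check runs. The general lesson is the one the article draws: whenever a request identifies a resource in more than one place, every service in the chain must key its decision on the same field.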

Further improvements

In the blog post, Hanley also said GitHub was “determined to continue to invest in the security of NPM and the broader software security supply chain”.

Part of this commitment includes introducing automated malware detection and stronger authentication requirements for users “within the coming weeks”.

Source: https://portswigger.net/daily-swig/vulnerabilities-in-npm-allowed-threat-actors-to-publish-new-version-of-any-package
