In this week’s digest, we will discuss:
- Linode Terraform (TF) Provider Deterministic Password Creation
- Apache Commons Text Remote Code Execution (RCE)
- Vm2 sandbox escape to RCE
Linode Terraform Provider Creates a Non-seeded deterministic Password
A security vulnerability was discovered in the Linode Terraform Provider, a plugin designed for automating provisioning Linode instances using Terraform. Terraform is an IaC tool that focuses on creating, modifying, and destroying servers instead of managing the software on those servers.
The vulnerability affects Linodes created with the Terraform plugin version v1.29.3. In the Terraform provider, when a Linode is created without providing a root password, the TF provider uses a randomly generated password. The affected plugin version seems to generate deterministic passwords due to a change in our password generation functionality. The vulnerable component involved the usage of the math/rand Go package instead of the crypto/rand for random password production. Additionally, the math/rand package was not being seeded.
To protect your future deployments, please upgrade the Linode Terraform Provider tool to the latest version, currently v1.29.4. If you are not able to upgrade immediately, you can also change the root password on the instances deployed through the affected plugin.
If you need further assistance, or if you have any questions, please reach out to support@linode.com.
Apache Commons Text Remote Code Execution (RCE)
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.
CVE-2022-42889 is an remote code execution that exists in Apache Commons Text version 1.5 through 1.9 where the set of default Lookup instances (from the StringSubstitutor class) included interpolators that could result in arbitrary code execution or contact with remote servers. The vulnerable lookups are:
- “script” – Executes expressions using the JVM script execution engine (javax.script)
- “dns” – Resolves DNS records
- “url” – Load values from URLs
Additionally, any remote server applications using interpolation defaults in the affected versions can be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
The way to determine if you have this library installed is to run `find / -type f -name ‘commons-text*.jar’`, which will give us any .jar file with the prefix of commons-text.
The fix is available starting with Apache Commons Text 1.10.0. The fix disables the dns, url, and script lookup interpolators by default. Other workarounds can also be applied, which include sanitizing input in places where you accept and process untrusted data.
Vm2 sandbox escape to RCE
vm2 is a widely-used npm package that acts as a sandbox where you can run untrusted code with allowlisted Node’s built-in modules. This package is very popular with over 16 million downloads a month, making it a worthy vulnerability to leverage against an application with the vm2 package installed.
CVE-2022-36067 is a remote code execution that exists in the vm2 sandbox library where a user could escape the sandbox of vm2 and get access to the host running the sandbox. The vulnerability currently affects versions 3.9.10 and below.
This vulnerability involves using the prepareStackTrace method, which is a function that allows developers to customize the call stack of an error that occurred in the application. The prepareStackTrace method is an “error” constructor that creates an “Error” object. When an error occurs and “stack” property of the thrown error object is accessed, Node.js will call this method while providing it with a string representation of the error alongside an array of “CallSite” objects as arguments.
The researchers started off by overriding the global Error object with their own object. This new object enables the attacker to use the prepareStackTrace function in order to leverage a non-sandboxed function called “getThis”, which is a function used for returning the “this” object in a stack frame. This stack frame object is a non-sandboxed object that could allow an to execute functions that will escape the sandbox and execute code on the host that the code is running on.
The fix is available starting with vm2 3.9.11.
Comments