Bug 1159352 - (CVE-2019-16777) VUL-0: CVE-2019-16777,CVE-2019-16776,CVE-2019-16775: nodejs6,nodejs8,nodejs10,nodejs12: Arbitrary path overwrite and access via "bin" field
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
CVSSv2: NVD:CVE-2019-16775:4.0:(AV:N/A...
Reported: 2019-12-17 10:26 UTC by Alexandros Toptsoglou
Modified: 2021-09-03 18:36 UTC

Attachments
reproducer (10.00 KB, application/octet-stream), 2019-12-17 12:52 UTC, Adam Majer

Description Alexandros Toptsoglou 2019-12-17 10:26:32 UTC
Binary Planting with the npm CLI
tl;dr - Update to npm v6.13.4 as soon as possible on all your systems to fix a vulnerability allowing arbitrary path access.

The Vulnerabilities
In versions of npm prior to 6.13.3 (and versions of yarn prior to 1.21.1), a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed.

In versions of npm prior to 6.13.4 (and all versions of yarn as of this announcement), it was possible for a globally-installed package with a binary entry to overwrite an existing binary in the target install location.  (That is, not any arbitrary file on the system, but any file in /usr/local/bin.)

A mitigating factor for both vulnerabilities is that a malicious actor would have to get their victim to install the package with the specially crafted bin entry.  However, as we have seen in the past, this is not an insurmountable barrier.

Current Risk
The npm, Inc. security team has been scanning the registry for examples of this attack, and have not found any published packages in the registry with this exploit.  That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the registry.

We will continue monitoring, and will take action to prevent any bad actors from exploiting this vulnerability in the future.  However, we cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible.

The Fix
The package.json parsing libraries in use in npm v6.13.3 were updated such that they would sanitize and validate all entries in the bin field to remove leading slashes, . and .. path entries, and other means of path escape, using the well tested and highly reliable path utility built into Node.js.

The fix was reviewed by npm, Inc.’s security team, and showed that it prevented the arbitrary path manipulation reported.

The bin script linking libraries in use in npm v6.13.4 were updated such that, when installing binary entries of top-level globally installed packages, they will only overwrite existing binary files if they are currently installed on behalf of the same package being installed.  For example, npm install --global foo could overwrite /usr/local/bin/foo if and only if /usr/local/bin/foo is currently a link to a previously installed version of foo.

This second fix was also reviewed by npm, Inc.’s security team, and showed that it prevented the bin file overwriting exploit.

To patch both vulnerabilities, please run npm install -g npm@6.13.4 as soon as possible.

Thank you!
The vulnerabilities were responsibly reported by Daniel Ruf, and we greatly appreciate Daniel’s help in keeping our community safe.

References 

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
https://github.com/nodejs/node/pull/30904
Comment 1 Alexandros Toptsoglou 2019-12-17 10:55:02 UTC
With this version update the following CVEs are taken care of:

CVE-2019-16777:
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary.

This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

CVE-2019-16776:

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed.

This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

CVE-2019-16775:

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed.

This behavior is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Comment 2 Adam Majer 2019-12-17 12:52:50 UTC
Created attachment 826263 [details]
reproducer

1. tar cvf tests.tar
2. touch /tmp/overwrite
3. mkdir foo
4. cd foo
5. npm init
6. NPM_UNDER_TEST install --save ../cve_test

On vulnerable system, this will create

/tmp/overwrite will be overwritten by symlink to empty index.js
/tmp/testing will have a symlink to empty index.js
/tmp/bash will be a symlink to /bin/bash

To re-run the test, since the ../cve_test is a saved dependency, in the foo directory

1. rm -rf node_modules; rm -f /tmp/{overwrite,testing,bash}; touch /tmp/overwrite
2. NPM_UNDER_TEST install

On a non-vulnerable system, this will generate an error 

> ENOENT: no such file or directory, chmod '/home/adamm/foo/node_modules/cve_test/bin/bash'
> enoent This is related to npm not being able to find a file.


To verify other two fixes, edit cve_test/package.json and remove the entry for /bin/bash and re-run the test. This should not create any entries under /tmp and only create symlinks under foo/node_modules/.bin/{testing,overwrite} that point to the index.js script.
Comment 3 Swamp Workflow Management 2019-12-20 10:51:35 UTC
This is an autogenerated message for OBS integration:
This bug (1159352) was mentioned in
https://build.opensuse.org/request/show/758472 Factory / nodejs12
https://build.opensuse.org/request/show/758473 Factory / nodejs10
Comment 7 Swamp Workflow Management 2019-12-27 17:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1159352) was mentioned in
https://build.opensuse.org/request/show/759700 Factory / nodejs10
Comment 10 Swamp Workflow Management 2020-01-08 17:13:38 UTC
SUSE-SU-2020:0043-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1149792,1159352
CVE References: CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    nodejs8-8.17.0-3.25.1
SUSE Linux Enterprise Module for Web Scripting 15 (src):    nodejs8-8.17.0-3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-01-10 14:12:02 UTC
SUSE-SU-2020:0063-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1149792,1159352,1159812
CVE References: CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs10-10.18.0-1.15.1
Comment 12 Swamp Workflow Management 2020-01-15 05:10:59 UTC
openSUSE-SU-2020:0059-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1149792,1159352
CVE References: CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
openSUSE Leap 15.1 (src):    nodejs8-8.17.0-lp151.2.9.1
Comment 13 Swamp Workflow Management 2020-01-15 14:12:20 UTC
SUSE-SU-2020:0104-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1149792,1159352,1159812
CVE References: CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    nodejs10-10.18.0-1.15.1
SUSE Linux Enterprise Module for Web Scripting 15 (src):    nodejs10-10.18.0-1.15.1
Comment 14 Swamp Workflow Management 2020-01-28 14:16:19 UTC
SUSE-SU-2020:0247-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1159352
CVE References: CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    nodejs6-6.17.1-11.30.1
SUSE OpenStack Cloud Crowbar 8 (src):    nodejs6-6.17.1-11.30.1
SUSE OpenStack Cloud 7 (src):    nodejs6-6.17.1-11.30.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs6-6.17.1-11.30.1
Comment 15 Marcus Meissner 2020-02-05 07:36:10 UTC
done
Comment 17 Swamp Workflow Management 2020-02-20 17:11:32 UTC
SUSE-SU-2020:0429-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1159352,1163102,1163103,1163104
CVE References: CVE-2019-15604,CVE-2019-15605,CVE-2019-15606,CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.15.0-1.6.1