Heavily used Node.js package has a code injection vulnerability:
A heavily downloaded Node.js library has a high-severity command injection vulnerability that was disclosed this month.
Tracked as CVE-2021-21315, the bug affects the "systeminformation" npm component, which gets about 800,000 weekly downloads and has accumulated close to 34 million downloads since its inception.
Put simply, "systeminformation" is a lightweight Node.js library that developers can include in their project to retrieve system information related to CPU, hardware, battery, network, services, and system processes.
[...] "This library is still work in progress. It is supposed to be used as a backend/server-side library (will definitely not work within a browser)," states the developer behind the component.
However, the code injection flaw in "systeminformation" meant an attacker could execute arbitrary system commands by injecting a crafted payload into parameters that the component passed to system commands without sanitizing them.
[...] Users of "systeminformation" should upgrade to version 5.3.1 or later to resolve CVE-2021-21315 in their application.
Related Stories
Researchers have determined that two fake AWS packages downloaded hundreds of times from the open source NPM JavaScript repository contained carefully concealed code that backdoored developers' computers when executed.
The packages—img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy—were attempts to appear as aws-s3-object-multipart-copy, a legitimate JavaScript library for copying files using Amazon's S3 cloud service. The fake files included all the code found in the legitimate library but added an additional JavaScript file named loadformat.js.
[...] "We have reported these packages for removal, however the malicious packages remained available on npm for nearly two days," researchers from Phylum, the security firm that spotted the packages, wrote. "This is worrying as it implies that most systems are unable to detect and promptly report on these packages, leaving developers vulnerable to attack for longer periods of time."
[...] In the past 17 months, threat actors backed by the North Korean government have targeted developers twice, one of those times using a zero-day vulnerability.
Phylum researchers provided a deep-dive analysis of how the concealment worked.
[...]
One of the most innovative methods in recent memory for concealing an open source backdoor was discovered in March, just weeks before it was to be included in a production release of the XZ Utils[...] The person or group responsible spent years working on the backdoor. Besides the sophistication of the concealment method, the entity devoted large amounts of time to producing high-quality code for open source projects in a successful effort to build trust with other developers.
In May, Phylum disrupted a separate campaign that backdoored a package available in PyPI that also used steganography, a technique that embeds secret code into images.
"In the last few years, we've seen a dramatic rise in the sophistication and volume of malicious packages published to open source ecosystems," Phylum researchers wrote. "Make no mistake, these attacks are successful. It is absolutely imperative that developers and security organizations alike are keenly aware of this fact and are deeply vigilant with regard to open source libraries they consume."
Related stories on SoylentNews:
Trojanized jQuery Packages Found on Npm, GitHub, and jsDelivr Code Repositories - 20240713
48 Malicious Npm Packages Found Deploying Reverse Shells on Developer Systems - 20231104
Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google - 20220504
Dev Corrupts NPM Libs 'Colors' and 'Faker' Breaking Thousands of Apps - 20220111
Malicious NPM Packages are Part of a Malware "Barrage" Hitting Repositories - 20211213
Heavily Used Node.js Package Has a Code Injection Vulnerability - 20210227
Discord-Stealing Malware Invades NPM Packages - 20210124
Here's how NPM Plans to Improve Security and Reliability in 2019 - 20181217
NPM Fails Worldwide With "ERR! 418 I'm a Teapot" Error - 20180530
Backdoored Python Library Caught Stealing SSH Credentials - 20180511
(Score: 2) by PiMuNu on Sunday February 28 2021, @03:56PM (3 children)
Does "vulnerability" mean that the server is vulnerable or the client? i.e. is the vulnerability that the server side code says "what is your CPU" and I respond with a crafted response that overflows a buffer (or whatever) on the server and allows me to do Evil Things to the server?
(Score: 3, Informative) by leon_the_cat on Sunday February 28 2021, @04:55PM (1 child)
Server side, so yeah, you can do evil things to their server if they don't do some sanity check.
(Score: 2) by PiMuNu on Sunday February 28 2021, @09:06PM
Thanks
(Score: 1, Insightful) by Anonymous Coward on Sunday February 28 2021, @07:11PM
It's javascript, so the server is vulnerable and the client is vulnerable... it's vulnerable all the way down.
(Score: 1) by The Mighty Buzzard on Sunday February 28 2021, @06:06PM (4 children)
Look, I can see a noob contributor missing sanitizing a piece of user input. You should fucking well know better if you're maintaining project code though and you should be checking every last line.
My rights don't end where your fear begins.
(Score: 2, Flamebait) by Runaway1956 on Sunday February 28 2021, @07:35PM (1 child)
Code injection is just what we need to defeat the COVIDS!!! And, what about the obverse? Can we siphon away COVID code with it?
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 1, Offtopic) by c0lo on Monday March 01 2021, @02:44AM
No need to siphon COVID with npm, your former imperial masters already gifted theirs to you [nymag.com].
Looks like you're nursing it well, the infection rate stopped dropping about 2 weeks ago [worldometers.info]. 30-70% more transmissible and maybe 30% more lethal [webmd.com]. You interested in getting more data points? For science, of course.
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 2, Insightful) by Anonymous Coward on Sunday February 28 2021, @11:51PM (1 child)
Let's not hold our breath. Still seeing SQL injection attacks, [bankinfosecurity.com] 20 years after everyone with a brain had solved the problem.
(Score: 0) by Anonymous Coward on Monday March 01 2021, @06:52AM
Tell me about it. Everybody knows you should use mysql_escape_string(). Amateurs. </sarcasm>
(Score: 2, Funny) by Anonymous Coward on Sunday February 28 2021, @07:28PM (1 child)
How long until some dumb-ass millennial who's too lazy to write their own code looks for a library to assign a value to a variable?
(Score: 1, Funny) by Anonymous Coward on Sunday February 28 2021, @11:53PM
Isn't that literally half of github?