ReDoS vulnerability in hawk (npm package)
Categories
(Security Assurance :: General, task)
Tracking
(Not tracked)
People
(Reporter: pmoore, Unassigned)
References
Details
(Keywords: reporter-external, sec-moderate, wsec-dos)
Attachments
(2 files)
On 1. May 2022, at 23:42, Shachar Menashe <shacharm@jfrog.com> wrote:
Hi,
My name is Shachar Menashe and I manage the vulnerability research
team at JFrog Security.
We believe that we’ve found a ReDoS (Regular Expression Denial of
Service) security issue in the package.
The ReDoS is of an exponential nature - meaning each added character
in the attacker's input increases the computation time exponentially.
The vulnerable regular expression can be found at
"/package/lib/utils.js" -
"/^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/;"
The DoS can be triggered when parsing the host of an attacker-supplied
request/response with Hawk.utils.parseHost().
We have attached a PoC script that demonstrates the vulnerability
We suggest fixing the regex by avoiding overlapping repeating groups
in the regex pattern.
If this vulnerability is indeed exploitable, we would be happy to work
with you on a coordinated disclosure per the industry standards, and
can also help with validation of any fixes. If it is not, please let
us know, we’d like to know why. Of course, please feel free to reach
out with any questions or comments you might have.
Looking forward to your response,
Shachar
<hawk_test.js.safe>
Comment 1•4 years ago
Checked attached js, indeed, things are slowing down exponentially:
$ node hawk_test.js
1 parseHost: 0.099ms
2 parseHost: 0.059ms
3 parseHost: 0.005ms
4 parseHost: 0.01ms
5 parseHost: 0.032ms
6 parseHost: 0.12ms
7 parseHost: 0.466ms
8 parseHost: 2.01ms
9 parseHost: 7.899ms
10 parseHost: 30.582ms
11 parseHost: 120.076ms
12 parseHost: 482.384ms
13 parseHost: 1.921s
14 parseHost: 7.612s
15 parseHost: 30.634s
16 parseHost: 2:03.775 (m:ss.mmm)
Original RegEx was added ~10 years ago: https://github.com/mozilla/hawk/blame/918f362291c2d3046baf7ec2290922b16456874b/lib/utils.js#L45
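The regex quoted in the report beside a regex-free parser of the kind the reporter suggests (no repeating groups that can share characters), shown as an added example that is not hawk's code and not the mozilla/hawk#286 patch; the parser design and the MAX_HOST_HEADER cap are assumptions.

```javascript
// Added example (not hawk's code and not the mozilla/hawk#286 patch):
// the Host-header regex from the report beside a regex-free parser.

// Regex as reported for hawk lib/utils.js before the fix.
const hostHeaderRegex =
  /^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/;

// Original shape: (?:\r\n)?\s is repeated, and \r and \n are themselves
// \s, so a run of CRLFs can be tiled in exponentially many ways before
// the engine gives up on a tail that cannot match.
function parseHostRegex(header) {
  const m = header.match(hostHeaderRegex);
  if (!m) return null;
  return { name: m[1], port: m[2] === undefined ? null : Number(m[2]) };
}

// Hardened replacement (assumed design): same alternation order as the
// regex, one linear pass, no repeated groups that can share characters,
// and a length cap as defence in depth.
const MAX_HOST_HEADER = 1024; // assumed limit
const PORT_SUFFIX = /^:\d+$/;  // anchored, single quantifier: linear

function parseHostSafe(header) {
  if (typeof header !== "string" || header.length > MAX_HOST_HEADER) return null;
  // trim() covers the leading/trailing \s the outer groups allowed; unlike
  // [^:]+ it does not keep trailing whitespace inside a port-less name.
  const value = header.trim();
  if (value === "") return null;
  const colon = value.indexOf(":");
  if (colon === -1) return { name: value, port: null };
  // Plain name: the only ':' must start a numeric port.
  if (colon > 0 && PORT_SUFFIX.test(value.slice(colon))) {
    return { name: value.slice(0, colon), port: Number(value.slice(colon + 1)) };
  }
  // IPv6 literal: "[...]" with at least one char inside, then optional port.
  if (value.startsWith("[")) {
    const close = value.indexOf("]");
    if (close > 1) {
      const rest = value.slice(close + 1);
      if (rest === "") return { name: value, port: null };
      if (PORT_SUFFIX.test(rest)) {
        return { name: value.slice(0, close + 1), port: Number(rest.slice(1)) };
      }
    }
  }
  return null;
}
```

Both functions return the same result for well-formed Host values; the safe one also rejects over-long headers and never backtracks.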
Comment 2•4 years ago
I'm not sure if there is a direct way to exploit taskcluster itself, as it would first fail on the certificate verification step or somewhere before it even reaches taskcluster api services.
curl 'https://community-tc.services.mozilla.com/graphql' -X POST -H 'Host: A:0
A' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Referer: https://community-tc.services.mozilla.com/' -H 'content-type: application/json' -H 'Origin: https://community-tc.services.mozilla.com' -H 'Connection: keep-alive' --data-raw '{"operationName":"IsLoggedIn","variables":{},"query":"query IsLoggedIn {\n isLoggedIn\n}\n"}'
Comment 3•4 years ago
Note, mozilla maintains and controls hawk these days (https://github.com/mozilla/hawk) and so this particular issue isn't just limited to taskcluster, but concerns hawk itself, which may be widely used outside of mozilla.
Comment 4•4 years ago
I'm working on a fix for the hawk library
Comment 5•4 years ago
Fix is here:
https://github.com/mozilla/hawk/pull/286/files
Although:
- This needs review (I don't have permissions to that repo)
- We'll need to publish a new version for hawk once this is merged. Who can do that?
Comment 6•4 years ago
(In reply to Yarik Kurmyza [:yarik] (he/him) (UTC+1) from comment #5)
> Fix is here:
> https://github.com/mozilla/hawk/pull/286/files
> Although:
> - This needs review (I don't have permissions to that repo)
Let's see who comments on the issue. I've updated the members https://github.com/orgs/mozilla/teams/taskcluster/members so there are several of us who can land the fix, but I'd like to solicit feedback from people that have contributed significantly to the project in the past.
> - We'll need to publish a new version for hawk once this is merged. Who can do that?
I believe we should be able to do that. Dustin coordinated the transfer to Mozilla, so we can also consult with him.
Comment 7•4 years ago
Shachar,
Could you also provide feedback on Yarik's proposed fix?
Many thanks,
Pete
Comment 8•4 years ago
(In reply to Pete Moore [:pmoore][:pete] from comment #7)
> Shachar,
> Could you also provide feedback on Yarik's proposed fix?
> Many thanks,
> Pete
Yes, reviewing it shortly...
Comment 9•4 years ago
Pete - the fix looks good from our side
Comment 10•4 years ago
New version with the fix was just published by [:mboris]
https://www.npmjs.com/package/hawk/v/9.0.1
Thanks!
Comment 11•4 years ago
Yarik - looks good!
Pete - do you intend to open a CVE for this issue?
Comment 12•4 years ago
Shachar,
we've created a new security advisory on Github, but were not sure if we should publish it as is, or request CVE.
It is not published yet.
Comment 13•4 years ago
Since we are a CNA and work mostly with CVE IDs, and ReDoS is considered a security issue, we would appreciate a CVE allocated for this.
Usually I offer to allocate a CVE myself, but since Mozilla is a CNA it should come from you guys (if I'm not mistaken).
ReDoS usually gets a CVSS of 5.9 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Comment 14•4 years ago
Thanks Shachar,
would you like to be included in the "Credits" section of the github advisory?
Otherwise I'm going to click "Request CVE".
Thanks
Comment 15•4 years ago
I'd just like the CVE to give credit to "JFrog Security Research"... other than that I don't mind
Comment 16•4 years ago
Great! Will add.
Comment 17•4 years ago
CVE was assigned by github team: CVE-2022-29167
Comment 18•4 years ago
Unfortunately our bounty program excludes DOS bugs.