Vulnerabilities > CVE-2018-7160 - Authentication Bypass by Spoofing vulnerability in Nodejs Node.Js

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
nodejs
CWE-290
nessus
NVD
Published: 2018-05-17
Updated: 2023-11-07

Summary

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.

Vulnerable Configurations

Part Description Count
Application
Nodejs
69

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Exploitation of Session Variables, Resource IDs and other Trusted Credentials
    Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes "trust" other systems because they are behind a firewall. In a similar way servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improperly correlation with access control policy enforcement points. Exposed configuration and properties files that contain system passwords, database connection strings, and such may also give an attacker an edge to identify these identifiers. The net result is that spoofing and impersonation is possible leading to an attacker's ability to break authentication, authorization, and audit controls on the system.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
  • Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
    When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller when constructing a request would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. There is a practical attack against an authentication scheme of this nature that makes use of the hash function extension / padding weakness. Leveraging this weakness, an attacker, who does not know the secret token, is able to modify the parameters passed to the web service by generating their own call and still generate a legitimate signature hash. For instance, consider the message to be passed to the web service is M (this message includes the parameters passed to the web service concatenated with the secret token / key bytes). The message M is hashed and that hash is passed to the web service and is used for authentication. The attacker does not know M, but can see Hash (M) and Length (M). The attacker can then compute Hash (M || Padding (M) II M') for any M'. The attacker does not know the entire message M, specifically the attacker does not know the secret bytes, but that does not matter. The attacker is still able to sign their own message M' and make the called web service verify the integrity of the message without an error. Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, to compute the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work just as well with another hash function like SHA1.
  • Signature Spoof
    An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1183-1.NASL
    descriptionThis update for nodejs6 fixes the following issues : - Fix some node-gyp permissions - New upstream LTS release 6.14.1 : - Security fixes : + CVE-2018-7160: Fix for inspector DNS rebinding vulnerability (bsc#1087463) + CVE-2018-7158: Fix for
    last seen2020-03-21
    modified2019-01-02
    plugin id120022
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120022
    titleSUSE SLES12 Security Update : nodejs6 (SUSE-SU-2018:1183-1)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:1183-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(120022);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/20");

  script_cve_id("CVE-2018-7158", "CVE-2018-7159", "CVE-2018-7160");

  script_name(english:"SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2018:1183-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for nodejs6 fixes the following issues :

  - Fix some node-gyp permissions

  - New upstream LTS release 6.14.1 :

  - Security fixes :

  + CVE-2018-7160: Fix for inspector DNS rebinding
    vulnerability (bsc#1087463)

  + CVE-2018-7158: Fix for 'path' module regular expression
    denial of service (bsc#1087459)

  + CVE-2018-7159: Reject spaces in HTTP Content-Length
    header values (bsc#1087453)

  - New upstream LTS release 6.13.1 :

  - http,tls: better support for IPv6 addresses

  - console: added console.count() and console.clear()

  - crypto :

  + expose ECDH class

  + added cypto.randomFill() and crypto.randomFillSync()

  + warn on invalid authentication tag length

  - deps: upgrade libuv to 1.16.1

  - dgram: added socket.setMulticastInterface()

  - http: add agent.keepSocketAlive and agent.reuseSocket as to allow
overridable keep-alive behavior of Agent

  - lib: return this from net.Socket.end()

  - module: add builtinModules api that provides list of all
    builtin modules in Node

  - net: return this from getConnections()

  - promises: more robust stringification for unhandled
    rejections

  - repl: improve require() autocompletion

  - src :

  + add openssl-system-ca-path configure option

  + add --use-bundled-ca --use-openssl-ca check

  + add process.ppid

  - tls: accept lookup option for tls.connect()

  - tools,build: a new macOS installer!

  - url: WHATWG URL api support

  - util: add %i and %f formatting specifiers

  - remove any old manpage files in %pre from before
    update-alternatives were used to manage symlinks to
    these manpages.

  - Add Recommends and BuildRequire on python2 for npm.
    node-gyp requires this old version of python for now.
    This is only needed for binary modules.

  - even on recent codestreams there is no binutils gold on
    s390 only on s390x

  - New upstream LTS release 6.12.3 :

  - v8: profiler-related fixes

  - mostly documentation and test related changes

  - Enable CI tests in %check target

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1087453"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1087459"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1087463"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-7158/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-7159/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-7160/"
  );
  # https://www.suse.com/support/update/announcement/2018/suse-su-20181183-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?674d3723"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE OpenStack Cloud 7:zypper in -t patch
SUSE-OpenStack-Cloud-7-2018-825=1

SUSE Linux Enterprise Module for Web Scripting 12:zypper in -t patch
SUSE-SLE-Module-Web-Scripting-12-2018-825=1

SUSE Enterprise Storage 4:zypper in -t patch SUSE-Storage-4-2018-825=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs6-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs6-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs6-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:npm6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/02");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp);


flag = 0;
if (rpm_check(release:"SLES12", sp:"0", reference:"nodejs6-6.14.1-11.12.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"nodejs6-debuginfo-6.14.1-11.12.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"nodejs6-debugsource-6.14.1-11.12.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"nodejs6-devel-6.14.1-11.12.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"npm6-6.14.1-11.12.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nodejs6");
}
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_5A9BBB6E32D311E8A7696DAABA161086.NASL
    descriptionNode.js reports : Node.js Inspector DNS rebinding vulnerability (CVE-2018-7160) Node.js 6.x and later include a debugger protocol (also known as
    last seen2020-06-01
    modified2020-06-02
    plugin id108738
    published2018-03-30
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108738
    titleFreeBSD : node.js -- multiple vulnerabilities (5a9bbb6e-32d3-11e8-a769-6daaba161086)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(108738);
  script_version("1.4");
  script_cvs_date("Date: 2018/11/10 11:49:46");

  script_cve_id("CVE-2018-7158", "CVE-2018-7159", "CVE-2018-7160");

  script_name(english:"FreeBSD : node.js -- multiple vulnerabilities (5a9bbb6e-32d3-11e8-a769-6daaba161086)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Node.js reports : Node.js Inspector DNS rebinding vulnerability
(CVE-2018-7160) Node.js 6.x and later include a debugger protocol
(also known as 'inspector') that can be activated by the --inspect and
related command line flags. This debugger service was vulnerable to a
DNS rebinding attack which could be exploited to perform remote code
execution. 'path' module regular expression denial of service
(CVE-2018-7158) The 'path' module in the Node.js 4.x release line
contains a potential regular expression denial of service (ReDoS)
vector. The code in question was replaced in Node.js 6.x and later so
this vulnerability only impacts all versions of Node.js 4.x. Spaces in
HTTP Content-Length header values are ignored (CVE-2018-7159) The HTTP
parser in all current versions of Node.js ignores spaces in the
Content-Length header, allowing input such as Content-Length: 1 2 to
be interpreted as having a value of 12. The HTTP specification does
not allow for spaces in the Content-Length value and the Node.js HTTP
parser has been brought into line on this particular difference."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/"
  );
  # https://vuxml.freebsd.org/freebsd/5a9bbb6e-32d3-11e8-a769-6daaba161086.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f65da06c"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:node");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:node4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:node6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:node8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"node4<4.9.0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"node6<6.14.0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"node8<8.11.0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"node<9.10.0")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyMisc.
    NASL idNODEJS_2018_MAR.NASL
    descriptionThe version of Node.js installed on the remote host is 4.x prior to 4.9.0, 6.x prior to 6.14.0, 8.x prior to 8.11.0 or 9.x prior to 9.10.0. It, therefore, is affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id118933
    published2018-11-14
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118933
    titleNode.js multiple vulnerabilities (March 2018 Security Releases).
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118933);
  script_version("1.3");
  script_cvs_date("Date: 2019/11/04");

  script_cve_id("CVE-2018-7158", "CVE-2018-7159", "CVE-2018-7160");

  script_name(english:"Node.js multiple vulnerabilities (March 2018 Security Releases).");
  script_summary(english:"Checks the Node.js version.");

  script_set_attribute(attribute:"synopsis", value:
"Node.js - JavaScript run-time environment is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Node.js installed on the remote host is 4.x prior to 4.9.0,
6.x prior to 6.14.0, 8.x prior to 8.11.0 or 9.x prior to 9.10.0.
It, therefore, is affected by multiple vulnerabilities.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d516633a");
  script_set_attribute(attribute:"solution", value:
"Upgrade Node.js to a recommended by vendor version or above");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7160");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"agent", value:"all");


  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/14");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:nodejs:node.js");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("os_fingerprint.nasl", "nodejs_win_installed.nbin");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("installed_sw/Node.js");

  exit(0);
}

include("vcf.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

win_local = FALSE;
os = get_kb_item_or_exit("Host/OS");
if ("windows" >< tolower(os)) win_local = TRUE;

app_info = vcf::get_app_info(app:"Node.js", win_local:win_local);

vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
  { "min_version" : "4.0.0", "fixed_version" : "4.9.0" },
  { "min_version" : "6.0.0", "fixed_version" : "6.14.0" },
  { "min_version" : "8.0.0", "fixed_version" : "8.11.0" },
  { "min_version" : "9.0.0", "fixed_version" : "9.10.0" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-444.NASL
    descriptionThis update for nodejs6 fixes the following issues : - Fix some node-gyp permissions - New upstream LTS release 6.14.1 : - Security fixes : + CVE-2018-7160: Fix for inspector DNS rebinding vulnerability (bsc#1087463) + CVE-2018-7158: Fix for
    last seen2020-06-05
    modified2018-05-11
    plugin id109717
    published2018-05-11
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109717
    titleopenSUSE Security Update : nodejs6 (openSUSE-2018-444)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-444.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(109717);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2018-7158", "CVE-2018-7159", "CVE-2018-7160");

  script_name(english:"openSUSE Security Update : nodejs6 (openSUSE-2018-444)");
  script_summary(english:"Check for the openSUSE-2018-444 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for nodejs6 fixes the following issues :

  - Fix some node-gyp permissions

  - New upstream LTS release 6.14.1 :

  - Security fixes :

  + CVE-2018-7160: Fix for inspector DNS rebinding
    vulnerability (bsc#1087463)

  + CVE-2018-7158: Fix for 'path' module regular expression
    denial of service (bsc#1087459)

  + CVE-2018-7159: Reject spaces in HTTP Content-Length
    header values (bsc#1087453)

  - New upstream LTS release 6.13.1 :

  - http,tls: better support for IPv6 addresses

  - console: added console.count() and console.clear()

  - crypto :

  + expose ECDH class

  + added cypto.randomFill() and crypto.randomFillSync()

  + warn on invalid authentication tag length

  - deps: upgrade libuv to 1.16.1

  - dgram: added socket.setMulticastInterface()

  - http: add agent.keepSocketAlive and agent.reuseSocket as to
allow overridable keep-alive behavior of Agent

  - lib: return this from net.Socket.end()

  - module: add builtinModules api that provides list of all
    builtin modules in Node

  - net: return this from getConnections()

  - promises: more robust stringification for unhandled
    rejections

  - repl: improve require() autocompletion

  - src :

  + add openssl-system-ca-path configure option

  + add --use-bundled-ca --use-openssl-ca check

  + add process.ppid

  - tls: accept lookup option for tls.connect()

  - tools,build: a new macOS installer!

  - url: WHATWG URL api support

  - util: add %i and %f formatting specifiers

  - remove any old manpage files in %pre from before
    update-alternatives were used to manage symlinks to
    these manpages.

  - Add Recommends and BuildRequire on python2 for npm.
    node-gyp requires this old version of python for now.
    This is only needed for binary modules.

  - even on recent codestreams there is no binutils gold on
    s390 only on s390x

  - New upstream LTS release 6.12.3 :

  - v8: profiler-related fixes

  - mostly documentation and test related changes

  - Enable CI tests in %check target

This update was imported from the SUSE:SLE-12:Update update project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1087453"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1087459"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1087463"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected nodejs6 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nodejs6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nodejs6-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nodejs6-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nodejs6-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:npm6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.3", reference:"nodejs6-6.14.1-9.2") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"nodejs6-debuginfo-6.14.1-9.2") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"nodejs6-debugsource-6.14.1-9.2") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"nodejs6-devel-6.14.1-9.2") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"npm6-6.14.1-9.2") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nodejs6 / nodejs6-debuginfo / nodejs6-debugsource / nodejs6-devel / etc");
}
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL63025104.NASL
    descriptionThe Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.(CVE-2018-7160) Impact An attacker usinga malicious website may be able to remotely perform arbitrary code execution. BIG-IP This vulnerability isexposed when youlicenseand provisioniRulesLX andinvoke Node.jsusing an iRule, or when you install iAppsLXanduse the BIG-IP Configuration utility (GUI). F5 SSL Orchestrator This vulnerability is exposed when using the Configuration utility (GUI) for F5 SSL Orchestrator.
    last seen2020-03-17
    modified2019-12-31
    plugin id132574
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132574
    titleF5 Networks BIG-IP : NodeJS vulnerability (K63025104)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K63025104.
#
# The text description of this plugin is (C) F5 Networks.
#

include("compat.inc");

if (description)
{
  script_id(132574);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09");

  script_cve_id("CVE-2018-7160");

  script_name(english:"F5 Networks BIG-IP : NodeJS vulnerability (K63025104)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The Node.js inspector, in 6.x and later is vulnerable to a DNS
rebinding attack which could be exploited to perform remote code
execution. An attack is possible from malicious websites open in a web
browser on the same computer, or another computer with network access
to the computer running the Node.js process. A malicious website could
use a DNS rebinding attack to trick the web browser to bypass
same-origin-policy checks and to allow HTTP connections to localhost
or to hosts on the local network. If a Node.js process with the debug
port active is running on localhost or on a host on the local network,
the malicious website could connect to it as a debugger, and get full
code execution access.(CVE-2018-7160)

Impact

An attacker usinga malicious website may be able to remotely perform
arbitrary code execution.

BIG-IP

This vulnerability isexposed when youlicenseand provisioniRulesLX
andinvoke Node.jsusing an iRule, or when you install iAppsLXanduse the
BIG-IP Configuration utility (GUI).

F5 SSL Orchestrator

This vulnerability is exposed when using the Configuration utility
(GUI) for F5 SSL Orchestrator."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K63025104"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution K63025104."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version");

  exit(0);
}


include("f5_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "K63025104";
vmatrix = make_array();

# AFM
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected"  ] = make_list("14.1.0","14.0.0","13.1.0-13.1.2");
vmatrix["AFM"]["unaffected"] = make_list("14.1.0.6","14.0.0.5","13.1.3");

# AM
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected"  ] = make_list("14.1.0","14.0.0","13.1.0-13.1.2");
vmatrix["AM"]["unaffected"] = make_list("14.1.0.6","14.0.0.5","13.1.3");

# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected"  ] = make_list("14.1.0","14.0.0","13.1.0-13.1.2");
vmatrix["APM"]["unaffected"] = make_list("14.1.0.6","14.0.0.5","13.1.3");

# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected"  ] = make_list("14.1.0","14.0.0","13.1.0-13.1.2");
vmatrix["ASM"]["unaffected"] = make_list("14.1.0.6","14.0.0.5","13.1.3");

# AVR
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected"  ] = make_list("14.1.0","14.0.0","13.1.0-13.1.2");
vmatrix["AVR"]["unaffected"] = make_list("14.1.0.6","14.0.0.5","13.1.3");

# GTM
vmatrix["GTM"] = make_array();
vmatrix["GTM"]["affected"  ] = make_list("14.1.0","14.0.0","13.1.0-13.1.2");
vmatrix["GTM"]["unaffected"] = make_list("14.1.0.6","14.0.0.5","13.1.3");

# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected"  ] = make_list("14.1.0","14.0.0","13.1.0-13.1.2");
vmatrix["LC"]["unaffected"] = make_list("14.1.0.6","14.0.0.5","13.1.3");

# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected"  ] = make_list("14.1.0","14.0.0","13.1.0-13.1.2");
vmatrix["LTM"]["unaffected"] = make_list("14.1.0.6","14.0.0.5","13.1.3");

# PEM
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected"  ] = make_list("14.1.0","14.0.0","13.1.0-13.1.2");
vmatrix["PEM"]["unaffected"] = make_list("14.1.0.6","14.0.0.5","13.1.3");


if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = bigip_get_tested_modules();
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}

Redhat

rpms
  • rh-nodejs8-nodejs-0:8.11.4-1.el7
  • rh-nodejs8-nodejs-debuginfo-0:8.11.4-1.el7
  • rh-nodejs8-nodejs-devel-0:8.11.4-1.el7
  • rh-nodejs8-nodejs-docs-0:8.11.4-1.el7
  • rh-nodejs8-npm-0:5.6.0-8.11.4.1.el7

References