HD-2024-1409

Denial of Service
Affects
Node.js
>=14.0.0 <=14.21.3, >=16.0.0 <=16.20.2
in
Node.js
Node.js NES
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version of Node.js offered by HeroDevs.

Overview

Security Advisory: Node.js 14 and Node.js 16 bundle a version of OpenSSL that is exposed to a Denial of Service vulnerability. Processing a maliciously formatted PKCS12 file can make OpenSSL dereference a NULL pointer and crash, taking the Node.js process down with it.

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability exists in several release branches of OpenSSL and affects projects that consume the following OpenSSL versions:

  • versions greater than or equal to 1.0.2 but less than 1.0.2zj
  • versions greater than or equal to 1.1.1 but less than 1.1.1x
  • versions greater than or equal to 3.0.0 but less than 3.0.13
  • versions greater than or equal to 3.1.0 but less than 3.1.5

OpenSSL can use a file in the PKCS12 format to hold certificates and keys. The PKCS12 specification marks certain fields as OPTIONAL, so a well-formed file may omit them and OpenSSL's decoder then leaves the corresponding pointer NULL. The affected OpenSSL versions do not check for this case: when such a field is absent, the PKCS12 code dereferences the NULL pointer and the process crashes.

Any application that processes untrusted PKCS12 files through the OpenSSL APIs is therefore vulnerable. In Node.js this path is reached when a PKCS12 file is supplied through the pfx option of tls.createSecureContext() or of the APIs built on it, such as https.createServer() and tls.connect(); Node.js hands the buffer to OpenSSL's PKCS12_parse().

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Steps To Reproduce

  • Set up a machine with an affected Node.js release (14.x up to 14.21.3 or 16.x up to 16.20.2). These lines bundle OpenSSL 1.1.1 older than 1.1.1x; a Node.js build linked against a system OpenSSL is affected according to that library's version (1.0.2 before 1.0.2zj, 1.1.1 before 1.1.1x, 3.0 before 3.0.13, 3.1 before 3.1.5).
  • Create a PKCS12 file in which a field the specification marks OPTIONAL is absent. Start from a well-formed file:
openssl pkcs12 -export \
  -in cert.pem -inkey key.pem \
  -out malicious.p12 -passout pass:password
  • Modify the file with a hex editor or an ASN.1/DER tool. The simplest variant is to remove the [0] EXPLICIT content element of the authSafe ContentInfo (the element that follows the id-data OBJECT IDENTIFIER) and to drop the trailing macData, fixing up the enclosing SEQUENCE lengths so the DER still decodes. OpenSSL then parses the file with a NULL authsafes->d.data pointer.
  • Load the modified file through the vulnerable OpenSSL build, for Node.js by passing it as the pfx option to tls.createSecureContext() or https.createServer(), and observe that the process crashes with a NULL pointer dereference instead of failing with a decode error.

Mitigation

OpenSSL is a widely used library that is bundled with other software, including Node.js. Ensure that you are running a Node.js release line that still receives dependency updates, so that OpenSSL fixes reach your software without leaving a security gap.

Users of Node.js versions that are no longer supported should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Node.js.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Additional Resources

Vulnerability Details
ID: HD-2024-1409
Project Affected: Node.js
Versions Affected: >=14.0.0 <=14.21.3, >=16.0.0 <=16.20.2
Published date: October 15, 2024
≈ Fix date: August 9, 2023
Fixed in:
Severity: Medium
Category: Denial of Service