By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

HD-2024-1409

Denial of Service

Affects

Node.js

14.21.3 LTS 16.20.2 LTS

Node.js

Node.js NES

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Security Advisory: Node.js v14 and many Node v16 versions still use a version of openssl which may expose them to a Denial of Service vulnerability. Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack.

‍

Details

Module Info

‍Product: Node.js
‍Affected packages: openssl
‍Affected versions: >=1.0.2 <1.0.2zj, >=1.1.1 <1.1.1x, >=3.0.0 <3.0.13, >=3.1.0 <3.1.5
‍GitHub repository: https://github.com/openssl/openssl
‍Published packages: https://openssl-library.org/source/index.html‍
Package manager: -

‍

Vulnerability Info

This is considered a medium-severity issue and can be found in several branches of openssl and can affect projects that consume these versions.

OpenSSL is able to use a file in the PKCS12 format to hold certificates and keys. While the PKCS12 specification allows certain fields to be NULL, OpenSSL does not correctly check for this case. In the event that the field is null, OpenSSL attempts to dereference a null pointer, which results in OpenSSL crashing.

If an application processes PKCS12 files using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

‍

Steps To Reproduce

Set up a machine with a version of Node.js that relies on OpenSSL from version 1.0.2 to 3.1.5 before the patch was applied.
Create or modify a PKCS12 file where certain fields that are allowed to be NULL in the specification are indeed NULL. Start with a key:

openssl pkcs12 -export \
  -in cert.pem -inkey key.pem \
  -out malicious.p12 -passout pass:password

Modify the file with a hex editor or software that can modify the file. Insert null values for certain fields.
Use a vulnerable version of OpenSSL that uses the malicious key and observe that it crashes.

‍

Mitigation

OpenSSL is a popular library and is frequently bundled with other packages such as Node.js. Ensure that you are running a version of Node.js that continues to maintain dependency updates to avoid security gaps in your software. Update to the latest version of Node.js or make use of commercial support from a vendor like HeroDevs.

‍