HD-2024-1409

Denial of Service
Affects: Node.js 14.21.3 LTS, 16.20.2 LTS
in
Node.js
Node.js NES
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Security Advisory: Node.js v14 and many Node.js v16 versions still use a version of OpenSSL that may expose them to a denial of service. Processing a maliciously formatted PKCS12 file may cause OpenSSL to crash, leading to a potential denial of service attack.

Details

Module Info

Affected packages: openssl

Affected versions:

1.0.2 up to (excluding) 1.0.2zj
1.1.1 up to (excluding) 1.1.1x
3.0.0 up to (excluding) 3.0.13
3.1.0 up to (excluding) 3.1.5

Repository: https://github.com/openssl/openssl

Published packages: openssl

Vulnerability Info

This is considered a medium severity issue. It is present in several branches of OpenSSL and can affect projects that consume these versions.

OpenSSL is able to use a file in the PKCS12 format to hold certificates and keys. While the PKCS12 specification allows certain fields to be NULL, OpenSSL does not correctly check for this case. When such a field is NULL, OpenSSL attempts to dereference a NULL pointer, which results in OpenSSL crashing.

If an application processes PKCS12 files using the OpenSSL APIs then that application will be vulnerable to this issue. 

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). 

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Steps To Reproduce

  • Set up a machine with a version of Node that relies on OpenSSL from 1.0.2 to 3.1.5 before the patch was applied.
  • Create or modify a PKCS12 file where certain fields that are allowed to be NULL in the specification are indeed NULL. Start with a key:

    openssl pkcs12 -export -in cert.pem -inkey key.pem -out malicious.p12 -passout pass:password

  • Modify the file with a hex editor or software that can modify the file. Insert null values for certain fields.
  • Use a vulnerable version of OpenSSL that uses the malicious key and observe that it crashes.

A workaround is not available.

Mitigation

OpenSSL is a popular library and is frequently bundled with other packages such as Node.js. Ensure that you are running a version of Node.js that continues to receive dependency updates, to avoid security gaps in your software. Update to the latest version of Node.js or make use of commercial support from a vendor like HeroDevs.
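
As an added example (not code from HeroDevs or the OpenSSL project), the following Node.js script compares the OpenSSL version reported by process.versions.openssl against the affected ranges listed under Module Info. The helper names parseOpenSSL, compare and isAffected are hypothetical and introduced only for illustration.

```javascript
// Added example, not HeroDevs or OpenSSL code. Function names are hypothetical.
// Affected ranges copied from this advisory: [first affected, first fixed).
const AFFECTED = [
  ['1.0.2', '1.0.2zj'],
  ['1.1.1', '1.1.1x'],
  ['3.0.0', '3.0.13'],
  ['3.1.0', '3.1.5'],
];

// "1.1.1w+quic" -> [1, 1, 1, 23]. Pre-3.0 releases carry a letter suffix
// ordered a..z, za..zz, so summing the letters (a=1 ... z=26) preserves order.
// Build metadata such as "+quic" is ignored.
function parseOpenSSL(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(z*[a-z])?/.exec(String(version).trim());
  if (!m) return null;
  const letters = [...(m[4] || '')].reduce((n, c) => n + c.charCodeAt(0) - 96, 0);
  return [Number(m[1]), Number(m[2]), Number(m[3]), letters];
}

// Field-by-field comparison of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is inside one of the advisory's affected ranges.
function isAffected(version) {
  const v = parseOpenSSL(version);
  if (!v) throw new Error(`unrecognised OpenSSL version: ${version}`);
  return AFFECTED.some(([first, fixed]) =>
    compare(v, parseOpenSSL(first)) >= 0 && compare(v, parseOpenSSL(fixed)) < 0);
}

// Check the OpenSSL version that this Node.js process reports.
const bundled = process.versions.openssl;
if (bundled && parseOpenSSL(bundled)) {
  const verdict = isAffected(bundled) ? 'inside' : 'outside';
  console.log(`Node ${process.version}, OpenSSL ${bundled}: ${verdict} the affected ranges`);
}
```

A build that carries backported fixes may keep an older version string, so treat an "inside" result as a prompt to confirm with the vendor rather than as proof of exposure.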

Additional Resources

Vulnerability Details

ID: HD-2024-1409
Project affected: Node.js
Versions affected: 14.21.3 LTS, 16.20.2 LTS
Published date: October 15, 2024
≈ Fix date: August 9, 2023
Fixed in:
Severity: Medium
Category: Denial of Service