Overview
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in server-side applications.
An Hijack Execution Flow vulnerability has been identified in Node.js. The issue stems from DLL Hijacking under certain conditions on Windows platforms. This weakness allows attackers to execute arbitrary code.
This vulnerability affects specific versions of the package and can result in unauthorized access. Details on affected versions and reproduction steps are provided below.
Details
Module Info
Affected packages: Node.js
Affected versions: 4.0 < 14.20.0, 16 < 16.20.0, 18 < 18.5.0
GitHub repository: https://github.com/nodejs/node
Published packages: https://github.com/nodejs/node/releases
Package manager: npm
Fixed in: Node.js NES version 12
Vulnerability Info
In a Windows environment, if OpenSSL is installed and the configuration file exists, the system searches for providers.dll in the current user directory. This behavior can be exploited by attackers to execute arbitrary code.
This vulnerability is a result of improper DLL search order, and may allow attackers to execute arbitrary code.
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://hackerone.com/reports/1447455
Steps To Reproduce
1. Ensure that the configuration file exists at “C:\Program Files\Common Files\SSL\openssl.cnf”.
2. Place a malicious providers.dll in the current user directory and run node.exe.
Credits
- Yakir Kadkoda
Mitigation
This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.
- Update to a patched LTS version of Node.js
- Leverage a commercial support partner like HeroDevs for post-EOL security.
Refer to the NES documentation link for upgrade instructions.
