Researchers from Palo Alto Networks Unit 42 have disclosed a new high-severity vulnerability, CVE-2022-23529, in JsonWebToken, a widely used open-source JavaScript library.
Palo Alto Networks published a security advisory on Monday explaining how the flaw could let an attacker execute code remotely on a server that verifies a maliciously crafted JSON Web Token (JWT) request.
The jsonwebtoken module, developed and maintained by Okta's Auth0, lets developers create, validate and decode JSON Web Tokens, a compact signed format for exchanging claims between two parties for authentication and authorization. The package is downloaded more than 10 million times per week from the npm registry and is used by more than 22,000 projects.
The ability to run malicious code on such a server would break confidentiality and integrity guarantees, allowing an attacker to overwrite arbitrary files on the host and perform any other action of their choosing using a poisoned secret key. Unit 42 cautions, however, that exploitation requires the attacker to first compromise the secret management process between an application and the JsonWebToken server, which brings the CVSS severity down to 7.6 out of 10.
The researchers found that a threat actor could achieve remote code execution on a server that verifies a maliciously crafted JWS (JSON Web Signature) token. The flaw lies in JsonWebToken's verify() method, which validates a JWT and returns its decoded payload. The method takes three arguments: the token, the secretOrPublicKey, and an options object. Because verify() did not check the type of secretOrPublicKey before using it, an attacker who controls that value can pass an object in place of a key and have the library invoke the object's own methods during verification.
Artur Oleyarsh of Palo Alto Networks Unit 42 said, "An attacker will need to leverage a fault within the secret management mechanism to exploit the vulnerability mentioned in this post and manipulate the secretOrPublicKey value."
The researcher notes that Auth0's engineering team released a patch for the vulnerability in December 2022 (jsonwebtoken 9.0.0). "We appreciate the Auth0 team's competent handling of the disclosure procedure and the provision of a patch for the reported vulnerability," said Oleyarsh.
In closing, the researcher stressed the importance of security awareness when consuming open-source software. Downstream users need to proactively identify, mitigate and patch vulnerabilities in the components they depend on, since open-source packages are an attractive initial entry point for threat actors staging supply chain attacks. The fact that attackers now weaponize newly disclosed flaws considerably faster, shrinking the window between a patch release and exploit availability, only makes this harder.