Warnings over Node.js flaw that could lead to DoS attacks

Node.js admits to two critical security flaws but delays patching

Java drives new cross-platform DDoS bot malware
Java drives new cross-platform DDoS bot malware

TheNode.js Foundation has revealed a couple of bugs within its JavaScript software that could lead to major denial of service attacks against websites using the code. The issues affects versions of Node.js from version 0.12 up to version 5.

In a bulletin issued by the Foundation, the popular server-id JavaScript platform has two vulnerabilities. One covers "a high-impact denial-of-service vulnerability" while the other is a "low-impact V8 out-of-bounds access vulnerability." V8 is the JavaScript engine developed by Google and used by Node.js.

The DoS issue is labelled as CVE 2015-8027, while the access problem is identified as CVE-2015-6764. According to the bulletin, the first bug could allow a hacker to launch a denial of service. The second bug could enable a hacker to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application.

The issues were disclosed last week with patches due to be released yesterday. However, the Foundation announced that it will now delay releasing the patches until Friday. It said this was because of dependencies on OpenSSL, which itself has been found to contain further vulnerabilities.

“Node.js versions v0.10.x and v0.12.x depend on OpenSSL v1.0.1 and versions v4.x (LTS Argon) and v5.x depend on OpenSSL v1.0.2,” stated an advisory on the Node.js website. “As the Node.js build process statically links OpenSSL into binaries, we will be required to release patch-level updates to all of our actively supported versions to include the upstream fixes. While we are unaware of the exact nature of the OpenSSL vulnerabilities being fixed, we must consider it likely that Node.js releases will be required in order to protect users.”

It said the move to Friday was “unfortunate” but has to take into account of “the possibility of introducing a vulnerability gap between disclosure of OpenSSL vulnerabilities and patched releases by Node.js and therefore must respond as quickly as practical.”

“Please be aware that patching and testing of OpenSSL updates is a non-trivial exercise and there will be significant delay after the OpenSSL releases before we can be confident that Node.js builds are stable and suitable for release,” the organisation said.

Wim Remes, strategic services manager EMEA at Rapid7, said vulnerabilities in Node.js “impacts organisations across verticals, from ecommerce websites, over healthcare organisations, to critical infrastructure.”

“Hackers will leverage any vulnerability that allows them to gain control over a target. Denial of Service vulnerabilities are mostly used for targeted hacktivism or extortion purposes. The out-of-bounds access vulnerability, as it provides direct access to an infrastructure, would be a welcome tool in the arsenal of any digital criminal,” he said.

“With access to part of the infrastructure, an attacker can pivot further through the infrastructure, destroy information, exfiltrate information, install spying software, etc.  A vulnerability that provides direct access is the first tool an attacker needs to achieve their goals.”

Remes added that in this case patching is about the only thing an organisation can do.

“There are obviously ways to stop attacks using Web Application Firewalls or Intrusion Prevention Systems but given the severity of the issues, I would definitely recommend to prioritise patching. Additionally, making sure that any system which doesn't need to be on the internet is not reachable by external users is something that makes sense too,” said Remes.