CVE-2022-44749: ZIP Vulnerability Discovered in KNIME Analytics Platform, Allowing Attackers to Overwrite Files

CVE-2022-44749 is a recently discovered directory traversal vulnerability affecting the KNIME Analytics Platform versions 3.2. and above. This privately disclosed vulnerability has been given the nickname 'Zip-Slip' due to its nature to compromise the integrity of the user's system while extracting ZIP archives. The exploit allows an attacker to create malicious KNIME workflow files that can overwrite arbitrary files once opened by a user.

Impact

The vulnerability's impact includes the risk of data integrity loss, potential errors caused in other software, and even the possibility of remote code execution. For a successful attack, the attacker would need prior knowledge about the specific file locations on the target user's system. It's crucial to note that the compromised files are overwritten immediately after opening the malicious workflow, and the user receives an error notification only after the files have been overwritten.

Exploit Details

As this vulnerability affects ZIP archive extraction routines, the attacker takes advantage of the directory traversal flaws to craft a KNIME workflow containing malicious ZIP entries. In this case, the attacker includes files with relative paths that point to the target directories the attacker aims to overwrite.

The following code snippet illustrates how a malicious file entry can be added to a ZIP archive

import zipfile

malicious_entry = "file_to_overwrite_here"
with zipfile.ZipFile("malicious_workflow.knime", "w") as zip:
    zip.writestr("../../../../../../path/to/target/directory/" + malicious_entry, "malicious content")

In the example, the malicious_entry variable contains the name of the file that should be overwritten, and the relative path (../../../../../../path/to/target/directory/) refers to the directory where the target file is present. The ZIP archive (malicious_workflow.knime) created in this manner contains the file entry that overwrites an existing file when opened in KNIME Analytics Platform.

Original References:

The 'Zip-Slip' vulnerability was initially discovered and documented in 2018 by the security research team at Snyk. Here are the links to their original findings and resources for further reference:

1. Snyk's blog post about the 'Zip-Slip' vulnerability: https://snyk.io/blog/zip-slip-vulnerability/
2. Technical details and examples in multiple languages: https://github.com/snyk/zip-slip-vulnerability
3. CVE-2018-100220: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-100220

Mitigation

The KNIME Analytics Platform development team has acknowledged the issue and is currently working on a patch to prevent the exploitation of this vulnerability. Until an official fix is released, users should exercise caution when opening or importing untrusted KNIME workflows.

Concluding Thoughts

This directory traversal vulnerability, CVE-2022-44749, highlights the importance of thorough security testing and validation for all software components, including those responsible for archive management. Users of KNIME Analytics Platform, especially those utilizing versions 3.2. or later, are urged to remain vigilant to prevent unauthorized file modification or potential security breaches.

Timeline

Published on: 11/24/2022 07:15:00 UTC
Last modified on: 11/30/2022 19:48:00 UTC