A newly discovered cryptographic vulnerability, identified as CVE-2023-23919, affects certain Node.js versions. Specifically, it impacts Node.js versions <19.2., <18.14.1, <16.19.1, and <14.21.3. The issue arises because Node.js fails to clear the OpenSSL error stack after several operations, which can lead to false positive errors in later, unrelated operations and potentially to a Denial of Service (DoS).

The Problem

In some cases, Node.js does not clear the OpenSSL error stack after specific operations that may set it. Because OpenSSL keeps that error stack per thread, subsequent cryptographic operations on the same thread may pick up the stale entries and report false positive errors even though they themselves succeeded.

In this scenario, stale error state is left behind in OpenSSL and surfaces as spurious failures in operations that did nothing wrong. If these false positive errors are left unchecked, bad actors who can trigger them repeatedly can use them to mount a DoS attack on your applications.

Exploit Details

While there is no concrete evidence of an exploit being actively used in the wild to date, it's essential to understand the potential implications of not addressing this vulnerability. In a DoS attack scenario, a threat actor could exploit the vulnerability by repeatedly triggering false positive errors on the same thread, which could eventually overwhelm the target system's resources and result in a DoS.

Code Snippet

Here is a simplified example of a vulnerable code snippet that does not clear the OpenSSL error stack:

const crypto = require('crypto');
const dataToEncrypt = 'sensitive data';

// Attempt encryption with an invalid key, generating an error on the error stack.
try {
  const cipher = crypto.createCipheriv('aes-128-cbc', 'invalid-key', 'someiv');
  cipher.update(dataToEncrypt, 'utf8', 'hex');
  cipher.final('hex');
} catch (err) {
  // Log the error.
  console.error('Error encrypting:', err);
}

// Perform another unrelated cryptographic operation.
try {
  const md5hash = crypto.createHash('md5');
  md5hash.update('test-string');
  md5hash.digest('hex');
} catch (err) {
  // Log the error (false positive).
  console.error('Error hashing:', err);
}

The snippet first attempts an encryption that fails because the key is invalid. On an affected version the resulting OpenSSL error state is not cleared, so the unrelated hash operation that follows on the same thread can report a false positive error.

Solution

The Node.js security team has released a patch for this vulnerability. Users are advised to upgrade their Node.js installations to the following versions or later:

Node.js 14.21.3

Additionally, you can find more details about this security patch in the official Node.js security releases blog post.

Here is a list of original references and sources for this vulnerability:

- CVE-2023-23919
- Node.js Security Releases
- OpenSSL

In conclusion, CVE-2023-23919 is a cryptographic vulnerability in certain Node.js versions that can lead to false positive errors and cause a DoS if exploited. It is crucial to update your Node.js installation to a version that includes the security patch to protect your applications against potential attacks.

Timeline

Published on: 02/23/2023 20:15:00 UTC
Last modified on: 03/16/2023 16:15:00 UTC