A new vulnerability, CVE-2023-30588, has been identified in the Node.js crypto library that could lead to Denial-of-Service (DoS) attacks. The issue arises when an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API, resulting in an unexpected termination of the process. The severity of this vulnerability is high because an attacker could force interruptions in the application's processing, causing a DoS scenario. All active Node.js release lines, v16, v18, and v20, are affected by this vulnerability.

Exploit Details

Typically, an x509 certificate is used to verify the identity of a server or client in secure network communications. When an invalid public key is provided while creating an x509 certificate using the crypto.X509Certificate() API in Node.js, the process terminates unexpectedly. This termination results in the loss of the current user's context and consequently causes a DoS scenario.

Code Snippet

The following code snippet demonstrates how the vulnerability is triggered using the crypto.X509Certificate() API with an invalid public key in Node.js:

const crypto = require('crypto');
const fs = require('fs');

// Read an invalid public key from a file:
const invalidPublicKey = fs.readFileSync('path/to/invalid_public_key.pem', 'utf8');

// Create a new X509Certificate object using the invalid public key:
const x509Certificate = new crypto.X509Certificate(invalidPublicKey);

// Accessing public key info of the provided certificate:
const publicKeyInfo = x509Certificate.publicKey;

When executing this code, the process terminates unexpectedly due to the invalid public key.

Original References

The security vulnerability has been reported and documented on various platforms, including the official Node.js GitHub repository (https://github.com/nodejs/node/issues/) and the Node.js security vulnerability database (https://nodejs.org/en/vulnerabilities/).

How to Mitigate DoS Attacks

To protect your application from this DoS vulnerability, consider validating any provided public keys before using them to create x509 certificates. For example, accept only keys signed by a reputable certification authority (CA) and refuse self-signed certificates.

You can also apply rate limiting to prevent abusive attackers from repeatedly causing unexpected terminations due to invalid public keys.

Lastly, keep your Node.js version updated to the latest stable release. The Node.js team is actively working on fixing this vulnerability and might release a security patch soon, so always stay up to date with Node.js releases.

Conclusion

CVE-2023-30588 is a critical vulnerability in Node.js that poses a high risk of Denial-of-Service attacks. The issue occurs when an invalid public key is used to create an x509 certificate with the crypto.X509Certificate() API, causing an unexpected termination. By validating public keys before creating x509 certificates, applying rate limiting, and keeping your Node.js version up to date, you can protect your application against this vulnerability.

Timeline

Published on: 11/28/2023 20:15:07 UTC
Last modified on: 12/04/2023 17:40:31 UTC