CVE-2023-42810 - Systeminformation Library SSID Command Injection Vulnerability in Node.JS Versions 5.. through 5.21.6

The popular Node.JS library "systeminformation" has been discovered to have a serious security vulnerability. The vulnerability is classified under the Common Vulnerabilities and Exposures (CVE) ID: CVE-2023-42810. This vulnerability affects the library versions 5.. through 5.21.6. In this post, we will discuss the vulnerability in detail, along with code snippets, original references, and exploit details.

Systeminformation Library and Vulnerability

"systeminformation" is a well-known system information library for Node.JS. It is widely used by developers to gather detailed information about the underlying system, such as hardware details, operating system details, CPU, memory, disk, and network information.

The identified vulnerability is an SSID Command Injection vulnerability that resides in the wifiConnections() and wifiNetworks() functions. These functions are used to gather information about nearby WiFi connections and networks, and can be exploited if an attacker is able to inject a malicious parameter within the SSID (service set identifier). The problem was addressed and fixed in version 5.21.7 of the library where a parameter check was introduced to mitigate the risk.

Below is a simple code snippet that demonstrates how this vulnerability can be exploited

const si = require('systeminformation');

// Malicious SSID containing an injected command
const maliciousSSID = '"; echo "Injection Successful';

// A vulnerable call to the wifiConnections() function
si.wifiConnections(maliciousSSID)
  .then(data => console.log(data))
  .catch(error => console.log(error));

// Similarly, a vulnerable call to the wifiNetworks() function
si.wifiNetworks(maliciousSSID)
  .then(data => console.log(data))
  .catch(error => console.log(error));

In this example, the attacker has included an additional command within the maliciousSSID variable. When this variable is passed to the wifiConnections() or wifiNetworks() functions, the injected command (echo "Injection Successful) gets executed on the system.

Original References

1. NPM Advisory Page
2. GitHub Issue
3. GitHub Commit Fixing the Issue

Exploit Details

The exploit can be used by an attacker to execute arbitrary commands on the target system. In our example code snippet, the attacker injects a simple echo command, but a potential attacker can run more sophisticated malicious commands, potentially gaining complete control over a compromised system.

Workaround

For those who cannot immediately update to version 5.21.7, which contains the fix, a recommended workaround is to check or sanitize the parameter strings passed to the wifiConnections() and wifiNetworks() functions.

Conclusion

It is crucial for developers to be aware of the security vulnerabilities that may exist in their dependencies, such as the case with the systeminformation library. By understanding these vulnerabilities and updating to patched versions, developers can reduce the risk of potential security breaches.

In the case of CVE-2023-42810, it is strongly recommended to update the "systeminformation" library to version 5.21.7 or later. If this is not possible, implementing the recommended workaround mentioned above can help in mitigating the risks associated with this vulnerability.

Timeline

Published on: 09/21/2023 18:15:12 UTC
Last modified on: 09/23/2023 03:38:14 UTC