CVE-2024-21892 is a vulnerability in Node.js on Linux that affects processes running with elevated privileges granted through Linux capabilities, in particular CAP_NET_BIND_SERVICE. It allows an unprivileged user to inject code, through environment variables, that runs with the elevated privileges of the process. In this post we examine the details of the vulnerability, give sample code to illustrate the issue, and link to the original references for further reading.

Vulnerability Details

When Node.js runs on Linux, it ignores certain environment variables (NODE_OPTIONS among them) if they may have been set by an unprivileged user while the process is running with elevated privileges, for example after a setuid or file-capability exec. The purpose of this measure is to prevent an unprivileged user from using those variables to load code of their choosing into a process that holds privileges the user does not have.

The only exception to this rule is CAP_NET_BIND_SERVICE, the capability that lets a process bind to privileged network ports (those below 1024) without running as root. A process whose only capability is CAP_NET_BIND_SERVICE is treated as unprivileged and continues to honor those environment variables. The implementation of this exception is where the bug lies.

The bug causes Node.js to apply the exception even when certain other capabilities are set alongside CAP_NET_BIND_SERVICE, not only when it is the sole capability. As a result, an unprivileged user can use the environment to inject code that runs with the process's elevated privileges.

The script below is a minimal server that needs CAP_NET_BIND_SERVICE in order to bind port 80 without running as root:

// server.js
const http = require('http');
const port = 80;

http.createServer((req, res) => {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('Hello World\n');
}).listen(port, () => {
  console.log(`Server running at http://localhost:${port}/`);
});

When this script is run by a process whose only capability is CAP_NET_BIND_SERVICE (not as root), Node.js by design still honors environment variables such as NODE_OPTIONS; that is the intended exception. If the process holds additional capabilities as well, Node.js should ignore those variables, but because of the bug it fails to do so for certain capability combinations, and the server becomes open to code injection through the environment.

An unprivileged user can set NODE_OPTIONS to preload a script of their choosing and then start the capability-bearing node binary (typically one granted file capabilities with setcap) in that environment; the preloaded script runs with the capabilities of the process:

export NODE_OPTIONS="--require /path/to/malicious/script.js"

For more information, refer to the following primary sources:

1. Node.js Security Advisory - An official advisory by the Node.js team detailing the vulnerability and potential impacts.
2. CVE-2024-21892 - NVD - National Institute of Standards and Technology (NIST) National Vulnerability Database entry for CVE-2024-21892.
3. Node.js GitHub Issue - The original issue (discussion) thread on Node.js GitHub repository that led to the discovery and resolution of CVE-2024-21892.

Conclusion

CVE-2024-21892 is a serious security concern for Node.js applications running on Linux with CAP_NET_BIND_SERVICE together with additional capabilities. Developers and system administrators should review such deployments, check which capabilities their node processes actually hold (for example via getcap on the binary or the CapPrm line in /proc/<pid>/status), grant only CAP_NET_BIND_SERVICE where port binding is the sole requirement, and upgrade to a Node.js release that includes the fix so that these systems are protected from code injection through the environment.

Timeline

Published on: 02/20/2024 02:15:50 UTC
Last modified on: 02/20/2024 19:50:53 UTC