Security Vulnerabilities | Security Digest


In this week’s digest, we’ll focus on:

  • missing proper state, nonce, and PKCE checks for OAuth authentication;
  • Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting;
  • ShadowsocksX-NG signed with the com.apple.security.get-task-allow entitlement because of CODE_SIGNING_INJECT_BASE_ENTITLEMENTS; and
  • an access control issue in runc that allows an attacker to escalate privileges inside a container.

CVE-2023-27490: Missing proper state, nonce, and PKCE checks for OAuth authentication

Background

OAuth (Open Authorization) is an open standard protocol that allows third-party applications to access resources on behalf of a user without needing to know the user’s credentials, such as a username and password. OAuth works by letting the user grant access to their resources: the user authenticates with the service that holds the resources (e.g. a social media platform) and the third-party application obtains an access token, which is then used to access the resources on the user’s behalf. This access token is issued by that service and can be used by the third-party application to access the user’s resources without ever learning the user’s login credentials.

Vulnerability

CVE-2023-27490 exists in the next-auth package and concerns the OAuth authentication flow. Specifically, it occurs during an OAuth session when the authorization URL is intercepted and manipulated by an attacker. This can allow the attacker to log in as the victim and bypass the CSRF protection that is normally in place. In the OAuth flow, the authorization URL is used to initiate the authentication process and request access to the user’s resources. The URL carries important parameters, such as state, pkce (the code challenge), and nonce, which exist to prevent attacks such as CSRF, replay attacks, and token theft. If the authorization URL is intercepted and manipulated by an attacker, these protections can be bypassed, which is the vulnerability described in the next-auth package.

The root cause of the vulnerability is a partial failure that occurs during a compromised OAuth session. Specifically, a session code is erroneously generated, which allows the attacker to bypass the CSRF protection and log in as the victim.

Mitigation

  • The vulnerability has been fixed in next-auth version v4.20.1; upgrading to the latest version is the recommended way to fix this issue.
  • Alternatively, using Advanced Initialization, developers can manually check the callback request for state, pkce, and nonce against the provider configuration, and abort the sign-in process if there is a mismatch.
CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting

Background

HTTP Request Smuggling is a web application vulnerability that occurs when an attacker can manipulate the way an application or web server processes HTTP requests sent by a client. It can allow an attacker to bypass security controls, perform unauthorized actions, or steal sensitive data.

The attack typically exploits inconsistencies in how a front-end web server and a back-end server or application handle HTTP requests, such as the interpretation of Content-Length headers or the handling of chunked encoding. By manipulating these inconsistencies, an attacker can craft a request that is interpreted differently by the two servers, so that either the request is processed improperly or the front-end server ends up acting as a proxy through which the attacker’s malicious requests are executed.

Vulnerability

CVE-2023-27522 affects Apache HTTP Server versions 2.4.30 through 2.4.55, specifically via the mod_proxy_uwsgi module. It occurs when the origin server sends a specially crafted HTTP response header that contains certain special characters, such as spaces or tabs, followed by a “Content-Length” header.

The mod_proxy_uwsgi module can misinterpret this header and forward the response to the client with a truncated or split “Content-Length” header. This can cause the client to receive incomplete or incorrect responses, potentially allowing an attacker to carry out various attacks, such as data leakage, server-side request forgery (SSRF), cross-site scripting (XSS), and remote code execution (RCE).

Mitigation

  • Upgrade to the latest version of Apache HTTP Server or apply any available patches.
  • Additionally, web application firewalls and intrusion detection systems can be used to detect and prevent HTTP response smuggling attacks.
  • It is also important to ensure that proper input validation and output encoding are used to prevent the injection of special characters into HTTP responses.
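As an added example of the strict validation the last two mitigations call for (this is not Apache’s code and does not reproduce mod_proxy_uwsgi’s parser), the function below checks the response head a proxy receives from an origin before relaying it, rejecting the shapes behind response splitting: header names containing whitespace or other non-token characters, obsolete line folding, CR/LF/NUL inside values, and duplicate or conflicting Content-Length headers. The two sample responses are constructed for the example, not captured traffic, and validateResponseHead is a name chosen here.

```javascript
// Added example (not Apache's code): strict validation of an upstream response head.
// RFC 9110 "token" characters, the only ones allowed in a header field name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function validateResponseHead(rawHead) {
  const problems = [];
  const lines = rawHead.split('\r\n');
  if (!/^HTTP\/1\.[01] \d{3}( .*)?$/.test(lines[0])) {
    problems.push(`malformed status line: ${JSON.stringify(lines[0])}`);
  }
  const headers = [];
  for (const line of lines.slice(1)) {
    if (line === '') break;                       // blank line ends the header block
    if (/^[ \t]/.test(line)) {                    // obs-fold: parsers disagree on its meaning
      problems.push(`line folding not allowed: ${JSON.stringify(line)}`);
      continue;
    }
    const colon = line.indexOf(':');
    if (colon < 0) {
      problems.push(`no ':' in header line: ${JSON.stringify(line)}`);
      continue;
    }
    const name = line.slice(0, colon);
    const value = line.slice(colon + 1).trim();
    if (!TOKEN_RE.test(name)) {                   // e.g. "Content-Length " or "\tContent-Length"
      problems.push(`invalid header name (whitespace/control char): ${JSON.stringify(name)}`);
      continue;
    }
    if (/[\r\n\0]/.test(value)) {
      problems.push(`control character in value of ${name}`);
      continue;
    }
    headers.push([name.toLowerCase(), value]);
  }
  // Framing headers must be unambiguous: one numeric Content-Length, never combined
  // with Transfer-Encoding, otherwise client and proxy may delimit the body differently.
  const lengths = headers.filter(([n]) => n === 'content-length').map(([, v]) => v);
  for (const v of lengths) {
    if (!/^\d+$/.test(v)) problems.push(`non-numeric Content-Length: ${JSON.stringify(v)}`);
  }
  if (new Set(lengths).size > 1) {
    problems.push(`conflicting Content-Length values: ${lengths.join(', ')}`);
  }
  if (lengths.length && headers.some(([n]) => n === 'transfer-encoding')) {
    problems.push('both Content-Length and Transfer-Encoding present');
  }
  return { ok: problems.length === 0, problems, headers };
}

// Constructed sample response heads (not captured traffic).
const CLEAN_HEAD = 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\n';
const SPLIT_HEAD = 'HTTP/1.1 200 OK\r\nX-Injected :x\r\nContent-Length: 5\r\nContent-Length: 999\r\n\r\n';
```

A proxy that applies this check would drop or replace the upstream response instead of forwarding ambiguous framing to the client; the same rules are a reasonable basis for a WAF or IDS signature on proxied responses.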
CVE-2023-27574: ShadowsocksX-NG signs with com.apple.security.get-task-allow

Background

ShadowsocksX-NG is a free and open source application that helps users bypass internet censorship by creating a secure SOCKS5 proxy through which they can access the internet.

When an application is developed and ready for distribution, it needs to be signed with a valid certificate to ensure that it is legitimate and has not been tampered with. This process is called code signing.

One of the requirements of code signing is to include entitlements, which are the permissions an application needs in order to function correctly. Entitlements specify what resources and actions the application is allowed to access, such as the network, file system, or hardware.

Vulnerability

CVE-2023-27574 exists in ShadowsocksX-NG version 1.10.0, which is signed with an entitlement called com.apple.security.get-task-allow. This entitlement allows the application to be debugged and inspected by development tools, such as Xcode, even when it is running on a user’s device.

The reason for including this entitlement is a feature called CODE_SIGNING_INJECT_BASE_ENTITLEMENTS. This feature is part of the code signing process, and it allows developers to include additional entitlements beyond those explicitly specified in the application’s entitlements file. In other words, when CODE_SIGNING_INJECT_BASE_ENTITLEMENTS is enabled, Xcode automatically injects a set of default entitlements into the application’s signature. These entitlements are based on the developer’s account and the project settings, and they include com.apple.security.get-task-allow by default.

The problem with this approach is that the com.apple.security.get-task-allow entitlement can be abused by attackers to obtain sensitive information from the application’s memory, such as encryption keys or other sensitive data. This could be done by exploiting a vulnerability in the application or by using a third-party tool to read the application’s memory.

Mitigation

  • Users of ShadowsocksX-NG version 1.10.0 are advised to upgrade to a later version that does not include the com.apple.security.get-task-allow entitlement, or to remove the entitlement manually from the application’s code signature.
  • Additionally, users should be careful when using VPN/proxy software and make sure they are using a trusted and secure version of the software.
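To check whether a build on hand carries this entitlement before trusting it, an added example (not ShadowsocksX-NG’s or Apple’s code): it parses the entitlements plist that codesign prints for a signed app (for instance `codesign -d --entitlements - App.app`; exact flags vary by macOS version) and reports debug-only entitlements that should never ship to users. The sample XML below is constructed for the example, TEAMID.example.app is a placeholder, and parseEntitlements and auditEntitlements are names chosen here.

```javascript
// Added example (not the project's code): audit a signed macOS app's entitlements.

// Minimal parser for a flat <dict> of <key>/<true/>|<false/>|<string> entries,
// which is all that the entitlements blob of a typical app contains.
function parseEntitlements(plistXml) {
  const entitlements = {};
  const re = /<key>([^<]+)<\/key>\s*(?:<(true|false)\/>|<string>([^<]*)<\/string>)/g;
  let m;
  while ((m = re.exec(plistXml)) !== null) {
    entitlements[m[1]] = m[2] !== undefined ? m[2] === 'true' : m[3];
  }
  return entitlements;
}

// Entitlements that must not be present on a build distributed to end users.
const RELEASE_BLOCKLIST = {
  'com.apple.security.get-task-allow':
    'other processes may attach to the app and read its memory (debug builds only)',
};

function auditEntitlements(entitlements) {
  const findings = [];
  for (const [name, why] of Object.entries(RELEASE_BLOCKLIST)) {
    if (entitlements[name] === true) findings.push(`${name} is enabled: ${why}`);
  }
  return findings;
}

// Constructed sample modelled on a debug-signed app (TEAMID.example.app is a placeholder).
const SAMPLE_ENTITLEMENTS_XML = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>TEAMID.example.app</string>
</dict>
</plist>`;
```

A release pipeline can run the same audit on every signed artifact so that an injected base entitlement is caught before distribution rather than by users afterwards.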
CVE-2019-5736: Access control issue in runc

Background

runc is a command-line tool for spawning and running containers according to the Open Container Initiative (OCI) specifications. It is commonly used in container runtime environments such as Docker, Kubernetes, and others.

Vulnerability

CVE-2019-5736 is an access control issue that allows an attacker to escalate privileges inside a container. Specifically, the issue relates to the way runc versions through 1.1.4 handle the root file system (rootfs) when launching a container.

In libcontainer/rootfs_linux.go, runc sets up the rootfs of a container by mounting it read-only and then overlaying a writable layer on top of it. This process is used to create the container’s file system and isolate it from the host system.

However, a flaw in this code allows an attacker to overwrite the host system’s /proc/self/exe file, which is a symbolic link to the runc binary itself. By doing so, the attacker can execute arbitrary code with elevated privileges, effectively escaping the container and gaining control of the host system.

Mitigation

  • Upgrade to a patched version: Upgrading to a patched version of runc is the most effective mitigation for this vulnerability. runc versions 1.0.0-rc6 and later include a fix.
  • Upgrade container runtimes: If you are using a container runtime environment such as Docker or Kubernetes, make sure to upgrade to a version that includes the patched runc.
  • Implement access controls: To mitigate the risk of this vulnerability, access controls should be implemented to limit attackers’ ability to spawn containers with custom volume-mount configurations and run custom images.
  • Minimize container privileges: Minimizing the privileges of containers helps limit the scope of a potential attack. This can be achieved by running containers as non-root users, limiting container capabilities, and restricting access to sensitive host resources.
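The last two mitigations (controlling volume mounts and minimizing container privileges) can be enforced mechanically on the OCI config.json that runc reads when it creates a container. The following is an added example, not runc’s code: it audits a config for a root user, dangerous capabilities, a missing noNewPrivileges flag, a writable rootfs, and writable bind mounts of sensitive host paths. Field names follow the OCI runtime spec; the capability and path lists, the two sample configs and the function name auditOciConfig are assumptions made for this example.

```javascript
// Added example (not runc's code): least-privilege audit of an OCI runtime config.json.
const DANGEROUS_CAPS = new Set([
  'CAP_SYS_ADMIN', 'CAP_SYS_MODULE', 'CAP_SYS_PTRACE', 'CAP_SYS_RAWIO',
  'CAP_DAC_READ_SEARCH', 'CAP_NET_ADMIN',
]);
// Host paths that should never be bind-mounted writable into a container.
const SENSITIVE_HOST_PATHS = ['/', '/proc', '/sys', '/dev', '/etc', '/var/run/docker.sock', '/run/docker.sock'];

function underSensitivePath(source) {
  return SENSITIVE_HOST_PATHS.some((p) => source === p || (p !== '/' && source.startsWith(p + '/')));
}

function auditOciConfig(config) {
  const findings = [];
  const proc = config.process || {};
  const user = proc.user || {};
  if (user.uid === undefined || user.uid === 0) {
    findings.push('process runs as uid 0: a breakout lands as root on the host');
  }
  if (proc.noNewPrivileges !== true) {
    findings.push('noNewPrivileges is not set: setuid binaries can regain privileges');
  }
  // Collect dangerous capabilities across every capability set, one finding per cap.
  const caps = proc.capabilities || {};
  const granted = new Set();
  for (const set of ['bounding', 'effective', 'permitted', 'inheritable', 'ambient']) {
    for (const cap of caps[set] || []) if (DANGEROUS_CAPS.has(cap)) granted.add(cap);
  }
  for (const cap of [...granted].sort()) findings.push(`dangerous capability granted: ${cap}`);
  if (!(config.root && config.root.readonly === true)) {
    findings.push('root filesystem is writable');
  }
  for (const m of config.mounts || []) {
    const opts = m.options || [];
    const isBind = m.type === 'bind' || opts.includes('bind') || opts.includes('rbind');
    if (isBind && typeof m.source === 'string' && underSensitivePath(m.source) && !opts.includes('ro')) {
      findings.push(`writable bind mount of host path ${m.source} at ${m.destination}`);
    }
  }
  return findings;
}

// Constructed configs (subset of OCI config.json fields), not real deployments.
const RISKY_CONFIG = {
  ociVersion: '1.0.2',
  process: {
    user: { uid: 0, gid: 0 },
    capabilities: { bounding: ['CAP_SYS_ADMIN', 'CAP_NET_BIND_SERVICE'], effective: ['CAP_SYS_ADMIN'] },
    noNewPrivileges: false,
  },
  root: { path: 'rootfs', readonly: false },
  mounts: [{ destination: '/host', type: 'bind', source: '/', options: ['rbind', 'rw'] }],
};

const HARDENED_CONFIG = {
  ociVersion: '1.0.2',
  process: {
    user: { uid: 1000, gid: 1000 },
    capabilities: { bounding: ['CAP_NET_BIND_SERVICE'], effective: ['CAP_NET_BIND_SERVICE'] },
    noNewPrivileges: true,
  },
  root: { path: 'rootfs', readonly: true },
  mounts: [{ destination: '/data', type: 'bind', source: '/srv/app-data', options: ['rbind', 'ro'] }],
};
```

Run as an admission check, a non-empty findings list blocks the container from being created; each finding maps to one of the settings the mitigation list names.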
