While investigating the popular open-source project JsonWebToken, Unit 42 researchers discovered a new vulnerability.
The flaw is tracked as CVE-2022-23529 and has been rated high severity with a CVSS score of 7.6.
An attacker could exploit this vulnerability to obtain RCE by sending a maliciously crafted JWT request to a server that verifies it.
Over 22,000 open-source projects use the JsonWebToken library on NPM, which is maintained by Auth0 and has been downloaded more than 36 million times in the last month alone.
In short, the package averages more than 9 million downloads per week.
Security analysts have also strongly recommended that users of JsonWebToken version 8.5.1 or earlier update to version 9.0.0 immediately, since this latest version includes the security patch that addresses the flaw.
Several giant companies have used the library in their open-source projects, including:-
JSON web tokens are used as a simple authentication method, so let’s have a look at how they work:-
When maliciously crafted JWS tokens are used, threat actors are able to execute code on servers remotely.
Because of this vulnerability, JsonWebToken’s verify() method, which returns the decoded token contents to the caller, lets this happen with no authentication.
There are three parameters that are accepted by this method, and they are as follows:-
An attacker can use a specially crafted object to perform arbitrary file writes on the target machine, because the ‘secretOrPublicKey’ parameter is not checked to ensure that it contains a string or a buffer.
Unit 42 reported that, with the same flaw, a slightly different payload in the request would make remote code execution practical in the same way.
This vulnerability is not easy to exploit, but given the number of potential targets, threat actors will be eager to exploit it, and that eagerness should not be underestimated.
Given this, system administrators should take the necessary steps to ensure that the security update is applied as soon as possible.