Critical Flaws Allowing Domain Hijacking Assaults Patched By Node.js Developers


A vulnerability in Node.js that would permit a remote actor to carry out domain hijacking attacks has been patched. Last week, the developers of Node.js, a JavaScript runtime environment, published a security advisory warning users of potential attacks and urging them to upgrade to the latest version to protect their systems against a series of flaws.

The first flaw, tracked as CVE-2021-3672/CVE-2021-2293, was the result of improper handling of unusual characters in domain names, which opened the door to remote code execution (RCE) or cross-site scripting (XSS) exploits.

The flaw, which security researchers classified as high risk, also caused application crashes. Its root cause was missing input validation of hostnames returned by DNS servers in Node.js, which could lead to the output of incorrect hostnames (enabling domain hijacking) and to injection vulnerabilities in applications using the library.

A second vulnerability (CVE-2021-22939) stems from incomplete validation of the “rejectUnauthorized” parameter; it falls into the low-risk category.

The third and final flaw (CVE-2021-22930), which could permit an attacker to abuse memory corruption to change process behavior, was included as a follow-up fix after previous mitigations did not completely resolve the issue.

Security researchers published the security advisory on the same day that a research paper (PDF) on the topic was published. In the paper, titled ‘Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS’, researchers Philipp Jeitner and Haya Shulman demonstrated “a new method to launch string injection attacks by encoding malicious payloads into DNS records”.

Earlier this year, the developers of systeminformation, a popular Node.js package, patched a critical flaw that left applications susceptible to command injection attacks. Systeminformation offers dozens of functions for retrieving detailed hardware, system and operating system information from servers hosting Node.js applications. The library has more than 850,000 weekly downloads on NPM, the main online repository for Node.js packages.

The vulnerability was caused by a special case of improper parameter checking and array sanitization, Hildebrandt, the maintainer of systeminformation, stated.

“If the input was not sanitized and users had the possibility to pass a JavaScript array as a parameter to the given functions, this could lead to executing malicious code like [a denial of service] DoS on the machine where systeminformation is running,” he further added.
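Both flaws described above come down to trusting input that was never validated: hostnames handed back by DNS in the Node.js case, and a parameter that could be an array instead of a string in the systeminformation case. The following added example (not code from Node.js or the systeminformation project) shows the two defensive checks an application can apply before such values reach a template, a log line or a shell command; the function names, the sample hostnames and the hostname syntax limits (RFC 1123 letters, digits and hyphens, 63 octets per label, 253 overall) are this example's own assumptions.

```javascript
// Added example: defensive input checks, not code from Node.js or
// the systeminformation project.
//
//  1. validateHostname(): accept only syntactically valid DNS hostnames
//     (labels of letters, digits and hyphens, 1-63 characters each,
//     not starting or ending with a hyphen, 253 characters in total),
//     so a DNS answer carrying injected characters is rejected outright.
//  2. requireStringArg(): reject non-string values such as arrays before
//     they reach code that expects exactly one string.

const LABEL_RE = /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/;

function validateHostname(name) {
  if (typeof name !== 'string') return false;
  // A fully-qualified name may carry one trailing dot; drop it first.
  const bare = name.endsWith('.') ? name.slice(0, -1) : name;
  if (bare.length === 0 || bare.length > 253) return false;
  return bare.split('.').every((label) => LABEL_RE.test(label));
}

function requireStringArg(value, paramName) {
  if (typeof value !== 'string') {
    const got = Array.isArray(value) ? 'array' : typeof value;
    throw new TypeError(`${paramName} must be a string, got ${got}`);
  }
  return value;
}

// Constructed sample hostnames (hypothetical values) showing what the
// validator accepts and what it rejects.
const SAMPLE_HOSTNAMES = [
  'example.com',                 // valid
  'mail.example.com.',           // valid, fully-qualified form
  'host-1.example.org',          // valid, hyphen inside a label
  '-bad.example.com',            // label may not start with a hyphen
  'example.com<script>',         // markup would reach a template unescaped
  'host\r\nX-Injected: 1',       // CR/LF could break a protocol line
  'a'.repeat(64) + '.example',   // label longer than 63 octets
];

// Returns [hostname, verdict] pairs for the constructed samples.
function checkSamples() {
  return SAMPLE_HOSTNAMES.map((h) => [h, validateHostname(h)]);
}

module.exports = { validateHostname, requireStringArg, checkSamples };
```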