Users of Parse Server, a popular API server module for Node/Express, are being urged to immediately apply a fix for a remote code execution (RCE) vulnerability.
Discovered by security researchers Mikhail Shcherbakov, Cristian-Alexandru Staicu, and Musard Balliu, the vulnerability impacts the parse-server NPM package, versions below 4.10.7.
In a security advisory published on GitHub, on March 11, the team said the RCE vulnerability was discovered in a default configuration with MongoDB and has been confirmed in Ubuntu and Windows versions of the software.
Prototype pollution
The root cause of the security problem in play is prototype pollution.
Prototype pollution occurs when attackers abuse the rules of the JavaScript programming language to compromise an application – opening the door to exploits including remote code execution, various forms of cross-site scripting (XSS) attacks, SQL injections, and more.
Parse Server is open source backend software for servers and systems that run Node.js. It can run both independently or with other web application frameworks including MongoDB and PostgreSQL.
According to the researchers, code in parse-server NPM’s DatabaseController.js function was the source of the vulnerability.
Shcherbakov and Staicu said that as the security flaw was found in the database function, it will “likely affect Postgres and any other database backend as well”.
Speaking to The Daily Swig, Shcherbakov said the vulnerable code was not specific to particular database modules and, in theory, “should be reachable with any database backend”.
“However, the exploitation requires a gadget to get arbitrary code execution and some kind of a race condition to execute the gadget in the required order,” Shcherbakov explained. “I found the gadget and the race condition in MongoDB modules to demonstrate the exploit. I did not try to use another database, but it is likely possible.”
Imperfect 10
Tracked as CVE-2022-24760, the RCE bug is awaiting a formal CVSS score from NIST, but GitHub – a CVE Numbering Authority (CNA) – has given the vulnerability a base score of 10 – the highest severity possible.
Parse Server 4.10.7 includes a patch for CVE-2022-24760. Part of the fix includes a scanner for sensitive keywords to safeguard against prototype pollution attacks.
Users are advised to upgrade to at least v.4.10.7 of Parse Server.
One possible workaround, short of applying the recommended update, involves patching the MongoDB Node.js driver and disabling BSON code execution.
The most recent build available is 5.0.0, which also bundles new and improved file upload security controls.
The Daily Swig has reached out to the project with additional queries. We will update this story as and when we hear back from Parse Server’s developers.
Source: https://portswigger.net/daily-swig/node-js-security-parse-server-remote-code-execution-vulnerability-resolved
