Auth0 fixed a remote code execution vulnerability in the hugely popular open-source “JsonWebToken” library, used by over 22,000 projects and downloaded over 36 million times per month on NPM.
The library is used in open source projects created by Microsoft, Twilio, Salesforce, Intuit, Box, IBM, Docusign, Slack, SAP and many others.
The vulnerability is tracked as CVE-2022-23529 and impacts JsonWebToken versions below 9.0.0, which was released on December 21, just before the holidays.
The JsonWebToken project is an open source library used to create, sign and verify JSON web tokens.
“JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object. This information can be verified and approved because it is digitally signed,” explains Auth0’s jwt.io website.
The project is developed and maintained by Okta’s Auth0 and has more than 9 million weekly downloads on the NPM package repository, with over 22,000 projects depending on the library, reflecting its massive adoption.
Successful exploitation of CVE-2022-23529 could allow attackers to bypass authentication mechanisms, access confidential information, and steal or alter data.
However, Unit 42 warns that threat actors would first need to compromise the secrets management process between an application and a JsonWebToken server, making it harder to exploit and lowering the severity score to 7.6/10.
JWT secret poisoning
The CVE-2022-23529 vulnerability was discovered by Palo Alto Networks’ Unit 42 on July 13, 2022, and was immediately reported to Auth0.
Researchers found that hackers could execute code remotely on servers using JsonWebToken after verifying a maliciously crafted JWS token.
The flaw that allows this lies in JsonWebToken’s verify() method, which is used to verify a JWT and return the decoded information. This method accepts three parameters: token, secretOrPublicKey and options.
However, because the ‘secretOrPublicKey’ parameter is not checked to determine whether it is a string or a buffer, attackers can supply a specially crafted object to perform an arbitrary file write on the target machine.
Using the same flaw with a slightly different payload in the request, Unit 42 reports that it would be practically possible to execute code remotely.
This vulnerability is classified as “high severity” (CVSS 3.1 score: 7.6) rather than critical because it is complicated to exploit: threat actors can only exploit it through the secrets management process.
“You are only affected if you allow untrusted entities to modify the key recovery setting of jwt.verify() on a host you control,” reads the security advisory on GitHub.
The Auth0 team confirmed that they were working on a solution in August 2022, and finally, on December 21, 2022, a fix was released with JsonWebToken version 9.0.0.
The fix adds checks on the secretOrPublicKey parameter, preventing it from parsing malicious objects.
Because JsonWebToken is such a widely used open source library, the flaw has huge supply chain implications, and it will continue to have them for an extended period until most projects are upgraded to a secure version.
Although the flaw is difficult to exploit, the willingness of threat actors to abuse it cannot be underestimated given the number of potential targets. Applying the available security update should therefore be a priority for all system administrators.