Security Issue in msgpack #56

Closed
colin-ife-snyk opened this issue Jun 18, 2021 · 6 comments

Comments

@colin-ife-snyk

Hi,

A security issue was recently disclosed to us regarding msgpack. We have sent two emails to the main contributors of this repository but have received no replies.

Please get in touch as soon as you can, as we are likely to publish this advisory in the coming weeks if we do not hear back from you.

Best,
Snyk Security Team

@azu

azu commented Jul 24, 2021

Is CVE-2021-23410 an actual vulnerability?
https://snyk.io/vuln/SNYK-JS-MSGPACK-1296122

I've tested this PoC, but the PoC just runs child_process.exec.

var assert = require('assert');
var msgpack = require('msgpack');
function sleep(ms) {
  return new Promise((resolve) => {
    setTimeout(resolve, ms);
  });
}
async function init() {
  var normal = { "a": 1, "b": 2, "c": [1, 2, 3] };
  var malicious = msgpack.pack({
    exploit: function () {
      // Note(by @azu): This PoC just runs child_process.exec
      // It is not related to msgpack
      require('child_process').exec('echo code_executed!;sleep 3', function (error, stdout, stderr) {
        console.log(stdout);
      });
    }(),
    // The trailing () above invokes the function immediately, while the argument
    // object is still being built. exec() therefore runs before msgpack.pack is
    // ever called; msgpack only sees the function's return value (undefined).
  });
  var rce = msgpack.unpack(malicious);
  assert.deepEqual(rce, normal);
}

init();

PoC by Adi Malyanker

I think that it is not a vulnerability of msgpack.
https://github.com/azu/msgpack-CVE-2021-23410-test
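To make the point above concrete, here is an added example (written for this page, not code from azu, Snyk or the msgpack module): a minimal decoder for the msgpack subset that the PoC's payload uses, following the msgpack format spec. It shows that decoding only ever produces plain data; the format has no type tag for a function, so the code execution in the PoC can only come from the IIFE at pack time, never from unpacking. The byte strings are constructed by hand and assume an encoder that maps `undefined` to msgpack nil.

```javascript
// Added example, not code from the issue or the msgpack project: a minimal
// decoder for the msgpack subset the PoC's payload uses. The decoder only
// ever builds plain data (maps, arrays, strings, integers, nil). The format
// has no tag for a function, so nothing in the input can make unpacking
// execute code; the PoC's child_process.exec runs in an IIFE at pack time.
function decodeMsgpack(bytes) {
  let pos = 0;
  function next() {
    if (pos >= bytes.length) throw new RangeError('truncated msgpack input');
    return bytes[pos++];
  }
  function readStr(len) {
    const s = Buffer.from(bytes.subarray(pos, pos + len)).toString('utf8');
    pos += len;
    return s;
  }
  function readValue() {
    const b = next();
    if (b <= 0x7f) return b;                              // positive fixint
    if (b === 0xc0) return null;                          // nil
    if (b >= 0xa0 && b <= 0xbf) return readStr(b & 0x1f); // fixstr
    if (b >= 0x90 && b <= 0x9f) {                         // fixarray
      const out = [];
      for (let i = b & 0x0f; i > 0; i--) out.push(readValue());
      return out;
    }
    if (b >= 0x80 && b <= 0x8f) {                         // fixmap
      const out = {};
      for (let i = b & 0x0f; i > 0; i--) {
        const key = readValue();
        // keys must be strings, and must not rewrite the object's prototype
        if (typeof key !== 'string' || key === '__proto__') throw new TypeError('bad map key');
        out[key] = readValue();
      }
      return out;
    }
    throw new TypeError('unsupported msgpack type byte 0x' + b.toString(16));
  }
  const value = readValue();
  if (pos !== bytes.length) throw new RangeError('trailing bytes after value');
  return value;
}

// Constructed bytes (assumption: the encoder maps undefined to nil): what the
// PoC's object looks like once the IIFE has returned undefined:
//   0x81 fixmap(1), 0xa7 "exploit", 0xc0 nil
const PACKED_POC = Uint8Array.from([0x81, 0xa7, 0x65, 0x78, 0x70, 0x6c, 0x6f, 0x69, 0x74, 0xc0]);
// Constructed bytes for the PoC's "normal" object {"a":1,"b":2,"c":[1,2,3]}
const PACKED_NORMAL = Uint8Array.from([0x83, 0xa1, 0x61, 0x01, 0xa1, 0x62, 0x02, 0xa1, 0x63, 0x93, 0x01, 0x02, 0x03]);
```

Decoding `PACKED_POC` yields `{ exploit: null }`, a value the PoC's `assert.deepEqual(rce, normal)` would reject; whatever `echo code_executed!` printed came from the IIFE, not from msgpack.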

@gfx
Member

gfx commented Jul 24, 2021

I agree with @azu. CVE-2021-23410 is not a vulnerability of this module.

I've requested the rejection of CVE-2021-23410 via https://cveform.mitre.org/ (description: https://gist.github.com/gfx/230010980c04415bb602afdfd5165ed8 )

FWIW I had received an email from Snyk with almost the same PoC for msgpack/msgpack-javascript (a.k.a. @msgpack/msgpack) (msgpack/msgpack-javascript#184). I responded to the mail, explaining why the PoC was invalid. Unfortunately, however, I have had no reply to my explanation and the CVE has been issued. I suspect Snyk is not capable of verifying a vulnerability in a JavaScript program.

@colin-ife-snyk
Author

colin-ife-snyk commented Jul 26, 2021

Hi @azu,

Thanks for your efforts in investigating this vulnerability. Unfortunately, this msgpack disclosure is indeed a false positive - the CVE will be revoked shortly and we apologise for any inconvenience caused.

As we do handle a large volume of disclosures from researchers, communicate with many maintainers, and generally verify them correctly, unfortunately, we occasionally make oversights like these. However, we'll aim to use this as a case study to improve our verification process further and to avoid future situations like these.

On @gfx's comment, yes, we agreed with your view, which was why there was never any advisory published for msgpack/msgpack-javascript - somehow, we just never managed to send the email 🤦🏽‍♂️
You should have now received an email with our conclusion.

Feel free to reach out if you have any follow-ups to this.

Best,
Snyk Security Team

@gfx
Member

gfx commented Sep 14, 2021

Hello, @colin-ife-snyk!

Thanks for rejecting CVE-2021-23410, but seemingly the CVE is still active in the GitHub Advisory Database.

Would you mind investigating how to revoke the entry in GitHub Advisory Database? Thanks in advance.

@colin-ife-snyk
Author

No problem @gfx

Contacted GitHub Support asking them to revoke the GitHub advisory and cc'ed yourself and @godsflaw

@gfx
Member

gfx commented Sep 15, 2021

@colin-ife-snyk

Thank you very much! I appreciate it.
