Nexus Intelligence Insights: CVE-2018-16487 Lodash RCE + 'prototype' pollution

November 27, 2019 By Elisa Velarde

3 minute read time

Lodash is a very popular Javascript library used by developers worldwide to simplify and consolidate their code. Users of lodash are able to reap the benefits of more elegant code in less time by utilizing the robust lodash library. However, what was created as a helpful feature for most, lends itself to an attack vector for bad actors if it isn’t managed properly. 

Name of Vulnerability:  CVE-2018-16487 (as a result of an incomplete fix made for  CVE-2018-3721)

Type of Vulnerability: DoS, Remote code execution

Component Name: lodash (as present in npm)

Versions Affected: [4.17.5, 4.17.11)

Criticality: 

CVSS 3.0 Score: 9.8

CVSS 3.0 Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Advisory Deviation: The Sonatype security research team discovered that the root cause of this vulnerability was introduced in version 4.17.5 due to an incomplete fix made for CVE-2018-3721. As a result, contrary to what the advisory states, only versions between 4.17.5 and 4.17.11 (exclusive) have been implicated for CVE-2018-16487. Vulnerable versions prior to 4.17.5 are still covered by CVE-2018-3721.

Vulnerability Description:

The `lodash` package is vulnerable to Prototype Pollution. The `safeGet()` function in the `lodash.js` file fails to restrict the addition or modification of properties of Object prototypes. A remote attacker can exploit this vulnerability by crafting and submitting a request containing malicious JSON to an endpoint that accepts JSON data. The attacker can leverage this vulnerability to modify Object prototype properties which, depending on the behavior of the object within the application, can result in a Denial of Service (DoS) or potentially Remote Code Execution (RCE).

Attack Mechanics:

JavaScript,  being a prototyping language has a “__proto__” property associated with all objects inherently and “prototype” property inherent to all functions. Put simply, it is a functionality provided by the language for easily adding more properties and methods to exist object constructors. JavaScript prototyping attacks such as this one leverage this ‘design flaw’ by injecting incompatible types into existing objects to cause exceptions leading to Denial of Service (DoS). Typically, this happens because of the JavaScript engine parsing the unsafe recursive “merges” without reaching a terminating condition.

Here’s an example of how a typical attack might work: 

By invoking  `merge`, `mergeWith`, or `defaultsDeep` functions of lodash to process user-supplied JSON data, an attacker is able to cause an exception within  the application and hence Denial of Service (DoS). 

An attacker can craft a JavaScript object of form {constructor: {prototype: {...}}} and pass it to _.merge.

lodash hack cropped

This will lead to a crash,  resulting in a Denial of Service (DoS) attack and other unintended consequences like the ability for someone to remotely execute code. 

It is important to note (per developers in the HackerOne report) that the prototype in Object, Array, Function, Number, String, and Boolean are vulnerable as well. Just because one property is fixed, doesn’t mean the others aren’t vulnerable. Users are advised to pay particular attention to the remediation guidance for this attack vector. 

Remediation Recommendation:

Users are recommended to upgrade to version 4.17.11 of `lodash` which contains the fix.

If upgrading is not a viable option, some developers have chosen to protect against this vulnerability by replacing a property entirely (rather than recursively extending it) if the destination object doesn't have that property as its own. That would prevent traversing the built-in 'constructor' property, but wouldn't prevent users from using the name 'constructor' in other contexts.

lodash remediation cropped

DevOps-native organizations with the ability to continuously deploy software releases have an automation advantage that allows them to stay one step ahead of the hackers. Customers of Sonatype Nexus were notified of CVE-2018-16487 within hours of the discovery. Their development teams automatically received instructions on how to remediate the risk.

If you're not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype's free Nexus Vulnerability Scanner to quickly find out.

Visit the Nexus Intelligence Insights  page for a deep dive into other vulnerabilities like this one or subscribe to automatically receive Nexus Intelligence Insights hot off the press.

 

Tags: vulnerabilities, remote code execution, featured, Nexus Intelligence Insights, lodash, cve-2018-16487

Written by Elisa Velarde

Elisa was a Senior Product Marketing Manager at Sonatype. She brought over 10 years of experience in sourcing, mentoring, and leading Marketing or full Agile product teams while maintaining a collaborative, cross-departmental approach to support company goals.