Bug 2105422 (CVE-2022-32212) - CVE-2022-32212 nodejs: DNS rebinding in --inspect via invalid IP addresses
Summary: CVE-2022-32212 nodejs: DNS rebinding in --inspect via invalid IP addresses
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-32212
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2108518 2108519 2108520 2108056 2108057 2108058 2108059 2108060 2108521 2108522 2108523 2108524 2108525 2108526 2109533 2109576 2109577 2109578 2121021
Blocks: 2105423
Reported: 2022-07-08 18:41 UTC by Sage McTaggart
Modified: 2022-11-30 07:28 UTC

Fixed In Version: nodejs 14.20.0, nodejs 16.20.0, nodejs 18.5.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Node.js in which the IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check whether an IP address is valid. When an invalid IPv4 address is provided (for instance, 10.0.2.555), browsers (such as Firefox) will make DNS requests to the DNS server. This gives an attacker-controlled DNS server, or a man-in-the-middle (MITM) attacker who can spoof DNS responses, a vector to perform a rebinding attack and then connect to the WebSocket debugger, allowing arbitrary code execution on the target system.
Clone Of:
Environment:
Last Closed: 2022-11-30 07:28:22 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6389 0 None None None 2022-09-08 07:42:35 UTC
Red Hat Product Errata RHSA-2022:6448 0 None None None 2022-09-13 09:44:11 UTC
Red Hat Product Errata RHSA-2022:6449 0 None None None 2022-09-13 09:44:46 UTC
Red Hat Product Errata RHSA-2022:6595 0 None None None 2022-09-20 12:24:24 UTC
Red Hat Product Errata RHSA-2022:6985 0 None None None 2022-10-18 08:17:51 UTC

Description Sage McTaggart 2022-07-08 18:41:48 UTC
CVE-2022-32212

The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), browsers (such as Firefox) will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MITM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884.

More details will be available at CVE-2022-32212 after publication.

Thank you to Axel Chong for reporting this vulnerability.

Impacts:

All versions of the 18.x, 16.x, and 14.x release lines.

https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
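
The weakness described above comes down to a Host check that treats any digits-and-dots string as an IP literal, so a value such as 10.0.2.555 passes even though a browser will resolve it through DNS. The JavaScript below is an added illustration, not Node.js source code or code from this bug report; the function names and the sample Host values are constructed, and IPv6 literals are left out of scope.

```javascript
// Added illustration; names are hypothetical, not Node.js internals.

// Loose check: any string of digits containing exactly three dots passes.
function looksLikeIPv4Loose(host) {
  let dots = 0;
  for (const ch of host) {
    if (ch === '.') dots++;
    else if (ch < '0' || ch > '9') return false;
  }
  return dots === 3;
}

// Strict check: exactly four decimal octets, each 0-255, with no leading
// zeros (which some parsers read as octal).
function isIPv4Strict(host) {
  const parts = host.split('.');
  if (parts.length !== 4) return false;
  return parts.every((p) => /^(0|[1-9][0-9]{0,2})$/.test(p) && Number(p) <= 255);
}

// Host-header gate for a local debugging endpoint. Only "localhost" and IPv4
// literals are accepted; IPv6 literals are out of scope for this example.
function isAllowedHost(hostHeader, ipCheck) {
  const host = hostHeader.replace(/:\d+$/, '').toLowerCase();
  if (host === 'localhost') return true;
  return ipCheck(host);
}

// Constructed Host header values, including the invalid address from the report.
const SAMPLE_HOSTS = [
  '127.0.0.1:9229',
  'localhost:9229',
  '10.0.2.555:9229',
  '...',
  '010.0.0.1',
  'rebind.example:9229',
];

// Return the hosts the loose gate lets through but the strict gate rejects.
function findDisagreements(hosts) {
  return hosts.filter(
    (h) => isAllowedHost(h, looksLikeIPv4Loose) && !isAllowedHost(h, isIPv4Strict)
  );
}

console.log(findDisagreements(SAMPLE_HOSTS));
```

Every value the two gates disagree on is a string that is not a valid IP literal, so a gate that accepts it is in effect accepting a hostname.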

Comment 3 TEJ RATHI 2022-07-19 08:20:28 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108518]
Affects: fedora-all [bug 2108521]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108522]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108519]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108523]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108524]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108520]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108525]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108526]

Comment 5 errata-xmlrpc 2022-09-08 07:42:33 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389

Comment 6 errata-xmlrpc 2022-09-13 09:44:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448

Comment 7 errata-xmlrpc 2022-09-13 09:44:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449

Comment 8 errata-xmlrpc 2022-09-20 12:24:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595

Comment 10 errata-xmlrpc 2022-10-18 08:17:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985

Comment 13 Product Security DevOps Team 2022-11-30 07:28:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32212

