spfx – How to upgrade dependency packages which have vulnerabilities

In our company we use veracode to scan our code and this tool give us a summary report at the end with the vulnerabilities found on our source code or dependencies.

I have created a new SPFx webpart, empty! just the basic hello world, and even then the tool found one vulnerability.

Component: validator
Version: 8.2.0
Regular Expression Denial Of Service (ReDoS): validator is vulnerable to regular expression denial of service (ReDoS) attacks. A malicious user can pass a long URI to the isDataURI() function to cause a ReDoS attack.
Link: https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-7078/summary

When checking the dependency tree I found this:

├─┬ @microsoft/sp-build-web@1.12.1
│ └─┬ @microsoft/sp-build-core-tasks@1.12.1
│   └─┬ azure-storage@2.10.4
│     └── validator@9.4.1
└─┬ @microsoft/sp-module-interfaces@1.12.1
  └─┬ z-schema@3.18.4
    └── validator@8.2.0

If I understand correctly, I cant upgrade it myself because it may break the sp-module-interfaces.

Is there something I can do to update this package?

Report Reveals cPanel/WHM Suffers “Multiple Vulnerabilities”

cPanelSecurity research firm Fortbridge has released a report claiming to have discovered “multiple vulnerabilities in cPanel/WHM”.

The report states:

“Our team has found multiple vulnerabilities in cPanel/WHM during a black-box pentest, the most important one being a privilege escalation via stored XSS. Whilst disclosing these bugs to the cPanel/WHM team, we discovered the pentested cPanel account was a reseller account with the permission to edit locales, thus this is not a default setting. The XSS vulnerability which we will present is considered a feature, and it was not fixed. We will show how this “feature” can be abused to escalate privileges to root, together with the rest of our findings.”

The report is quite detailed and shows in-depth the path they take to conduct the attack.

So what do you think – is this indeed a “feature” or is it a genuine bug?  cPanel has disputed the severity of this issue.

raindog308

I’m Andrew, techno polymath and long-time LowEndTalk community Moderator. My technical interests include all things Unix, perl, python, shell scripting, and relational database systems. I enjoy writing technical articles here on LowEndBox to help people get more out of their VPSes.

known vulnerabilities – Handling indirect vulnerable 3rd party dependencies

The first thing to do is figure out if you’re vulnerable to the vulnerability. Based on how you use the dependencies, you may not be vulnerable. Any of the dependencies along the way may also not use the dependency in such a way that exposes the vulnerability or have other mitigations in place. If this is the case, you may not have to do anything.

If you are vulnerable, determine if there’s something you can do. Can you provide mitigations in code that you control? If not, can you make a contribution to the downstream libraries to upgrade them, or at least raise an issue to ensure the maintainers know about the vulnerability that has been patched so they can update their dependencies?

The existence of a vulnerability in and of itself may not be that meaningful. It should trigger a deeper investigation to understand the risks, impacts, and potential actions to mitigate the threat (if a threat exists).

vulnerability – What does Snowden mean by “majority of vulnerabilities … are introduced, for technical reasons …, at the exact time the code is written”?

In a recent Substack article (“The Insecurity Industry”, 2021-07-26) Edward Snowden states:

The vast majority of vulnerabilities that are later discovered and exploited by the Insecurity Industry are introduced, for technical reasons related to how a computer keeps track of what it’s supposed to be doing, at the exact time the code is written, which makes choosing a safer language a crucial protection… and yet it’s one that few ever undertake.

I’m trying to make sense of the sentence in the context of memory safety, but I don’t quite get the bold part. What is meant by asserting that most vulnerabilities later exploited are introduced specifically “at the exact time the code is written” and how is that “for technical reasons related to how a computer keeps track of what it’s supposed to be doing“? Does the “exact time the code is written” refer to the lack of memory safety guarantees at compile-time?

updates – debsecan still retrieves +800 packages impacted by vulnerabilities on up-to-date bullseye system

I have a completely up-to-date debian bullseye system. However, debsecan tool running on it retrieve more than 800 vulnerable packages.

Does it mean that all of these packages are vulnerable and even if my Debian system is totally up-to-date, i am still at risk ?

encryption – What are my vulnerabilities with this multi-user ACL database approach?

I would like some expert insight. I want to know what my vulnerabilities for this model are.

This is a demo project that I will be following in my production app if all works out securely. My production app will include hybrid encryption for ALL user sensitive data. Nothing sensitive will ever be stored on the server unencrypted. I know I loose query capabilities but thats not the intention of this post. I solely and only want to know the vulnerabilities (if any) of this model below + hybrid encryption. I’m using Parse & Back4App.

My main concern (possibly paranoia) is unauthorized access causing data corruption. So, using ACLs in this way plus encryption…

This simple method below is, given authorization, users share their user ID via the server and store it locally so to add it to any new ACL permissions for newly created objects or CRUD actions. I hope this helps better explain what I’m trying to do.

The final question:

  • Is this way of using ACLs vulnerable and if so how?
import 'dart:io';
import 'package:hive/hive.dart';
import 'package:parse_server_sdk/parse_server_sdk.dart';
import 'package:service_acl/user_service.dart';

Future<void> main(List<String> arguments) async {
  Hive.init('hive_database');
  await Parse().initialize(
    'DorTmGgGi8QKgEperLDZb3Prin85ViMTvXCt4rdp',
    'https://parseapi.back4app.com',
    clientKey: 'PmT1WWtSYJYnhCBeVxcC2mtBUhWA53cvlgmUsgI4',
    debug: false,
    autoSendSessionId: true,
  );

  ///
  ///
  /// To reset Hive databases
  // var box001 = await Hive.openBox<String>('user_001_group_ids');
  // await box001.clear();

  // var box004 = await Hive.openBox<String>('user_004_group_ids');
  // await box004.clear();

  ///
  ///
  /// To setup application with users and user groups with ACLs
  // await UserService().createAllUsers();

  // sleep(Duration(seconds: 1));

  // await UserService().createUser001Group();
  // await UserService().createUser004Group();

  // sleep(Duration(seconds: 1));

  // await UserService().saveUser001GroupData();
  // await UserService().saveUser004GroupData();

  ///
  ///
  /// To test authorized and unauthorized access
  await UserService().authorizedAccess();
  await UserService().unauthorizedAccess();
}
import 'dart:io';
import 'package:hive/hive.dart';
import 'package:parse_server_sdk/parse_server_sdk.dart';

class UserService {
  static const String user001username = 'User001';
  static const String user001password = 'User001User';
  static const String user001email = 'user001@user001.com';

  static const String user002username = 'User002';
  static const String user002password = 'User002User';
  static const String user002email = 'user002@user002.com';

  static const String user003username = 'User003';
  static const String user003password = 'User003User';
  static const String user003email = 'user003@user003.com';

  static const String user004username = 'User004';
  static const String user004password = 'User004User';
  static const String user004email = 'user004@user004.com';

  static const String user005username = 'User005';
  static const String user005password = 'User005User';
  static const String user005email = 'user005@user005.com';

  static const String user001GroupIDsBox = 'user_001_group_ids';
  static const String user004GroupIDsBox = 'user_004_group_ids';

  List<String> user001GroupIDs = ();
  List<String> user004GroupIDs = ();

  List<ParseObject> user001GroupData = (
    ParseObject('Color')..set('color', 'blue')..set('darkness', 2)..set('lightness', 2),
    ParseObject('Color')..set('color', 'yellow')..set('darkness', 5)..set('lightness', 1),
    ParseObject('Color')..set('color', 'red')..set('darkness', 1)..set('lightness', 5),
    ParseObject('Color')..set('color', 'green')..set('darkness', 3)..set('lightness', 3),
  );

  List<ParseObject> user004GroupData = (
    ParseObject('Color')..set('color', 'brown')..set('darkness', 5)..set('lightness', 4),
    ParseObject('Color')..set('color', 'pink')..set('darkness', 3)..set('lightness', 5),
    ParseObject('Color')..set('color', 'purple')..set('darkness', 2)..set('lightness', 4),
    ParseObject('Color')..set('color', 'orange')..set('darkness', 4)..set('lightness', 1),
  );

  ///
  ///
  /// Creates all users on Parse server
  Future<void> createAllUsers() async {
    final ParseUser user001 = ParseUser.createUser(user001username, user001password, user001email);
    ParseResponse creationRequest001 = await user001.signUp();
    (creationRequest001.success)
        ? print('User 001 created successfully')
        : print(creationRequest001.error!.message);

    final ParseUser user002 = ParseUser.createUser(user002username, user002password, user002email);
    ParseResponse creationRequest002 = await user002.signUp();
    (creationRequest002.success)
        ? print('User 002 created successfully')
        : print(creationRequest002.error!.message);

    final ParseUser user003 = ParseUser.createUser(user003username, user003password, user003email);
    ParseResponse creationRequest003 = await user003.signUp();
    (creationRequest003.success)
        ? print('User 003 created successfully')
        : print(creationRequest003.error!.message);

    final ParseUser user004 = ParseUser.createUser(user004username, user004password, user004email);
    ParseResponse creationRequest004 = await user004.signUp();
    (creationRequest004.success)
        ? print('User 004 created successfully')
        : print(creationRequest004.error!.message);

    final ParseUser user005 = ParseUser.createUser(user005username, user005password, user005email);
    ParseResponse creationRequest005 = await user005.signUp();
    (creationRequest005.success)
        ? print('User 005 created successfully')
        : print(creationRequest005.error!.message);
  }

  ///
  ///
  /// Compiles list of authorized users to user001 group
  Future<void> createUser001Group() async {
    final user001 = ParseUser(user001username, user001password, user001email);
    final user001LoginAttempt = await user001.login();
    if (user001LoginAttempt.success) {
      print('User 001 login successful');
      var box = await Hive.openBox<String>(user001GroupIDsBox);
      await box.add(user001.objectId!);
      await user001.logout();
    }

    sleep(Duration(seconds: 1));
    final user002 = ParseUser(user002username, user002password, user002email);
    final user002LoginAttepmt = await user002.login();
    if (user002LoginAttepmt.success) {
      print('User 002 login successful');
      var box = await Hive.openBox<String>(user001GroupIDsBox);
      await box.add(user002.objectId!);
      await user002.logout();
    }

    sleep(Duration(seconds: 1));
    final user003 = ParseUser(user003username, user003password, user003email);
    final user003LoginAttempt = await user003.login();
    if (user003LoginAttempt.success) {
      print('User 003 login successful');
      var box = await Hive.openBox<String>(user001GroupIDsBox);
      await box.add(user003.objectId!);
      await user003.logout();
    }
  }

  ///
  ///
  /// Compiles list of authorized users to user004 group
  Future<void> createUser004Group() async {
    final user004 = ParseUser(user004username, user004password, user004email);
    final user004LoginAttempt = await user004.login();
    if (user004LoginAttempt.success) {
      print('User 004 login successful');
      var box = await Hive.openBox<String>(user004GroupIDsBox);
      await box.add(user004.objectId!);
      await user004.logout();
    }

    sleep(Duration(seconds: 1));
    final user005 = ParseUser(user005username, user005password, user005email);
    final user005LoginAttempt = await user005.login();
    if (user005LoginAttempt.success) {
      print('User 005 login successful');
      var box = await Hive.openBox<String>(user004GroupIDsBox);
      await box.add(user005.objectId!);
      await user005.logout();
    }
  }

  ///
  ///
  /// Save user001 data to server with group ACLs
  Future<void> saveUser001GroupData() async {
    final acls = ParseACL();
    var box = await Hive.openBox<String>(user001GroupIDsBox);
    user001GroupIDs = box.values.toList();

    for (final id in user001GroupIDs) {
      acls.setReadAccess(userId: id, allowed: true);
      acls.setWriteAccess(userId: id, allowed: true);
    }

    for (final color in user001GroupData) {
      color.setACL(acls);
      await color.save();
    }
  }

  ///
  ///
  /// Save user004 data to server with group ACLs
  Future<void> saveUser004GroupData() async {
    final acls = ParseACL();
    var box = await Hive.openBox<String>(user004GroupIDsBox);
    user004GroupIDs = box.values.toList();

    for (final id in user004GroupIDs) {
      acls.setReadAccess(userId: id, allowed: true);
      acls.setWriteAccess(userId: id, allowed: true);
    }

    for (final color in user004GroupData) {
      color.setACL(acls);
      await color.save();
    }
  }

  ///
  ///
  /// Test authorized access- user002 to access user001 group database
  Future<void> authorizedAccess() async {
    final user002 = ParseUser(user002username, user002password, user002email);
    final user002LoginAttepmt = await user002.login();
    if (user002LoginAttepmt.success) {
      print('User 002 login successful');

      QueryBuilder<ParseObject> colorQuery = QueryBuilder<ParseObject>(ParseObject('Color'));
      final ParseResponse response = await colorQuery.query();

      if (response.success && response.results != null) {
        print(response.results.toString());
      }
      await user002.logout();
      print('User 002 logged out successfully');
    }
  }

  ///
  ///
  /// Test unauthorized access- no login tolken
  Future<void> unauthorizedAccess() async {
      QueryBuilder<ParseObject> colorQuery = QueryBuilder<ParseObject>(ParseObject('Color'));
      final ParseResponse response = await colorQuery.query();

      if (response.success && response.results != null) {
        print(response.results.toString());
      } else {
        print('Error: ' + response.error!.message.toString());
      }
  }
}

vulnerability – Differentiating bugs from vulnerabilities and extracting vulnerabilities from GitHub issue reports

I am performing an empirical study on deep learning libraries and therefore have collected issue reports from these deep learning libraries on GitHub. PyTorch, Keras, Caffe,scikit-learn, ApacheMXNet, Tensorflow

I have used these keywords to extract the bug reports as I have found that these appear often in actual CVEs.

  1. Buffer overflow – stack overflow, heap overflow, buffer overflow
  2. Integer overflow – integer overflow, underflow
  3. Out of bounds access – OOB, out-of-bounds
  4. Segmentation fault – segfault, segmentation fault
  5. Denial of Service – DOS, crash (only one that works)
  6. Memory/Data corruption – memory corruption, data corruption
  7. Type confusion – type confusion
  8. Division by zero – divide by zero, division by zero
  9. Incomplete validation – validation , incomplete validation, invalid validation
  10. Null pointer dereference – null pointer, nullptr
  11. Data leak – data leak, memory leak
  12. Integer truncation – truncation

However, only Tensorflow has a detailed CVE database and the rest have no CVEs or vulnerability reports. I have been informed by my supervisor that I will need to draw a clear distinction between bugs and vulnerabilities and I have been asked to do some research on how to differentiate bugs from vulnerabilities and how to determine if a bug report is a vulnerability.

I would like to ask for help and advice on how to do so.

The ideas that I currently have to determine if a bug report is a vulnerability is

  1. See if the bug report is exploitable by people

  2. See if there are code fixes for the bug report – I have been advised to check if a bug report has a fix, it may be exploitable by people.

If you would like to see the dataset that I have, feel free to DM me.

If anyone has any advice, research papers, or ideas on how to differentiate bugs from vulnerabilities, please feel free!

windows – How are vulnerabilities like PrintNightmare CVE-2021-34527 discovered?

Regarding the newly discovered vulnerability PrintNightmare CVE-2021-34527 that has existed for years without being discovered, currently affecting almost all versions of Windows, server and workstation alike, and for which there is no patch as of the time of this writing July 3rd 2021, the best recommendation currently is to disable the print spooler until further notice.

My main question is, are vulnerabilities like that discovered through random fuzzing or careful testing/input crafting?

If we rewind to the moment the vulnerable piece of code was written back then, was it something that could have been caught by a more experienced programmer, or not and this is just an unfortunate complex interaction in a complex system?

Hypothetically, could a vulnerability like that been resolved much earlier by making the print spooler source code open source, without necessarily making all of the operating system’s source code open source? Would that outweigh the cost of the vulnerability that they have to deal with now for a proprietary source code company like Microsoft?

apt – Python3 vulnerabilities – Ask Ubuntu

Can anyone help me to understand difference between these two python outputs.

root@ip-10-30-20-21:~# apt install python3
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3 is already the newest version (3.6.7-1~18.04).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.


root@ip-10-30-20-21:~# apt install python3.6
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3.6 is already the newest version (3.6.9-1~18.04ubuntu1.4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

root@ip-10-30-20-21:~# python3 --version
Python 3.6.9

My problem is Python 3.6.9 has lot of security vulnerabilities such as CVE-2021-3177. As per https://ubuntu.com/security/cve-2021-3177 this vulnerability has been fixed in (3.6.9-1~18.04ubuntu1.4) and released.

OS servers are up2date with the latest Ubuntu patches. However, My VA tool still reporting the same vulnerabilities are still exists in these systems. Does anyone know why this is happening and any idea to overcome this?

I hope this is happening my because my default python3 version still shows Python 3.6.9 as in last command output. Can anyone advice on this?

Have there been remotely exploitable, zero-click, wormable vulnerabilities in popular Linux distros?

What I’m asking is if there have ever been any vulnerabilities of the following kind, especially recently, and if so how many or how common they have been.

The vulnerability:

  • Must be present in the OS/distro in its default configuration. For example, a vulnerability in Photoshop doesn’t count, because Photoshop isn’t installed by default in any OS that I know of.
  • Must be exploitable from the network (either from LAN or WAN, it doesn’t matter, all it matters is that no physical access should be required).
  • Must be a zero-click flaw, so user interaction should not be required at all. Not even triggered by social engineering: the OS should be able to be compromised just because it’s running and connected to a network, with nobody at the keyboard).
  • Must be in a relatively popular OS/distro, so "Rare Distro Linux" or "Temple OS" don’t count. I’m interested in Linux-based or Linux-related environments, but if you also have examples from other areas you can mention them for completeness (I think some WinXP release would qualify but I’m not sure).