Table of Contents
  • Home
  • /
  • Blog
  • /
  • How to Fix CVE-2022-23529- High Severity (RCE) Remote Code Execution Vulnerability in JsonWebToken Library?
January 12, 2023
|
7m

How to Fix CVE-2022-23529- High Severity (RCE) Remote Code Execution Vulnerability in JsonWebToken Library?


How To Fix Cve 2022 23529 High Severity Rce Remote Code Execution Vulnerability In Jsonwebtoken Library

Artur Oleyarsh, a security researcher from Palo Alto Networks Unit 42 team, reported a high-severity remote code execution vulnerability in the JsonWebToken library. The vulnerability has been tracked under the identifier CVE-2022-23529 and is considered high severity since it has got a CVSS score of 7.6 out of 10 on the CVSS scale. The high-severity flaw allows adversaries to overwrite arbitrary files on the victim machine and carry out any action using a poisoned secret key. Simply exploiting the vulnerability would lead to remote code execution on a victim server. Considering its severity and exploitability abilities, we urge users of the JsonWebToken Library to fix the vulnerability as soon as possible. We published this post that let you know how to fix CVE-2022-23529, a remote code execution vulnerability in JsonWebToken Library.

Before we jump into the details of the vulnerability, it is required to know about the JsonWebToken Library, the structure of JWT tokens, and the authentication process. Let’s start exploring one after another.

A Short Note About the JsonWebToken Library

JsonWebToken is a widely used open-source JavaScript library for handling JSON Web Tokens (JWTs). The library provides a convenient way to securely store and send user authentication credentials across multiple services. It is based on the JSON Web Token (JWT) standard that enables secure authentication and authorization between two systems, such as an online application and a service provider. This library makes it easy to generate, sign, and encrypt tokens for authentication and allows for the integrated management of user claims.

The library is developed and maintained by Auth0 and written in JavaScript, and supports a variety of platforms, including Node.js and browser-based applications. It also provides a set of helpful APIs that allow developers to quickly and easily generate JWT tokens as needed. This makes it an ideal tool to verify and sign JWTs for quickly creating secure user authentication systems, as well as for integrating with other 3rd-party services.

JWT is a JSON object which consists of three parts, each separated by a dot(.). These three parts are:

  1. Header: This contains information about how the JWT is encoded. Typically it consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

  2. Payload: This contains the claims. Claims are statements about an entity (typically, the user) and additional metadata. There are three types of claims: registered, public, and private claims.

  3. Signature: This is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn’t changed along the way. The signature is created using the header and payload.

How Does a Typical JWT Look Like?

JWT format: HEADER.PAYLOAD.SIGNATURE

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

If you decode the above token, you will see the actual header, payload, and signature information.

Header: In this case is “HS256” is algorithm and “JWT” is type.

{  
"alg": "HS256",  
"typ": "JWT"
}

Payload: n this case, the user information.

{  
"sub": "1234567890",  
"name": "John Doe",  
"iat": 1516239022
}

Signature: It’s calculated by applying taking encoded header, payload and a secret key into this formula.

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The formula used to calculate the Signature of JWT.

HMACSHA256( 
  base64UrlEncode(header) + "." + 
  base64UrlEncode(payload), 
  secret_key 
)

Note: JWT is self-contained, meaning it carries all the information necessary to verify the token, so no additional calls to the database are needed.

The Role of JWT in Authentication Process

To know about the vulnerability, it is important to understand the role of JWT tokens in Authentication process. Let’s see the authentication process in bullet points.

Diagram of the process of authentication with JWT. (Source: Palo Alto)

  1. The user attempts to log in to the system by providing their credentials (such as a username and password) to the authentication endpoint.

  2. divyak

  3. If the credentials are valid, the authentication server generates a JWT, which contains claims about the user, and signs it with a secret key.

  4. The JWT is returned to the user and is typically stored in the user’s browser as a cookie or in a browser’s local storage.

  5. For each subsequent request, the user sends the JWT as part of the request, typically in the Authorization header.

  6. The resource server, upon receiving a request, verifies the authenticity of the JWT using the secret key and the information it contains, such as expiration date and the payload.

  7. Before the user is granted access to the requested resource, the JWT’s authenticity is verified using the secret key. This ensures that the token has not been tampered with and that the user has the appropriate permissions to access the requested information.

  8. If the JWT is verified, the user is granted access to the protected resource. If the token is failed to verify, the user is denied access and a 401 error message is returned, or If the JWT has expired, the user is required to log in again and get a new token.

IMP Note: if the secret keys are not stored securely, an attacker who can control the secret key will be able to execute code on a host verifying JWT and use that access to extract or change the sensitive data.

Summary of CVE-2022-23529

According to Artur Oleyarsh, who disclosed this flaw, “in order to exploit the vulnerability described in this post and control the secretOrPublicKey value, an attacker will need to exploit a flaw within the secret management process. Thus, due to the complexity of this vulnerability, we suggested a CVSS score of 7.6”
– Artur Oleyarsh

This is a high-severity vulnerability in the JsonWebToken library. Attackers would abuse this vulnerability which further leads to overwriting arbitrary files on the victim’s machine and carrying out any action using a poisoned secret key. The actual vulnerability lies in the insecure input validation in jwt.verify function in JWT. This allows an attacker to exploit this flaw just by crafting a malicious JSON web token (JWT) request with the poisoned secret key.

The vulnerability tracked under the identifier CVE-2022-23529 is considered high severity since it has got a base score of 7.6 out of 10 on the CVSS scale. Please see the CWE vector details in the below table.

Associated CVE IDCVE-2022-23529
DescriptionA high severity Remote Code Execution Vulnerability in JsonWebToken Library
Associated ZDI ID
CVSS Score7.6 High
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Impact Score54.7
Exploitability Score2.8
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)Low
Integrity (I)High
availability (a)Low

How to Fix CVE-2022-23529- High Severity (RCE) Remote Code Execution Vulnerability in JsonWebToken

According to the technical details, the flaw affects all the versions below v9.0.0. In v9.0.0, proper input validation is implemented in the jwt.verify function. The moderators urge to migrate the JsonWebToken Library to 9.x version to fix the CVE-2022-23529 vulnerability.

Please refer to these migration notes to migrate the JsonWebToken library.

For more information, please refer: https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback

We hope this post would help you know how to fix CVE-2022-23529, a remote code execution vulnerability in JsonWebToken Library. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblrMedium & Instagram, and subscribe to receive updates like this. 

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Vulnerabilities

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe