CVE-2023-39532
SES Dynamic Import Escalation vulnerability
Description
SES is a JavaScript environment that allows safe execution of arbitrary programs in Compartments. In versions 0.18.0 prior to 0.18.7, 0.17.0 prior to 0.17.1, 0.16.0 prior to 0.16.1, 0.15.0 prior to 0.15.24, 0.14.0 prior to 0.14.5, and 0.13.0 prior to 0.13.5, there is a hole in the confinement of guest applications under SES that may manifest as either the ability to exfiltrate information or to execute arbitrary code, depending on the configuration and implementation of the surrounding host. A guest program running inside a Compartment with as few as no endowments can gain access to the surrounding host's dynamic import by using dynamic import after the spread operator, like `{...import(arbitraryModuleSpecifier)}`.

On the web or in web extensions, a Content-Security-Policy following ordinary best practices likely mitigates both the risk of exfiltration and the execution of arbitrary code, at least limiting the modules that the attacker can import to those that are already part of the application. However, without a Content-Security-Policy, dynamic import can be used to issue HTTP requests, either for communication through the URL or for the execution of code reachable from that origin.

Within an XS worker, an attacker can use the host's module system to the extent that the host has been configured. This typically only allows access to module code on the host's file system and is of limited use to an attacker.

Within Node.js, the attacker gains access to Node.js's module system. Importing the powerful builtins is of little use except insofar as importing them has side effects, and it is further tempered by the fact that dynamic import returns a promise: spreading a promise into an object renders the promise useless. However, Node.js allows importing data URLs, so this is a clear path to arbitrary execution.

Versions 0.18.7, 0.17.1, 0.16.1, 0.15.24, 0.14.5, and 0.13.5 contain a patch for this issue. Some workarounds are available.
On the web, providing a suitably constrained Content-Security-Policy mitigates most of the threat. With XS, building a binary that lacks the ability to load modules at runtime mitigates the entirety of the threat. That will look like an implementation of `fxFindModule` in a file like `xsPlatform.c` that calls `fxRejectModuleFile`.
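The two defender-side checks that follow are an added example written for this page; they are not code from the advisory or from the endo project. The first, `isVulnerableSesVersion`, tests an installed `ses` version against the affected ranges listed in the description above. The second, `auditCspForDynamicImport`, inspects a Content-Security-Policy header value and reports whether it still leaves dynamic `import()` free to load modules from arbitrary origins or from `data:` URLs, which is the web workaround the description and this paragraph rely on. Both function names, the `AFFECTED_RANGES` table layout and the `BROAD_SOURCES` list are this example's own; the check also assumes that module loads via `import()` are governed by `script-src` (falling back to `default-src`).

```javascript
// Added example, not part of the advisory or the endo project.

// Affected ranges taken from the advisory text: [from, fixed) per minor line.
const AFFECTED_RANGES = [
  { from: [0, 13, 0], fixed: [0, 13, 5] },
  { from: [0, 14, 0], fixed: [0, 14, 5] },
  { from: [0, 15, 0], fixed: [0, 15, 24] },
  { from: [0, 16, 0], fixed: [0, 16, 1] },
  { from: [0, 17, 0], fixed: [0, 17, 1] },
  { from: [0, 18, 0], fixed: [0, 18, 7] },
];

// Parse "major.minor.patch" (optionally prefixed with "v"); pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given ses version lies inside one of the affected ranges.
function isVulnerableSesVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.from) >= 0 && compareVersions(v, r.fixed) < 0,
  );
}

// Source expressions that leave script loading effectively unbounded. The advisory names
// data: URLs as the path to code execution under Node.js; in a browser policy a data:
// source in script-src is the comparable weakening, so it is flagged here too.
const BROAD_SOURCES = new Set(['*', 'http:', 'https:', 'data:', 'blob:']);

// Split a CSP header value into a map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Returns { ok, reasons }; reasons lists why the policy fails to bound dynamic import().
// Assumption: import() is governed by script-src, with default-src as the fallback.
function auditCspForDynamicImport(header) {
  const reasons = [];
  if (!header || !header.trim()) {
    return { ok: false, reasons: ['no Content-Security-Policy header'] };
  }
  const directives = parseCsp(header);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (!sources) {
    reasons.push('neither script-src nor default-src is set; import() is unrestricted');
    return { ok: false, reasons };
  }
  for (const s of sources) {
    const lower = s.toLowerCase();
    if (BROAD_SOURCES.has(lower)) reasons.push(`overly broad source ${s}`);
    // Wildcard hosts such as https://*.example.com widen the set of reachable origins.
    if (/^(\w+:\/\/)?\*\./.test(lower)) reasons.push(`wildcard host ${s}`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Usage with constructed inputs:
console.log(isVulnerableSesVersion('0.18.6'), isVulnerableSesVersion('0.18.7'));
console.log(auditCspForDynamicImport("default-src 'self'; script-src 'self' data:"));
```

The CSP audit is deliberately conservative: a policy that merely omits `script-src` and `default-src` is reported as failing even if other directives are strict, because nothing in such a policy constrains where a module fetched through `import()` may come from. Hash or nonce sources are left alone, since they restrict rather than widen the allowed set.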
INFO
Published Date: Aug. 8, 2023, 5:15 p.m.
Last Modified: Nov. 21, 2024, 8:15 a.m.
Source: [email protected]
Remotely Exploitable: Yes
Impact Score: 5.9
Exploitability Score: 3.9
References to Advisories, Solutions, and Tools
Here you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-39532.
URL | Resource |
---|---|
https://github.com/endojs/endo/commit/fc90c6429604dc79ce8e3355e236ccce2bada041 | Patch |
https://github.com/endojs/endo/security/advisories/GHSA-9c4h-3f7h-322r | Exploit, Patch, Vendor Advisory |
The following table lists the changes that have been made to the CVE-2023-39532 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by af854a3a-2127-422b-91ae-364da2661108 (Nov. 21, 2024)
  - Added Reference: https://github.com/endojs/endo/commit/fc90c6429604dc79ce8e3355e236ccce2bada041
  - Added Reference: https://github.com/endojs/endo/security/advisories/GHSA-9c4h-3f7h-322r
- CVE Modified by [email protected] (May 14, 2024)
  - No value changes recorded.
- Initial Analysis by [email protected] (Aug. 15, 2023)
  - Added CVSS V3.1 (NIST): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  - Changed Reference Type for https://github.com/endojs/endo/commit/fc90c6429604dc79ce8e3355e236ccce2bada041: No Types Assigned -> Patch
  - Changed Reference Type for https://github.com/endojs/endo/security/advisories/GHSA-9c4h-3f7h-322r: No Types Assigned -> Exploit, Patch, Vendor Advisory
  - Added CWE (NIST): NVD-CWE-noinfo
  - Added CPE Configuration (OR):
    - cpe:2.3:a:agoric:ses:*:*:*:*:*:node.js:*:* versions from (including) 0.13.0 up to (excluding) 0.13.5
    - cpe:2.3:a:agoric:ses:*:*:*:*:*:node.js:*:* versions from (including) 0.14.0 up to (excluding) 0.14.5
    - cpe:2.3:a:agoric:ses:*:*:*:*:*:node.js:*:* versions from (including) 0.15.0 up to (excluding) 0.15.24
    - cpe:2.3:a:agoric:ses:0.16.0:*:*:*:*:node.js:*:*
    - cpe:2.3:a:agoric:ses:0.17.0:*:*:*:*:node.js:*:*
    - cpe:2.3:a:agoric:ses:*:*:*:*:*:node.js:*:* versions from (including) 0.18.0 up to (excluding) 0.18.7
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-39532 is associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-39532 weaknesses.
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
Score: 0.91%
Percentile: 0.79250