#nodejs

### Summary For the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance—particularly with a malicious `link` parameter in the `headers` section of the `request`—can trigger a ReDoS attack. ### Details The issue occurs at [line 39](https://github.com/octokit/plugin-paginate-rest.js/blob/main/src/iterator.ts) of iterator.ts in the @octokit/plugin-paginate-rest repository. The relevant code is as follows: ```js url = ((normalizedResponse.headers.link || "").match( /<([^>]+)>;\s*rel="next"/, ) || [])[1]; ``` The regular expression `/<([^>]+)>;\s*rel="next"/` may lead to a potential backtracking vulnerability, resulting in a ReDoS (Regular Expression Denial of Service) attack. This could cause high CPU utilization and even service slowdowns or freezes when processing specially crafted `Link` headers. ### PoC [The gist of PoC.js](https://gist.github.com/ShiyuBanzhou/d3f2ad000be8384d2105c87c2ed7ce7d) 1. run npm i ...

### Summary By crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. ### Details The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62: ```ts headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]); ``` The regular expression `/[\w-]+(?=-preview)/g` encounters a backtracking issue when it processes `a large number of characters` followed by the `-` symbol. e.g., the attack string: ```js "" + "A".repeat(100000) + "-" ``` ### PoC [The gist](https://gist.github.com/ShiyuBanzhou/a17202ac1ad403a80ca302466d5e56c4) Here is the reproduction process for the vulnerability: 1. run 'npm i @octokit/endpoint' 2. Move `poc.js` to the root dir...

A vulnerability exists due to an insecure backup.tgz file that, when obtained, contains sensitive system files, including main.db, SSL/TLS certificates and keys, the system shadow file with hashed passwords, and the license key. Although authentication is required to access the backup, an attacker with access could extract these files to retrieve stored credentials, decrypt secure communications, and escalate privileges by cracking password hashes. This exposure poses a significant security risk, potentially leading to unauthorized access, data breaches, and full system compromise.

A timing attack vulnerability exists in ABB Cylon FLXeon's authentication process due to improper comparison of password hashes in login.js and uukl.js. Specifically, the verifyPassword() function in login.js and the verify() function in uukl.js both calculate the password hash and compare it to the stored hash. In these implementations, small differences in response times are introduced based on how much of the password or the username matches the stored hash, making the system vulnerable to timing-based analysis.

A vulnerability exists in the ABB Cylon FLXeon controller that allows unauthenticated access to the Building Management System (BMS) or Building Automation System (BAS) dashboard. This exposes sensitive information, including system status, events, and alarms related to HVAC operations. Additionally, an attacker could manipulate environmental controls such as temperature settings, potentially disrupting building climate regulation and operational safety.

User sessions on ABB Cylon FLXeon controllers remain active for up to seven days, even after a client-side logout. Clicking "Log Out" does not properly revoke the session on the server, allowing attackers with access to stolen session tokens to maintain unauthorized access. This increases the risk of session hijacking and privilege abuse.

The ABB Cylon FLXeon BACnet controller uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.

The ABB Cylon FLXeon BACnet controller suffers from insecure CORS configuration. Allowing all origins (app.options('*', cors()); can expose the API to data leaks, resource abuse, and potential XSS attacks.

An authenticated attacker can access sensitive information via the system logs page of ABB Cylon FLXeon controllers. The logs expose critical data, including the OpenSSL password for stored certificates. This information can be leveraged for further attacks, such as decrypting encrypted communications, impersonation, or gaining deeper system access.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SCALANCE W700 Vulnerabilities: Double Free, Improper Restriction of Communication Channel to Intended Endpoints, Improper Resource Shutdown or Release, Inadequate Encryption Strength, Race Condition, Integer Overflow or Wraparound, Out-of-bounds Write, NULL Pointer Dereference, Externally Controlled Reference to a Resource in Another Sphere, Use After Free, Type Confusion, Improper Certificate Validation, Missing Release of Memory after Effective Lifetime, Uncontrolled Resource Consumption, Out-of-bounds Read, Inefficient Regular Expression Complexity, In...