fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

GitHub Finds 7 Code Execution Vulnerabilities in ‘tar’ and npm CLI

GitHub Finds 7 Code Execution Vulnerabilities in ‘tar’ and npm CLI

GitHub security team has identified several high-severity vulnerabilities in npm packages, “tar” and “@npmcli/arborist,” used by npm CLI.

The tar package receives 20 million weekly downloads on average, whereas arborist gets downloaded over 300,000 times every week.

The vulnerabilities affect both Windows and Unix-based users, and if left unpatched, can be exploited by attackers to achieve arbitrary code execution on a system installing untrusted npm packages.

Bug bounty hunters awarded $14,500 for ZIP slips

Between July and August this year, security researchers and bug bounty hunters Robert Chen and Philip Papurt identified arbitrary code execution vulnerabilities in the open-source Node.js packages, tar and @npmcli/arborist.

On discovery of these vulnerabilities, the researchers privately notified npm via one of GitHub’s bug bounty programs.

On further review of the researchers’ reports, GitHub security team found some more high-severity vulnerabilities in the aforementioned packages, affecting both Windows and Unix-based systems.

Also Read: IT Governance Framework PDF Best Practices And Guidelines

Node.js package tar remains a core dependency for installers that need to unpack npm packages post-installation. The package is also used by thousands of other open source projects, and as such receives roughly 20 million downloads every week. The arborist package is a core dependency relied on by npm CLI and is used to manage node_modules trees.

These ZIP slip vulnerabilities pose a problem for developers installing untrusted npm packages using the npm CLI, or using “tar” to extract untrusted packages.

By default, npm packages are shipped as .tar.gz or .tgz files which are ZIP-like archives and as such need to be extracted by the installation tools.

The tools extracting these archives should ideally ensure any malicious paths within the archive don’t end up overwriting existing files, especially the sensitive ones, on the filesystem.

But, because of the vulnerabilities listed below, the npm package when extracted could overwrite arbitrary files with the privileges of the user running the npm install command:

  1. CVE-2021-32803
  2. CVE-2021-32804
  3. CVE-2021-37701
  4. CVE-2021-37712
  5. CVE-2021-37713
  6. CVE-2021-39134
  7. CVE-2021-39135

“CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a security impact on the npm CLI when processing a malicious or untrusted npm package install,” explains Mike Hanley, Chief Security Officer at GitHub.

“Some of these issues may result in arbitrary code execution, even if you are using –ignore-scripts to prevent the processing of package lifecycle scripts.”

GitHub Security team thanked both Chen and Papurt for their responsible disclosure and awarded them a total bounty of $14,500 for their efforts in keeping GitHub secure.

Also Read: Steps On How To Create Complain About Telemarketing Calls

npm urging users to fix vulnerabilities

npm, owned by GitHub, is also prompting developers to fix these vulnerabilities ASAP in a tweet:

action recommended: following newly discovered vulnerabilities in `tar` and `@npmcli/arborist`, we recommend upgrading to the latest versions of @nodejs 12 / 14 / 16 or npm 6 / 7 as well as updating any dependencies you may have on `tar`. read more: https://t.co/t4WaVwJ0mx— npm (@npmjs) September 8, 2021

Developers should upgrade their tar dependency versions to 4.4.19, 5.0.11, or 6.1.10, and upgrade @npmcli/arborist version 2.8.2 to patch the vulnerabilities.

For npm CLI, versions v6.14.15v7.21.0, or newer contain the fix. Additionally, Node.js version 12, 14, or 16 come with the fixed tar version and can be safely upgraded to, according to GitHub.

Complete details related to these vulnerabilities are available in GitHub’s detailed blog post.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us