Nexus Intelligence Insights: CVE-2018-1109-Braces Regular expression Denial of Service (ReDoS) attack

 

Summer is well underway and our Data Security Research team has been hard at work. Ax is back with us once again, after his video vacation last month. Welcome back, Ax. This month we will cover a Regular Expression vulnerability leading to Denial of Service (ReDoS).

What makes regex-based matching attractive to developers is its efficiency and ease of use when it comes to string matching and filtering operations. However, because regex makes multiple pathways possible for achieving the same outcome, even the slightest mistake in an expression opens up the potential for that particular expression to cause a security vulnerability.

ReDoS vulnerabilities commonly occur when the regular expression being used to evaluate a string doesn’t take into account the possibility of large sized inputs. In the event that the input string is enormously large, the regex matching engine may consume a large amount of CPU resources. If a skilled attacker can repeat this process several times, a DoS condition will occur on the target host, all because of a string matching operation taking up all available memory. 

Name of Vuln/Sonatype ID: CVE-2018-1109 aka SONATYPE-2018-0081

Type of Vulnerability: Denial of Service attack

Components Affected: npm braces: [2.2.0,2.3.1)

Vulnerability Description:

The `braces` component is vulnerable to a Regular expression Denial of Service (ReDoS) attack because the `multiplier` function in `parsers.js` contains a regular expression which isn’t optimized, processing user input. An attacker can craft and inject malicious input that will cause catastrophic backtracking in the regular expression engine by leveraging what the engine was designed to do – process all possibilities as it attempts to find a match. This extensive processing hangs the system within a matter of seconds.

Attack Mechanics:

Most regex engines behave in a very similar fashion by matching the first (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Elisa Velarde. Read the original post at: https://blog.sonatype.com/nexus-intelligence-insights-cve-2018-1109-braces-regular-expression-denial-of-service-redos-attack-0