Nexus Intelligence Insights: CVE-2018-16487 Lodash RCE + ‘prototype’ pollution

Lodash is a very popular Javascript library used by developers worldwide to simplify and consolidate their code. Users of lodash are able to reap the benefits of more elegant code in less time by utilizing the robust lodash library. However, what was created as a helpful feature for most, lends itself to an attack vector for bad actors if it isn’t managed properly. 

Name of Vulnerability:  CVE-2018-16487 (as a result of an incomplete fix made for  CVE-2018-3721)

Type of Vulnerability: DoS, Remote code execution

Component Name: lodash (as present in npm)

Versions Affected: [4.17.5, 4.17.11)

Criticality: 

CVSS 3.0 Score: 9.8

CVSS 3.0 Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Advisory Deviation: The Sonatype security research team discovered that the root cause of this vulnerability was introduced in version 4.17.5 due to an incomplete fix made for CVE-2018-3721. As a result, contrary to what the advisory states, only versions between 4.17.5 and 4.17.11 (exclusive) have been implicated for CVE-2018-16487. Vulnerable versions prior to 4.17.5 are still covered by CVE-2018-3721.

Vulnerability Description:

The `lodash` package is vulnerable to Prototype Pollution. The `safeGet()` function in the `lodash.js` file fails to restrict the addition or modification of properties of Object prototypes. A remote attacker can exploit this vulnerability by crafting and submitting a request containing malicious JSON to an endpoint that accepts JSON data. The attacker can leverage this vulnerability to modify Object prototype properties which, depending on the behavior of the object within the application, can result in a Denial of Service (DoS) or potentially Remote Code Execution (RCE).

Attack Mechanics:

JavaScript,  being a prototyping language has a “__proto__” property associated with all objects inherently and “prototype” property inherent to all functions. Put simply, it is a functionality provided by (Read more...)