The well-known JsonWebToken (JWT) open-source encryption project has a high-severity vulnerability (CVE-2022-23529) that attackers might exploit to get remote code execution (RCE) on a target encryption server. The JWT open standard outlines a process for securely sending data by encrypting and signing JSON data.
The server verifies a maliciously constructed JSON web token request as a result of an exploit for the vulnerability, claim researchers from Palo Alto Networks’ Unit 42. According to Unit 42 security researcher Artur Oleyarsh, “running malicious code on a server could make large harm and loss of confidentiality, integrity, and it also may cause a denial of service.”
The attacking potential and the ramifications once the system is sensitive for a remote code execution are significant, as other systems connected to and communicating with the vulnerable server may also be affected. Everyone using JWT versions before and including v8.5.1 is at risk of the problem. The package’s patched version is v9.0.0, according to a posting from Unit 42 on January 9.
The Flaws In JSON Web Tokens
According to Oleyarsh, JSON Web token vulnerabilities are typically caused by various token forging strategies that let a hostile actor get around authentication and authorization controls. They can now “take over accounts, impersonate people, and increase privileges,” the author claims. However, “This most recent vulnerability is special for a number of reasons. First, we are discussing running code on a host to validate JSON web tokens.”
The flaw gives a cyber attacker access to a key retrieval measure of the “jwt.verify” function rather than circumventing authentication or authorization procedures (known as secretOrPublicKey). Unit 42 was able to overwrite the “toString()” method of the key object in a proof-of-concept hack.
According to Oleyarsh, the toString() method is inherited by any object in JavaScript that derives from the object.prototype class. Therefore, if the key object is under our control and there is a blindly trusted call to that method, we can replace its toString() with malicious code and run arbitrary code.
Growing Open Source Use And Cyberthreat Level
The interest of cyberattackers in leveraging software components and components like JWT as an attack vector rises along with the use of open-source software (OSS).
Threat actors are constantly searching for known vulnerabilities and quickly exploiting them, according to Oleyarsh. “I believe we will see an increase in assaults utilizing OSS security flaws if OSS security is not given the attention and awareness it needs.” He claims that security practitioners must collaborate and contribute as a community to make OSS software safer.
Some OSS developers and maintainers are creating solutions with security in mind, which entails:
- Regularly repairing security flaws,
- Checking for susceptible dependencies, and
- Maintain and publish security advisories so users can apply patches for the secure versions.
More and more resources have been made available to aid defense, identity and access management, and security operations center teams in identifying weak points. For instance, the December-released Google OSV-Scanner creates a list of needs in a software development project and searches the OSV database for known vulnerabilities.
According to Oleyarsh, “some are doing a tremendous job in coming up with wonderful and inventive solutions for a variety of problems and making it available for use by anyone without charge.” “Utilizing OSS package scanners to check for vulnerable versions of OSS lists you are using, as well as for susceptible dependencies, is a recommended practice if you are using OSS within your organization.”
Google is pushing the commercial sector to back the initiative while also lending its strong support to a planned US government-led regulatory framework targeted at bolstering security for open-source software.
From a manual standpoint, Oleyarsh continues, teams should regularly check the security advisories pages of the open source software (OSS) projects they use to stay abreast of bugs. To inform that process, they should also think about adding software composition analysis (SCA) tools to assist in tracking all the open-source codes and modules used by a project.
Following that, he advises, “it is a good habit alert the maintainers via a private chat and report the issue and even provide and discuss the fix.” “Whenever you find a flaw that affects security.“
Guidelines For Using JSON Web Tokens
Today, applications that exchange security information frequently employ JSON Web Tokens. However, they could be more foolproof and might let in intruders. Therefore, the following are five best practices you must adhere to when using JSON Web Tokens.
1. Select the Most Suitable Algorithm
Three components comprise a JSON Web Token: The Header, Payload, and Signature. The signing algorithm and the type of token are both specified in the header. Employ a strong key when choosing a signature algorithm if you use symmetric key algorithms because they are vulnerable to brute force attacks. The fact that the private key is only maintained on the server side to sign the token simplifies key custody in other ways thanks to asymmetric signing algorithms.
2. Constantly sign the token
Before sending the token, you must always sign it after choosing an acceptable algorithm. The encoded header, encoded payload, a secret, and the algorithm provided in the header are required to establish a JWT signature.
3. Utilize time-based claims.
Since JWT tokens cannot be invalidated, it is essential to provide a proper life duration for them. An ID or access token, for example, cannot be revoked because they are not connected to any particular session.
4. Determine the Issuer and the Audience
Another wise move is to specify the issuer and the recipients in JWTs. Token handling will be much simpler for the recipients if you use “iss” and “aud” claims for this.
5. Avoid using JWTs as session tokens
Since JWT for session validation avoids the need for database lookups, employing JWT for session tokens may initially seem like a wise choice. But in practice, JWT is a poor option for managing sessions.
JSonWeb Tokens is a trusted and simple method for two parties to exchange private information. However, you should be aware that employing the finest techniques and procedures designed for JWTs can help you maximize your security.
Conclusion
The open-source “jsonwebtoken” (JWT) library includes a high-severity security issue that, if exploited, might result in remote code execution on a target server. According to a study released on Monday by Palo Alto Networks Unit 42 researcher Artur Oleyarsh, “by exploiting this vulnerability, attackers might accomplish remote code execution (RCE) on a server confirming a maliciously constructed JSON web token (JWT) request.”
