The vulnerability in node-forge's `asn1.derToOid` function stems from using JavaScript's 32-bit bitwise left-shift operator (`<<`) to decode Object Identifier (OID) components (arcs) from ASN.1 DER data. The operator coerces its operand to a signed 32-bit integer, so any arc value wider than 32 bits is silently truncated: an integer overflow with no error raised. An attacker can craft an X.509 certificate containing an OID with an arc value larger than 2^32 - 1. When the decoder processes it, the large value wraps around and the truncated result equals the arc of a trusted, standard OID. The forged certificate therefore decodes to the same OID string as the genuine one and can bypass security checks that rely on OID comparison, such as certificate pinning or policy validation, by impersonating a trusted certificate authority or appearing to carry a privileged extension.
Platform: Node.js
Version: <=1.3.1
Vulnerability: OID Spoofing
Severity: Critical
Date: 2022-03-18
Prediction: Patch 2022-03-25
What Undercode Say:
Check which node-forge version is installed: `npm list node-forge`
Locate call sites of the affected decoder: `grep -r "derToOid" node_modules/`
Minimal call path that reaches the decoder (`maliciousDerBuffer` stands for the DER-encoded OID bytes under test): `const forge = require('node-forge'); const asn1 = forge.asn1; const oid = asn1.derToOid(maliciousDerBuffer);`
How to Exploit:
Craft malicious certificate with oversized OID arc. Encode in ASN.1 DER format. Submit to vulnerable application for parsing. Trigger OID-based security check bypass.
Protection from this CVE
Upgrade node-forge to a release newer than the affected versions (<=1.3.1). Implement certificate pinning. Validate OIDs before processing. Use linters to detect bitwise operators on values that may exceed 32 bits.
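As an added example (not node-forge's own code), here is a simplified DER OID decoder written in the vulnerable `<<` style beside a BigInt-based one, both run on a constructed OID whose last arc is 2^32 + 113549, so the 32-bit decoder wraps it back to the genuine PKCS arc while the hardened decoder reports the real value. The DER byte strings, function names and the overlong-encoding check are my own assumptions, not taken from the advisory.

```javascript
// Simplified reconstruction of the bug described above; not node-forge's own code.
// Constructed inputs: the genuine PKCS OID 1.2.840.113549 and a forged one whose
// last arc is 2^32 + 113549 = 4295080845 (base-128 encoded as 90 80 86 F7 0D).
const TRUSTED_OID = '1.2.840.113549';
const GENUINE_DER = new Uint8Array([0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d]);
const FORGED_DER  = new Uint8Array([0x2a, 0x86, 0x48, 0x90, 0x80, 0x86, 0xf7, 0x0d]);

// The first content octet encodes the first two arcs (assumed to fit in one byte).
function firstArcs(b) {
  const a = b < 40 ? 0 : b < 80 ? 1 : 2;
  return `${a}.${b - 40 * a}`;
}

// Vulnerable style: `<<` coerces its operand to a signed 32-bit integer, so any
// arc above 2^32 - 1 silently wraps and can collide with a small, trusted arc.
function derToOidUnsafe(bytes) {
  let oid = firstArcs(bytes[0]);
  let value = 0;
  for (let i = 1; i < bytes.length; i++) {
    const b = bytes[i];
    value = (value << 7) | (b & 0x7f);      // 32-bit truncation happens here
    if ((b & 0x80) === 0) { oid += '.' + value; value = 0; }
  }
  return oid;
}

// Hardened: accumulate in BigInt (no width limit), reject overlong sub-identifiers
// (a leading 0x80 octet, forbidden by X.690) and reject truncated input.
function derToOidSafe(bytes) {
  let oid = firstArcs(bytes[0]);
  let value = 0n;
  let atStart = true;
  for (let i = 1; i < bytes.length; i++) {
    const b = bytes[i];
    if (atStart && b === 0x80) throw new Error(`overlong sub-identifier at octet ${i}`);
    value = (value << 7n) | BigInt(b & 0x7f);
    atStart = false;
    if ((b & 0x80) === 0) { oid += '.' + value.toString(); value = 0n; atStart = true; }
  }
  if (!atStart) throw new Error('truncated sub-identifier');
  return oid;
}

// Whether a given decoder would accept these DER bytes as the trusted OID.
function matchesTrusted(decoder, der) {
  return decoder(der) === TRUSTED_OID;
}

console.log(derToOidUnsafe(FORGED_DER), matchesTrusted(derToOidUnsafe, FORGED_DER)); // 1.2.840.113549 true
console.log(derToOidSafe(FORGED_DER), matchesTrusted(derToOidSafe, FORGED_DER));     // 1.2.840.4295080845 false
```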
Impact:
Bypass of certificate trust. Integrity compromise. Potential full system access. Affects any application using node-forge for certificate validation.
Sources:
Reported By: github.com