Parse Server has been updated to address a prototype pollution vulnerability that could result in remote code execution (RCE).
According to a GitHub security advisory posted on November 8, an attacker could potentially trigger RCE by utilizing the flaw (CVE-2022-39396) in the MongoDB BSON [Binary JSON] parser.
Push notification support for iOS, macOS, Android, and tvOS is provided by the well-known Node.js API server module Parse Server.
We know the bug is similar to another prototype pollution-to-RCE issue they disclosed earlier in the year, even though the security researchers involved are withholding technical details to give developers time to apply patches. The vulnerability, which became public in March 2022, had the highest severity rating of CVSS 10, the most serious.
Mikhail Shcherbakov, a researcher from the KTH Royal Institute of Technology in Stockholm, told The Daily Swig, “I can confirm that both vulnerabilities have the highest impact because they affect the default configuration of Parse Server and allow an attacker to control the system remotely without any authentication.” So, if you have Parse Server, my advice is to patch it as soon as possible.
Versions 4.10.18 and 5.3.1 of the NPM parse-server package have the bug fixed.
The changes stop the MongoDB database adapter’s prototype pollution. Users can safeguard themselves in the interim by disabling RCE through the MongoDB BSON parser if updates cannot be applied right away.
A study project by Shcherbakov, Musard Balliu, a KTH colleague, and Cristian-Alexandru Staicu from the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany led to the discovery of the issue.
The three looked into the potential for RCE attacks to result from prototype pollution flaws in Node.js systems.
According to Shcherbakov, “identification of prototype pollution is a tough task. But while still feasible, the exploitation that shows a high effect of vulnerabilities is more challenging in practice.
The researchers’ findings, also include Rocket.Chat and NPM CLI for Node.js, are included in a white paper (PDF). They have an oral presentation of their research scheduled for USENIX Security ’23.
In order to find “end-to-end exploits beyond DoS in full-fledged Node.js applications,” the researchers set out to develop “the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detecting universal gadgets”.
The Trend Micro Zero Day Initiative (ZDI) blog will eventually post technical information about the Parse Server RCE.
Also, read Discord Desktop – Remote Code Execution
Other important security flaws in Parse Server fixed this year include a high-severity authentication bypass affecting Apple Game Center and a problem that allowed for brute-force guessing of sensitive user data.