#nodejs

Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure.

### Impact Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. ### Patches Users should upgrade to `2.0.0` ### Workarounds None ### References - https://github.com/expressjs/multer/pull/1120 - https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665

### Impact A maliciously modified message can be passed to either `openpgp.verify` or `openpgp.decrypt`, causing these functions to return a valid signature verification result while returning data that was not actually signed. This flaw allows signature verifications of inline (non-detached) signed messages (using `openpgp.verify`) and signed-and-encrypted messages (using `openpgp.decrypt` with `verificationKeys`) to be spoofed, since both functions return extracted data that may not match the data that was originally signed. Detached signature verifications are not affected, as no signed data is returned in that case. In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker's choice, which will appear as legitimately signed by affected versions of OpenPGP.js. In other w...

The ABB Cylon FLXeon BACnet controller's /api/uukl.js module implements password verification and update mechanisms using the insecure MD5 hash function alongside weak salt generation via Math.random(). This constitutes a cryptographic vulnerability where password hashes are susceptible to collision and brute-force attacks due to MD5's known weaknesses and the low entropy of the salt. Specifically, in the verify() and change() functions, passwords are hashed using MD5 with predictable, non-cryptographically secure salts, then stored in plaintext-accessible files. This undermines the integrity of the authentication process, enabling attackers with file system access or knowledge of the implementation to precompute hash values or mount dictionary attacks.

The ABB Cylon FLXeon BACnet controller suffers from a configuration poisoning vulnerability in the put() function of bbmdList.js, where the writeFile() function is invoked to persist user-controlled data (req.body.bipList and req.body.natList) directly into sensitive configuration files (/etc/bdt.txt and /etc/bdt2.txt). This write operation lacks input validation and integrity checks allowing an attacker to supply crafted JSON payloads to inject or overwrite trusted BACnet BBMD entries. As these files are critical for network configuration, exploitation may result in unauthorized network redirection, denial of service, or insertion of rogue nodes into the system, thereby undermining the integrity and security of OT network communications.

The ABB Cylon FLXeon BACnet controller is vulnerable to a path traversal flaw in its capture.js endpoint due to unsanitized user input being directly concatenated into a filesystem path. An attacker can exploit this by supplying crafted file names to access arbitrary files outside the intended var/ directory. Additionally, the use of Fs.unlinkSync() after serving the file introduces a destructive impact, allowing attackers to delete system or application files.

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated file traversal via the /api/siteGuide endpoint. An attacker with valid credentials can manipulate the filename parameter to move and access or overwrite arbitrary files. The issue arises due to improper input validation in siteGuide.js, where user-supplied data is not properly sanitized, allowing directory traversal attacks.

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/siteGuide endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the filename and/or originalname parameters. The issue arises due to improper input validation in siteGuide.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.

In this week’s newsletter, Thor inspects the LockBit leak, finding $10,000 “security tips,” ransom negotiations gone wrong and a rare glimpse into the human side of cybercrime.