Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2021-22884 |
CWE-ID | CWE-350 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | nodejs-current (Alpine package): Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU50955
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22884
CWE-ID: CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a DNS rebinding attack.
The vulnerability exists because the application's whitelist includes the “localhost6” name. When “localhost6” is not present in /etc/hosts, it is treated as an ordinary domain that is resolved via DNS, i.e., over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain.
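The allowlist weakness described above, shown as an added example that is not Node.js source code or part of the original bulletin: a simplified Host-header check with “localhost6” allowed, beside a variant that drops the name. The function names, sample headers and the `rebind.example` domain are constructed for illustration.

```javascript
// Added example: a simplified Host-header allowlist, not Node.js source code.
// Allowed-name lists and sample headers below are constructed for illustration.

// Extract the hostname from a Host header value ("name", "name:port", "[v6]:port").
function hostnameFromHostHeader(header) {
  const value = String(header).trim();
  // Reject anything outside host[:port] syntax before handing it to the URL parser.
  if (!/^[A-Za-z0-9.\-:\[\]]+$/.test(value)) return null;
  try {
    return new URL('http://' + value + '/').hostname.toLowerCase();
  } catch {
    return null; // empty host, bad port, unbalanced brackets, ...
  }
}

// A Host header carrying an IP literal means the client addressed the IP
// directly, so there is no DNS name whose answer could be swapped.
function isIpLiteral(hostname) {
  return hostname.startsWith('[') || /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
}

function makeHostCheck(allowedNames) {
  const names = new Set(allowedNames.map((n) => n.toLowerCase()));
  return function isAllowedHost(header) {
    const hostname = hostnameFromHostHeader(header);
    if (!hostname) return false;
    return isIpLiteral(hostname) || names.has(hostname);
  };
}

// Weak: trusts a name that, when absent from /etc/hosts, is resolved over the network.
const weakCheck = makeHostCheck(['localhost', 'localhost6']);
// Hardened: "localhost6" is no longer on the allowlist.
const hardenedCheck = makeHostCheck(['localhost']);

const sampleHosts = ['localhost:9229', '127.0.0.1:9229', '[::1]:9229',
  'localhost6:9229', 'rebind.example:9229'];

// Evaluate each sample header against both checks.
function compare(hosts) {
  return hosts.map((h) => ({ host: h, weak: weakCheck(h), hardened: hardenedCheck(h) }));
}

console.table(compare(sampleHosts));
```

Only the `localhost6:9229` row differs between the two checks; that is the name whose resolution depends on DNS when it is missing from /etc/hosts.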
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
nodejs-current (Alpine package): 11.1.0-r0 - 15.9.0-r0
https://git.alpinelinux.org/aports/commit/?id=7a9647537833ec55d8ea0d947873965e175eda9d
https://git.alpinelinux.org/aports/commit/?id=b7f1df7d1931d59c3500ccfa15fc61c94c8a78f5
https://git.alpinelinux.org/aports/commit/?id=12e2d4bc3143ec726d2977843944b870ec72b671
https://git.alpinelinux.org/aports/commit/?id=8b10ecbd5f5904ce3ac3cdaa08a6e3736516b92b
https://git.alpinelinux.org/aports/commit/?id=5bcf64ec3dbba3e15d08fcd817a7173a8c631cca
https://git.alpinelinux.org/aports/commit/?id=90d22a24cc0fdbe8e7ce05109fbf3bf697f02021
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.