CVE-2022-31020: Merge pull request from GHSA-r6v9-p59m-gj2p · hyperledger/indy-node@fe50747
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade
request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade
request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure auth_rules
to prevent new DIDs from being written to the ledger until the network can be upgraded.
@@ -1,6 +1,8 @@ import pytest
from operator import itemgetter from indy_common.util import getIndex
from indy_common.util import compose_cmd
def test_getIndex(): items = [('a’, {’key1’: 1}), ('b’, {’key2’: 2})] @@ -12,3 +14,32 @@ def containsKey(key): assert 0 == getIndex(containsKey(‘key1’), items) assert 1 == getIndex(containsKey(‘key2’), items) assert -1 == getIndex(containsKey(‘key3’), items)
@pytest.mark.parametrize( 'pkg_name,package’, [ pytest.param('some_package’, ‘some_package’, id=’some_package’), pytest.param('package_1’, ‘package_1;echo "hi"&&echo "hello"\necho "hello world!"’, id=’strips mixed cmd concat’), pytest.param('package_3’, ‘package_3;echo "hey"’, id=’strips semi-colon cmd concat’), pytest.param('package_4’, ‘package_4&&echo "hey"’, id=’strips and cmd concat’), pytest.param(‘package_5’, ‘package_5\necho "hey"’, id=’strips Cr cmd concat’), ] ) def test_compose_cmd(pkg_name, package): expected_cmd = f’dpkg -s {pkg_name}’
cmd = compose_cmd([‘dpkg’, '-s’, package]) assert expected_cmd == cmd
def test_compose_cmd_allows_whitespace(): pkg_name = ‘package_7 some_other_package’ expected_cmd = f’dpkg -s {pkg_name}’ cmd = compose_cmd(['dpkg’, '-s’, pkg_name]) assert expected_cmd == cmd
def test_compose_cmd_allows_pipe(): expected_cmd = ‘dpkg --get-selections | grep -v deinstall | cut -f1’ cmd = compose_cmd( ['dpkg’, '–get-selections’, '|’, 'grep’, '-v’, 'deinstall’, '|’, ‘cut’, '-f1’] ) assert expected_cmd == cmd
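Review bot: the parametrized cases in `test_compose_cmd` cover `;`, `&&` and a line feed, but not `||`, a carriage return, backticks, `$(...)` or redirection characters, so the test does not pin down the full set of shell control sequences `compose_cmd` is meant to strip; since this test is the only specification of the sanitizer's behaviour, consider adding parameters for those too. The id `strips Cr cmd concat` labels a `\n` (line feed) case; rename it to `strips newline cmd concat` or add a separate `\r` parameter. `test_compose_cmd_allows_whitespace` documents that a single argument may contain spaces, which means the argument is not constrained to one package name; a short comment explaining why that is accepted would help the next reader.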
Related news
### Impact

The `pool-upgrade` request handler in Indy-Node `<=1.12.4` allows an improperly authenticated attacker to remotely execute code on nodes within the network. Network operators are strongly encouraged to upgrade to the latest Indy-Node release `>=1.12.5` as soon as possible.

### Patches

The `pool-upgrade` request handler in Indy-Node `>=1.12.5` has been updated to properly authenticate `pool-upgrade` transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution.

### Mitigations

Network operators are strongly encouraged to upgrade to the latest Indy-Node release `>=1.12.5` as soon as possible.

### Acknowledgements

Thank you to @shakreiner at CyberArk Labs for finding and responsibly disclosing this issue.
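As an added illustration of the sanitization that the description above and the Patches section refer to (example code written for this page, not Indy-Node's own `compose_cmd`): a lenient strip rule that reproduces the argument-level cases the new tests assert, beside a strict validator and an argv-based `dpkg -s` invocation that never hands the value to a shell. The allowed-character sets and all helper names are assumptions.

```python
import re
import shlex
from typing import List

# Lenient set: what the patched tests let through in an argument (lower-case,
# digits, '+', '.', '_', '-' and a space). Assumption for this example; the
# page does not spell out the project's own rule.
STRIP_KEEP = re.compile(r"[a-z0-9+._ -]+")
# Strict set: one package name per argv element, so no whitespace either.
STRICT_NAME = re.compile(r"[a-z0-9+._-]+")


class UnsafePackageName(ValueError):
    """Raised when a package name carries anything a shell could interpret."""


def strip_package_name(package: str) -> str:
    """Truncate at the first disallowed character (';', '&', '\\n', ...).
    Reproduces the cases asserted in the patched tests, e.g.
    'package_3;echo "hey"' -> 'package_3'. Truncation is lenient: it hides
    the tampering instead of reporting it."""
    m = STRIP_KEEP.match(package)
    return m.group(0) if m else ""


def is_safe_package_name(package: str) -> bool:
    """Strict check: reject rather than repair, so a tampered pool-upgrade
    transaction can be logged and dropped instead of silently 'fixed'."""
    return STRICT_NAME.fullmatch(package) is not None


def dpkg_status_argv(package: str) -> List[str]:
    """argv for `dpkg -s <package>`. Passing a list to subprocess (never
    shell=True) means ';', '&&' or a newline in the argument cannot start a
    second command: the whole value is one argv element seen only by dpkg."""
    if not is_safe_package_name(package):
        raise UnsafePackageName(f"rejected package name {package!r}")
    return ["dpkg", "-s", package]


def shell_string_before(package: str) -> str:
    """The risky 'before' pattern: interpolation into a string for `sh -c`."""
    return f"dpkg -s {package}"


def render(argv: List[str]) -> str:
    """Quote argv as a human-readable command line (for logging only)."""
    return shlex.join(argv)
```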