
Docker Security scan (week 43) #1084

Closed
teddytpc1 opened this issue Oct 25, 2023 · 10 comments
Assignees
Labels
level/task Subtask issue reporter/community Issue reported by the community request/operational Operational requests type/maintenance

Comments

teddytpc1 (Member)

Description

The vulnerabilities list for Wazuh Docker images must be updated.

@teddytpc1 teddytpc1 added type/maintenance level/task Subtask issue request/operational Operational requests labels Oct 25, 2023
@vcerenu vcerenu self-assigned this Oct 26, 2023
gecube commented Oct 26, 2023

Hi guys! It is not enough to use the Docker Hub security check, as well as trivy and other solutions. I found so-called protestware in the official Wazuh docker image:

docker run --rm -it --entrypoint /bin/bash docker.io/wazuh/wazuh-dashboard@sha256:73cd153b2d533c4b7c4a52bb6411a8bbd03eaeb95f692da61e6953e4555c1526

and then

wazuh-dashboard@3e16c3935b77:~$ cat /usr/share/wazuh-dashboard/plugins/wazuh/node_modules/es5-ext/_postinstall.js
#!/usr/bin/env node

// Broadcasts "Call for peace" message when package is installed in Russia, otherwise no-op

"use strict";

try {
	if (
		[
			"Asia/Anadyr", "Asia/Barnaul", "Asia/Chita", "Asia/Irkutsk", "Asia/Kamchatka",
			"Asia/Khandyga", "Asia/Krasnoyarsk", "Asia/Magadan", "Asia/Novokuznetsk",
			"Asia/Novosibirsk", "Asia/Omsk", "Asia/Sakhalin", "Asia/Srednekolymsk", "Asia/Tomsk",
			"Asia/Ust-Nera", "Asia/Vladivostok", "Asia/Yakutsk", "Asia/Yekaterinburg",
			"Europe/Astrakhan", "Europe/Kaliningrad", "Europe/Kirov", "Europe/Moscow",
			"Europe/Samara", "Europe/Saratov", "Europe/Simferopol", "Europe/Ulyanovsk",
			"Europe/Volgograd", "W-SU"
		].indexOf(new Intl.DateTimeFormat().resolvedOptions().timeZone) === -1
	) {
		return;
	}

	var bold = function (msg) { return "\x1b[97m\x1b[1m" + msg + "\x1b[22m\x1b[37m"; };

	var flags = function () {
		return (
			"🇷🇺  🇺🇦  🇷🇺  🇺🇦  🇷🇺  🇺🇦  🇷🇺  🇺🇦  🇷🇺  🇺🇦  🇷🇺  🇺🇦  🇷🇺  🇺🇦  🇷🇺  🇺🇦  🇷🇺  🇺🇦  🇷🇺  🇺🇦" +
			"  🇷🇺  🇺🇦  🇷🇺  🇺🇦  🇷🇺  🇺🇦"
		);
	};

	process._rawDebug(
		[
			"", flags(), "",
			"\x1b[37m24 февраля " +
				bold("Россия напала на Украину") +
				", что уже стало причиной " +
				bold("15000+ жертв среди российских военных") +
				" и примерно " +
				bold("10000+ - среди украинских") +
				", а также " +
				bold("5000+ убитых граждан, в том числе 300+ детей") +
				".",
			"",
			"Народ Украины всеобще мобилизован и готов защищать свою страну от вражеского" +
				" вторжения. " +
				bold(
					"91% украинцев полностью поддерживает своего президента Владимира Зеленского"
				) +
				" и его ответные действия на нападение России.",
			"",
			"Весь мир осудил необоснованное вторжение и решил ввести " +
				bold("невиданные ранее санкции против России") +
				". С каждым новым днем они будут ощущаться все сильнее и сильнее среди мирных" +
				" граждан.",
			"",
			"В то же время, " +
				bold("российское правительство ограничивает доступ граждан к внешней информации") +
				", насаждая однобокие формулировки и версии происходящего.",
			"", "В качестве надежного источника информации загрузите безопасный браузер Tor:", "",
			bold(
				"https://forum.torproject.net/t/tor-blocked-in-russia-how-to-circumvent-censorship/982"
			),
			"", "И посетите:", "",
			bold(
				"https://www.bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6aucdccrad.onion/russian"
			),
			bold("https://www.dwnewsgngmhlplxy6o2twtfgjnrnjxbegbwqx6wnotdhkzt562tszfid.onion/ru/"),
			"", flags(), ""
		].join("\n")
	);
} catch (error) {
	// ignore
}

I am very disappointed and very nervous that a security solution is equipped with such random code from the internet. Also, could you give some ideas on this topic?

gecube commented Oct 26, 2023

The same issue with:

  • wazuh/wazuh-dashboard:4.5.4

But wazuh/wazuh-dashboard:4.6.0-rc2 looks like a "clean" one

@gdiazlo gdiazlo self-assigned this Nov 3, 2023
Desvelao (Member) commented Nov 3, 2023

Hi, I was reviewing this and I found the es5-ext dependency is under the dependency tree of pdfmake, which is a direct dependency of the Wazuh plugin.

I checked the latest released tag v4.6.0-2.8.0 from wazuh-dashboard-plugins repository:

node@osd:~/kbn/plugins/wazuh$ yarn why es5-ext
yarn why v1.22.19
warning Skipping preferred cache folder "/home/node/.cache/yarn" because it is not writable.
warning Selected the next writable cache folder in the list, will be "/tmp/.yarn-cache-1000".
[1/4] Why do we have the module "es5-ext"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "es5-ext@0.10.62"
info Reasons this module exists
   - "pdfmake#@foliojs-fork#linebreak#brfs#static-module#scope-analyzer#es6-set" depends on it
   - Hoisted from "pdfmake#@foliojs-fork#linebreak#brfs#static-module#scope-analyzer#es6-set#es5-ext"
   - Hoisted from "pdfmake#@foliojs-fork#linebreak#brfs#static-module#scope-analyzer#es6-map#es5-ext"
   - Hoisted from "pdfmake#@foliojs-fork#linebreak#brfs#static-module#scope-analyzer#es6-map#es6-iterator#es5-ext"
   - Hoisted from "pdfmake#@foliojs-fork#linebreak#brfs#static-module#scope-analyzer#es6-map#d#es5-ext"
   - Hoisted from "pdfmake#@foliojs-fork#linebreak#brfs#static-module#scope-analyzer#es6-set#event-emitter#es5-ext"
info Disk size without dependencies: "2.21MB"
info Disk size with unique dependencies: "2.48MB"
info Disk size with transitive dependencies: "6.38MB"
info Number of shared dependencies: 5

package.json of the Wazuh plugin: https://github.com/wazuh/wazuh-dashboard-plugins/blob/v4.6.0-2.8.0/plugins/main/package.json. There, pdfmake is required at version 0.2.7.

For this plugin version (v4.6.0-2.8.0), the installed version of es5-ext package is 0.10.62.

On the other hand, I checked the latest wazuh-dashboard Docker image 4.6.0, and it contains the reference mentioned in #1084 (comment)

gecube commented Nov 5, 2023

@Desvelao Hi! Thanks for the assistance! So is it correct to say that wazuh/wazuh-dashboard:4.6.0 is vulnerable?

gecube commented Nov 5, 2023

I checked, and the answer is "yes". What a pity :-(

Desvelao (Member) commented Nov 6, 2023

Hi @gecube, according to my findings in medikoo/es5-ext#197, it seems the message only appears when installing the es5-ext dependency in a specific timezone. This means it affects development, not production. The inclusion of a post-install script could cause the package to be flagged as risky in some security tools.

The related GitHub repository has more issues about the mentioned message if you want to know more about this topic: https://github.com/medikoo/es5-ext/issues?page=1&q=is%3Aissue+is%3Aclosed.

As I said in my previous message, from my research the Wazuh dashboard 4.6.0 Docker image seems to contain the post-install script of es5-ext dependency. That message should not appear in production.

Thank you very much for letting us know about this.

gecube commented Nov 6, 2023

@Desvelao Hi! I understand that this message is kind of dead code that would not run in production. But it is present in the target artifact, i.e. the docker image, which effectively means there is a way it could be executed. OK, I believe it would never be invoked, but it would be difficult to explain this fact to different security officers, so in my opinion the best option is to ask the Wazuh team to provide a cleaned-up version of the artifact and to improve threat detection during the build process.
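One build-time check that addresses the request above, added here as an example and not Wazuh's own tooling: inventory every package in a built image's node_modules that declares an install-time lifecycle hook (the mechanism es5-ext's _postinstall.js relies on) and flag scripts that branch on the host time zone. The function names `scan_node_modules` and `build_sample_tree` and the sample package contents are constructed for this example and modelled on the file shown in the issue.

```python
# Added example (not Wazuh code): report npm packages with install-time hooks.
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Heuristic for geo-gated behaviour: the script branches on the host time zone.
TZ_GATE = re.compile(r"resolvedOptions\(\)\.timeZone")

def _has_timezone_gate(pkg_dir, filenames):
    for name in filenames:
        if name.endswith(".js"):
            with open(os.path.join(pkg_dir, name), encoding="utf-8", errors="ignore") as f:
                if TZ_GATE.search(f.read()):
                    return True
    return False

def scan_node_modules(root):
    """Return (package, hook, command, tz_gated) for each package under root
    whose package.json declares an install-time lifecycle script."""
    findings = []
    for pkg_dir, _dirs, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if scripts.get(hook):
                gated = _has_timezone_gate(pkg_dir, filenames)
                findings.append((manifest.get("name", pkg_dir), hook, scripts[hook], gated))
    return findings

def build_sample_tree():
    """Constructed sample (hypothetical contents modelled on the issue): one
    package with a time-zone-gated postinstall hook and one clean package."""
    root = tempfile.mkdtemp()
    gate = 'if (["Europe/Moscow"].indexOf(new Intl.DateTimeFormat().resolvedOptions().timeZone) === -1) return;'
    for name, scripts, js in (("es5-ext", {"postinstall": "node _postinstall.js"}, gate),
                              ("left-pad", {"test": "node test.js"}, "module.exports = 1;")):
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "package.json"), "w", encoding="utf-8") as f:
            json.dump({"name": name, "scripts": scripts}, f)
        with open(os.path.join(root, name, "_postinstall.js"), "w", encoding="utf-8") as f:
            f.write(js)
    return root
```

Run it against the extracted image filesystem (for example the `/usr/share/wazuh-dashboard/plugins/wazuh/node_modules` path from the report) to get the list of hook-bearing packages to review before the image is published.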

@pyToshka

Hi, below are the results for the docker image wazuh/wazuh-dashboard:4.6.0

Cerberus Vulnerability Scan Results (Node.js), node: cerberus-a2446f64-00db-bf58-cdc8-3f72e9d0ae9b

| title | vuln_id | severity | cvss_score | library | vuln_version | fixed_version |
| --- | --- | --- | --- | --- | --- | --- |
| arbitrary code execution | CVE-2023-45133 | CRITICAL | 8.8 | @babel/traverse | 7.17.3 | 7.23.2, 8.0.0-alpha.4 |
| arbitrary code execution | CVE-2023-45133 | CRITICAL | 8.8 | @babel/traverse | 7.21.2 | 7.23.2, 8.0.0-alpha.4 |
| PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard | CVE-2023-46233 | CRITICAL | 9.1 | crypto-js | 4.1.1 | 4.2.0 |

@pyToshka

Results for the docker image wazuh/wazuh-indexer:4.6.0

Cerberus Vulnerability Scan Results, node: cerberus-a2446f64-00db-bf58-cdc8-3f72e9d0ae9b

| title | vuln_id | severity | cvss_score | library | vulnerable_version | fixed_version |
| --- | --- | --- | --- | --- | --- | --- |
| Reachable Assertion | CVE-2023-1428 | HIGH | 7.5 | io.grpc:grpc-protobuf | 1.52.1 | 1.53.0 |
| sensitive information disclosure | CVE-2023-32731 | HIGH | 7.5 | io.grpc:grpc-protobuf | 1.52.1 | 1.53.0 |
| io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack | GHSA-xpw8-rcwv-8f8p | HIGH | | io.netty:netty-codec-http2 | 4.1.91.Final | 4.1.100.Final |
| io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack | GHSA-xpw8-rcwv-8f8p | HIGH | | io.netty:netty-codec-http2 | 4.1.91.Final | 4.1.100.Final |
| JSON-java: parser confusion leads to OOM | CVE-2023-5072 | HIGH | 7.5 | org.json:json | 20230227 | 20231013 |
| JSON-java: parser confusion leads to OOM | CVE-2023-5072 | HIGH | 7.5 | org.json:json | 20230227 | 20231013 |
| JSON-java: parser confusion leads to OOM | CVE-2023-5072 | HIGH | 7.5 | org.json:json | 20230227 | 20231013 |
| Unchecked chunk length leads to DoS | CVE-2023-34455 | HIGH | 7.5 | org.xerial.snappy:snappy-java | 1.1.8.4 | 1.1.10.1 |
| Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact | CVE-2023-43642 | HIGH | 7.5 | org.xerial.snappy:snappy-java | 1.1.8.4 | 1.1.10.4 |

gdiazlo (Member) commented Nov 17, 2023

@gecube the protestware file will probably disappear in Wazuh 4.9.0. This file is a transitive dependency. The component which uses it will be removed.

@pyToshka we also use automated scanners on our artifacts. We're aware of the vulnerabilities you reported. I've compiled the relevant information in the same tables you posted.

Because we use a fork of opensearch to implement the indexer and dashboard, we do not publish those vulnerabilities as our own; instead, we work with opensearch to fix them for the whole community.

Of course, there can be vulnerabilities in our code. Take a look at our SECURITY.md documentation to learn how to report them, and how Wazuh will manage them.

Dashboard

| title | vuln_id | severity | cvss_score | library | vuln_version | fixed_version | issue | Wazuh |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| arbitrary code execution | CVE-2023-45133 | CRITICAL | 8.8 | @babel/traverse | 7.17.3 | 7.23.2, 8.0.0-alpha.4 | opensearch-project/OpenSearch-Dashboards#5303 | Fix planned for Wazuh 4.9.0 |
| arbitrary code execution | CVE-2023-45133 | CRITICAL | 8.8 | @babel/traverse | 7.21.2 | 7.23.2, 8.0.0-alpha.4 | opensearch-project/OpenSearch-Dashboards#5303 | Fix planned for Wazuh 4.9.0 |
| PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard | CVE-2023-46233 | CRITICAL | 9.1 | crypto-js | 4.1.1 | 4.2.0 | wazuh/wazuh-dashboard-plugins#6063 | Fix planned for Wazuh 4.8.0 |

Indexer

| title | vuln_id | severity | cvss_score | library | vulnerable_version | fixed_version | issue | Wazuh |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Reachable Assertion | CVE-2023-1428 | HIGH | 7.5 | io.grpc:grpc-protobuf | 1.52.1 | 1.53.0 | - | This is for the C++ version. Indexer uses the Java implementation. The Java implementation will also be updated in next releases in upstream. |
| sensitive information disclosure | CVE-2023-32731 | HIGH | 7.5 | io.grpc:grpc-protobuf | 1.52.1 | 1.53.0 | - | This is affected in HTTP/2 scenarios, not used in indexer. Update is planned for next releases in upstream. |
| io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack | GHSA-xpw8-rcwv-8f8p | HIGH | | io.netty:netty-codec-http2 | 4.1.91.Final | 4.1.100.Final | - | This is affected in HTTP/2 scenarios, not used in indexer. Update is planned for next releases in upstream. |
| io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack | GHSA-xpw8-rcwv-8f8p | HIGH | | io.netty:netty-codec-http2 | 4.1.91.Final | 4.1.100.Final | - | This is affected in HTTP/2 scenarios, not used in indexer. Update is planned for next releases in upstream. |
| JSON-java: parser confusion leads to OOM | CVE-2023-5072 | HIGH | 7.5 | org.json:json | 20230227 | 20231013 | opensearch-project/sql#2303 | Fix planned for Wazuh 4.9 |
| JSON-java: parser confusion leads to OOM | CVE-2023-5072 | HIGH | 7.5 | org.json:json | 20230227 | 20231013 | opensearch-project/sql#2303 | Fix planned for Wazuh 4.9 |
| JSON-java: parser confusion leads to OOM | CVE-2023-5072 | HIGH | 7.5 | org.json:json | 20230227 | 20231013 | opensearch-project/sql#2303 | Fix planned for Wazuh 4.9 |
| Unchecked chunk length leads to DoS | CVE-2023-34455 | HIGH | 7.5 | org.xerial.snappy:snappy-java | 1.1.8.4 | 1.1.10.1 | opensearch-project/security#2884 | Fix appeared in Wazuh 4.6.0 |
| Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact | CVE-2023-43642 | HIGH | 7.5 | org.xerial.snappy:snappy-java | 1.1.8.4 | 1.1.10.4 | opensearch-project/security#3438 | Fix planned for Wazuh 4.9 |

I'll close this issue as there will be no fixes associated with it. To follow the discussion, I propose moving this to any of our community channels.

@gdiazlo gdiazlo closed this as completed Nov 17, 2023
@gdiazlo gdiazlo added the reporter/community Issue reported by the community label Nov 17, 2023