A critical security vulnerability has been discovered in the widely-used Node.js package “systeminformation,” potentially exposing millions of systems to remote code execution (RCE) attacks.
The flaw, identified as CVE-2024-56334, affects versions up to and including 5.23.6 of the package, which has over 8 million monthly downloads and a staggering 330 million total downloads.
The vulnerability stems from a command injection flaw within the getWindowsIEEE8021x function, which retrieves network SSID information.
This function fails to properly sanitize the SSID before passing it as a parameter to cmd.exe. As a result, an attacker could embed malicious commands within the SSID of a Wi-Fi network, which would then be executed on a vulnerable system when the getWindowsIEEE8021x function is called.
Depending on how the package is used, this vulnerability could enable attackers to perform remote code execution or local privilege escalation. Exploitation appears to be relatively straightforward, requiring only local access to carry out the attack.
A proof of concept (PoC) demonstrates two potential attack scenarios:
- Running a ping command indefinitely by setting the SSID to:
a" | ping /t 127.0.0.1 &
- Executing an arbitrary executable with elevated privileges by setting the SSID to:
a" | %SystemDrive%aa.exe &
Once connected to a maliciously crafted Wi-Fi network, simply calling the vulnerable function (e.g., si.networkInterfaces()) would trigger the execution of the embedded command.
The maintainers of “systeminformation” have addressed this issue in version 5.23.7. All users of this package are strongly urged to update to the latest version immediately.
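To confirm that a project no longer resolves an affected release, the following added example (not code from the article or from the systeminformation project) scans a parsed package-lock.json for every installed copy of the package, including nested transitive copies, and flags versions below 5.23.7. The lockfile contents and the dependency names in it are constructed for illustration, and the code assumes lockfileVersion 2 or 3, which carry a "packages" map.

```javascript
// Added example, not from the systeminformation project.
// Fixed version taken from the article: <= 5.23.6 affected, 5.23.7 fixed.
const PACKAGE = 'systeminformation';
const FIXED = '5.23.7';

// Parse "major.minor.patch" into three numbers; returns null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a is strictly lower than b (numeric, so 5.9.0 < 5.23.7).
function isLower(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the lockfile "packages" map and report every installed copy.
function auditLockfile(lock) {
  const fixed = parseVersion(FIXED);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/systeminformation".
    if (!path.endsWith('node_modules/' + PACKAGE)) continue;
    const parsed = parseVersion(entry.version);
    const pre = String(entry.version).includes('-');
    // Conservative: unparseable versions and pre-releases of the fixed
    // version are flagged so that a person reviews them.
    const vulnerable = parsed === null || isLower(parsed, fixed) ||
      (pre && !isLower(fixed, parsed));
    findings.push({ path, version: entry.version, vulnerable });
  }
  return findings;
}

// Constructed sample lockfile; "hypothetical-monitor" is not a real dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/systeminformation': { version: '5.23.7' },
    'node_modules/hypothetical-monitor/node_modules/systeminformation': { version: '5.23.6' },
    'node_modules/hypothetical-other-dep': { version: '2.0.0' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok'}  ${f.version}  ${f.path}`);
}
```

A top-level upgrade alone does not clear the nested copy in the sample; the dependency that pins the older release has to be updated or overridden as well.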
For developers unable to upgrade, a workaround involves manually sanitizing parameters passed to specific functions, including si.inetLatency(), si.inetChecksite(), si.services(), and si.processLoad().
This vulnerability highlights the ongoing security challenges in the npm ecosystem and the potential risks associated with widely-used packages. It serves as a reminder for developers to:
- Regularly update dependencies and monitor security advisories
- Implement proper input sanitization, especially when dealing with system-level commands
- Conduct thorough security audits of third-party packages used in their projects
The discovery of CVE-2024-56334 in the “systeminformation” package underscores the critical importance of maintaining vigilance in software security, particularly for widely adopted open-source libraries.
As the Node.js ecosystem continues to grow, it’s crucial for both developers and organizations to prioritize security practices and stay informed about potential vulnerabilities that could impact their systems.