CVE-2024-21574 - Critical Remote Code Execution Vulnerability in CustomNode Extension due to Missing Validation of Pip Field in POST Request

A critical vulnerability, identified as CVE-2024-21574, has been discovered in a widely used CustomNode extension. The vulnerability stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint. The endpoint is used to install custom nodes and is added to the server by the extension. This missing validation allows an attacker to craft a request that triggers a pip install on a user-controlled package or URL, resulting in remote code execution (RCE) on the server.

In this long read, we will examine the details of the vulnerability, showcase a code snippet that demonstrates the issue, and provide links to the original references. We will also discuss how the vulnerability can be exploited and the steps developers and sysadmins can take to mitigate its impact.

Understanding the Vulnerability

The /customnode/install endpoint is meant to facilitate the installation of custom nodes in the system. However, it does not properly validate the pip field in the POST request. An attacker can create a malicious package or URL and send a POST request containing it as the value of the pip field. Because the value is handed straight to pip, the server fetches and installs whatever was specified, and the package's install-time code runs with the server's privileges, resulting in full RCE.

Here's a simplified code snippet demonstrating the issue:

# This is a sample code snippet that demonstrates the vulnerable endpoint
# (Flask-style handler; imports added so the snippet is complete)
import os
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route("/customnode/install", methods=["POST"])
def install_custom_node():
    pip_package = request.form.get("pip")  # Missing validation of the pip field: any string is accepted
    os.system("pip install " + pip_package)  # Concatenated into a shell command, so whatever was supplied gets installed
    return jsonify({"message": "Custom node installed successfully"})

As illustrated in the snippet, the install_custom_node function takes the value of the pip field directly from the POST request and passes it to the pip install command. Because the value is never validated, an attacker can make the server install an arbitrary package, which leads to RCE.

References

1. CVE-2024-21574: Official Details On Vulnerability Database (NIST.gov)
2. Example of Exploiting CVE-2024-21574 (SecurityResearcherBlog.com)

To exploit this vulnerability, an attacker may perform the following steps:

1. Create a malicious package or obtain an existing one that contains arbitrary code for execution on the server.
2. Craft a POST request to the /customnode/install endpoint, including the malicious package or URL in the pip field.

If the server processes the request, the malicious code will be executed, resulting in RCE.

Note: The exploitation process may vary depending on the specific software environment and other factors.

Mitigation

1. Apply available security patches or updates that address this specific issue.

2. Disable or limit access to the /customnode/install endpoint if it is not necessary for system functionality.
3. Implement robust input validation for the pip field and other user-supplied fields in the POST request.
4. Configure system firewalls and security settings to monitor and block suspicious requests to the vulnerable endpoint.
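The following is an added example of the input validation recommended in step 3, not code from the CustomNode extension itself. It assumes a constructed package allowlist and a framework-agnostic handler stand-in (install_custom_node taking a plain dict); the pip value is checked against a strict package-name grammar and the allowlist before it ever reaches pip, and pip is invoked with an argument list instead of a shell string.

```python
import re
import subprocess
import sys

# PEP 508 project name, optionally followed by an exact version pin ("name==1.2.3").
# URLs, local paths, options such as "-r" or "--index-url", and shell metacharacters
# all fail this pattern, and the leading character can never be "-".
_REQUIREMENT_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:==(?P<version>[A-Za-z0-9][A-Za-z0-9.!+_-]*))?$"
)

# Constructed allowlist (an assumption): packages custom nodes may pull in here.
ALLOWED_PACKAGES = frozenset({"numpy", "pillow", "opencv-python-headless"})


def normalize_name(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def validate_pip_field(value) -> str:
    """Return a canonical requirement string, or raise ValueError on anything else."""
    if not isinstance(value, str) or not 0 < len(value) <= 100:
        raise ValueError("pip field missing or too long")
    m = _REQUIREMENT_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError("pip field must be a bare package name, optionally ==version")
    name = normalize_name(m.group("name"))
    if name not in ALLOWED_PACKAGES:
        raise ValueError(f"package {name!r} is not on the allowlist")
    version = m.group("version")
    return f"{name}=={version}" if version else name


def build_pip_command(value) -> list:
    """argv for subprocess.run: the validated requirement is one argument and is
    never interpolated into a shell string, unlike os.system("pip install " + x)."""
    return [sys.executable, "-m", "pip", "install", "--no-input", validate_pip_field(value)]


def install_custom_node(form: dict) -> tuple:
    """Framework-agnostic stand-in for the handler: returns (HTTP status, JSON body)."""
    try:
        cmd = build_pip_command(form.get("pip"))
    except ValueError as exc:
        return 400, {"error": str(exc)}
    subprocess.run(cmd, check=True, timeout=600)  # no shell=True, no string concatenation
    return 200, {"message": "Custom node installed successfully"}
```

Rejected requests return 400 before any subprocess is started, so a log of those responses also gives defenders a cheap detection signal for probing of this endpoint.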

Conclusion

In summary, CVE-2024-21574 is a critical remote code execution vulnerability that results from a missing validation of the pip field in a POST request sent to the CustomNode extension's /customnode/install endpoint. Exploiting this vulnerability could potentially grant attackers full control over the server. To mitigate the risks associated with this issue, it is crucial to apply security patches, limit access to the vulnerable endpoint, and implement proper input validation for user-supplied fields.

Timeline

Published on: 12/12/2024 09:15:06 UTC