{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/@evomap/evolver--1.70.0-beta.4/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@evomap/evolver (\u003c= 1.70.0-beta.4)"],"_cs_severities":["critical"],"_cs_tags":["rce","sandbox-escape","npm","npx","supply-chain"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA vulnerability exists in the @evomap/evolver package, specifically affecting versions up to 1.70.0-beta.4. The flaw stems from the inclusion of \u003ccode\u003enpm\u003c/code\u003e and \u003ccode\u003enpx\u003c/code\u003e in the validator-mode sandbox executor\u0026rsquo;s allowlist. This oversight permits an attacker who compromises or intercepts communications with the Hub to achieve remote code execution (RCE) on every validator node. The issue arises because the \u003ccode\u003evalidation_commands\u003c/code\u003e strings fetched from the Hub are not subject to signature verification before being passed to the sandbox. The vulnerability has been present since validator mode was enabled by default in v1.69.0. Attackers can exploit this by injecting malicious commands through the Hub, leveraging \u003ccode\u003enpm\u003c/code\u003e and \u003ccode\u003enpx\u003c/code\u003e to execute arbitrary code via lifecycle scripts or remote package execution. This poses a significant risk to the integrity and security of validator nodes within the evolver network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe validator node POSTs a request to the Hub\u0026rsquo;s \u003ccode\u003e/a2a/fetch\u003c/code\u003e endpoint to retrieve \u003ccode\u003evalidation_tasks\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Hub responds with a JSON payload containing a \u003ccode\u003evalidation_tasks\u003c/code\u003e array, including \u003ccode\u003etask.validation_commands\u003c/code\u003e strings, without signature verification.\u003c/li\u003e\n\u003cli\u003eThe validator extracts the \u003ccode\u003etask.validation_commands\u003c/code\u003e array (controlled by the attacker) and passes it to \u003ccode\u003erunInSandbox\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erunInSandbox\u003c/code\u003e processes each command in the array, checking against \u003ccode\u003eALLOWED_EXECUTABLES\u003c/code\u003e which includes \u003ccode\u003enpm\u003c/code\u003e and \u003ccode\u003enpx\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWhen \u003ccode\u003enpm\u003c/code\u003e or \u003ccode\u003enpx\u003c/code\u003e commands are present, they bypass \u003ccode\u003eassertNodeCommandSafe\u003c/code\u003e, which would normally block dangerous Node.js flags.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enpm\u003c/code\u003e command, such as \u003ccode\u003enpm install \u0026lt;malicious_package\u0026gt;\u003c/code\u003e, is executed, triggering the package\u0026rsquo;s \u003ccode\u003epreinstall\u003c/code\u003e, \u003ccode\u003einstall\u003c/code\u003e, and \u003ccode\u003epostinstall\u003c/code\u003e scripts. Alternatively, \u003ccode\u003enpx\u003c/code\u003e can be used to fetch and execute a remote package\u0026rsquo;s \u003ccode\u003ebin\u003c/code\u003e entry.\u003c/li\u003e\n\u003cli\u003eThese scripts execute arbitrary code within the validator process\u0026rsquo;s context, enabling the attacker to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eThe validator continues its normal operations, polling the Hub every 60 seconds, potentially re-triggering the exploit with updated malicious commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to arbitrary code execution as the evolver/validator process UID on every validator node that communicates with a compromised Hub, which occurs by default every 60 seconds. This can result in the exfiltration of sensitive credentials, including HUB_NODE_SECRET and A2A node identity. Furthermore, attackers can achieve persistence by writing to cron jobs, systemd units, or shell RC files and potentially pivot into the host\u0026rsquo;s container or VM. Due to the default-on validator mode since v1.69.0, the vulnerability is wormable across the network, as a single Hub compromise can auto-RCE every node. The compromised Hub can also lead to denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately remove \u003ccode\u003enpm\u003c/code\u003e and \u003ccode\u003enpx\u003c/code\u003e from the \u003ccode\u003eALLOWED_EXECUTABLES\u003c/code\u003e list in \u003ccode\u003esrc/gep/validator/sandboxExecutor.js\u003c/code\u003e as shown in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement signature verification for the Hub\u0026rsquo;s \u003ccode\u003e/a2a/fetch\u003c/code\u003e response to prevent MITM attacks, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect NPM Install from Unusual Processes\u0026rdquo; to identify potential exploitation attempts using \u003ccode\u003enpm install\u003c/code\u003e commands originating from unexpected parent processes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect NPX Execution from Unusual Processes\u0026rdquo; to identify potential exploitation attempts using \u003ccode\u003enpx\u003c/code\u003e commands originating from unexpected parent processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-evomap-rce/","summary":"The validator-mode sandbox executor in @evomap/evolver versions 1.70.0-beta.4 and earlier places `npm` and `npx` in its executable allowlist, allowing arbitrary code execution because validator nodes consume unsigned Hub responses without signature checks, leading to remote code execution on every validator node via lifecycle scripts.","title":"Evomap Evolver Validator RCE via NPM/NPX in Sandbox Allowlist","url":"https://feed.craftedsignal.io/briefs/2024-01-evomap-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — @Evomap/Evolver (\u003c= 1.70.0-Beta.4)","version":"https://jsonfeed.org/version/1.1"}