oss-sec mailing list archives
[no-cve] Nim - Insecure SSL/TLS Defaults, MitM, and nimble shell command injection
From: Martin Ortner <martin.ortner () consensys net>
Date: Fri, 5 Feb 2021 10:42:28 +0100
title: "Nim - Insecure SSL/TLS Defaults, MitM, and nimble shell command injection" date: 2021-02-04T14:13:23+01:00 cve: vendor: nim-lang vendorUrl: https://nim-lang.org/ authors: tintinweb affectedVersions: [ "<= 1.2.6", "nimble <=v0.12.0"] vulnClass: CWE-295, CWE-78, CWE-348 Vulnerability Note: https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/ Vulnerability Note: https://github.com/tintinweb/pub/ Group: https://consensys.net/diligence/research/ # Vulnerability Note ## Summary We found a couple of critical security issues in the defaults for one of the standard-lib components that allows peer-impersonation (MitM) on secure transports. This also affects the languages package manager. Additionally, the package manager is vulnerable to shell command injection when fetching remote repositories before installing packages: * 2.1 - `httpClient` does no validate peer certificates by default (appears to be fixed in 1.4.x) * 2.2 - the package manager `nimble` relies on the insecure `httpClient` defaults (unfixed; latest 0.12.0 has not been re-compiled with a fixed nim-c) * 2.3 - `nimble` falls back to insecure transports if `https` is blocked (unfixed) * 2.4 - `nimble` shell command injection when fetching a package for installation (unfixed) **TLDR;** The Nim (`at least <=1.2.6`) `httpClient` default SSL/TLS configuration does not enforce peer certificate verification by default. Non-secure settings should not be the default as this might unexpectedly expose other projects to security risks. If you're using `nimble <= 0.12.0` anyone can block your TLS session and it will fall back to an insecure transport. Because of the insecure `httpClient` defaults, one can also just intercept your TLS session as the peer verification is too lax. Additionally, nimble appears to be vulnerable to a direct shell command injection when installing a package (but one can as well just provide a malicious package). ## Details see https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/ ## Proof of Concept see https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/ ### Timeline ``` JUL/09/2020 - contact nim developers @telegram; provided details, PoC FEB/04/2021 - deadline met. full disclosure. ```
Current thread:
- [no-cve] Nim - Insecure SSL/TLS Defaults, MitM, and nimble shell command injection Martin Ortner (Feb 05)