Learn about CVE-2021-37713, a critical security flaw in the npm package "tar" impacting Windows systems. Find out the impact, affected versions, and mitigation steps to protect your systems.
A Node.js package named "tar" (also known as node-tar) prior to versions 4.4.18, 5.0.10, and 6.1.9 was found to have a critical security vulnerability that could lead to arbitrary file creation/overwrite and arbitrary code execution on Windows systems.
Understanding CVE-2021-37713
This CVE highlights a serious issue in the npm package "tar" that affects users on Windows systems. The vulnerability allows malicious actors to potentially create or overwrite files with arbitrary content, leading to severe security risks.
What is CVE-2021-37713?
The npm package "tar" had a flaw in its path sanitization logic when working with tar files on Windows. Specifically, the issue arises when extracting tar files containing a path that is not an absolute path but specifies a different drive letter from the extraction target.
The Impact of CVE-2021-37713
The vulnerability poses a high risk to confidentiality, integrity, and the overall security of systems. Attackers can exploit this flaw to execute arbitrary code or manipulate files, potentially leading to unauthorized access or system compromise.
Technical Details of CVE-2021-37713
The vulnerability is classified as high severity with a CVSS base score of 8.2. It has a local attack vector and low attack complexity, but requires user interaction. The affected versions are node-tar < 4.4.18; >= 5.0.0 and < 5.0.10; and >= 6.0.0 and < 6.1.9.
Vulnerability Description
The issue arises from inadequate path normalization procedures in node-tar on Windows systems, enabling attackers to create or overwrite files in unintended locations.
Affected Systems and Versions
Users of node-tar on Windows systems running versions prior to 4.4.18, 5.0.10, and 6.1.9 are at risk.
Exploitation Mechanism
By crafting tar entries whose paths are not absolute but carry a drive letter different from the extraction target, malicious actors can trick the path resolution logic of node-tar into creating or overwriting files at unintended locations.
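As an added defender-side example (not node-tar's own code), the following Node.js script walks the entry names of a ustar archive before extraction and flags the Windows drive-relative form described above (a drive letter with no separator after the colon), alongside plain absolute and parent-traversal names. The archive bytes and entry names are constructed inline for illustration.

```javascript
// Classify a tar entry name; returns a reason string, or null when the name is safe.
function classifyEntryName(name) {
  const n = name.replace(/\\/g, '/');            // treat backslash like slash, as Windows does
  if (/^[A-Za-z]:/.test(n)) {
    // "C:/x" is an absolute drive path; "C:x" is drive-relative, the CVE-2021-37713 shape
    return n[2] === '/' ? 'absolute-drive-path' : 'drive-relative-path';
  }
  if (n.startsWith('/')) return 'absolute-path';
  if (n.split('/').includes('..')) return 'parent-traversal';
  return null;
}

// Minimal ustar reader: 512-byte header, name at bytes 0..99, octal size at 124..135.
function listTarEntries(buf) {
  const names = [];
  let off = 0;
  while (off + 512 <= buf.length) {
    const block = buf.subarray(off, off + 512);
    if (block.every((b) => b === 0)) break;    // zero block marks end of archive
    const name = block.toString('utf8', 0, 100).split('\0')[0];
    const sizeField = block.toString('utf8', 124, 136).split('\0')[0].trim();
    const size = parseInt(sizeField || '0', 8);
    names.push(name);
    off += 512 + Math.ceil(size / 512) * 512;  // skip header plus padded data blocks
  }
  return names;
}

// Entries that should block extraction on Windows, with the reason for each.
function findUnsafeEntries(buf) {
  return listTarEntries(buf)
    .map((name) => ({ name, reason: classifyEntryName(name) }))
    .filter((e) => e.reason !== null);
}

// Constructed sample archive: one benign entry and one drive-relative entry (hypothetical names).
function makeHeader(name, size) {
  const h = Buffer.alloc(512);
  h.write(name, 0, 'utf8');
  h.write(size.toString(8).padStart(11, '0') + '\0', 124, 'utf8');
  h.write('0', 156, 'utf8');                   // typeflag '0': regular file
  return h;
}
const SAMPLE_TAR = Buffer.concat([
  makeHeader('docs/readme.txt', 5), Buffer.from('hello'.padEnd(512, '\0')),
  makeHeader('D:evil\\payload.txt', 3), Buffer.from('bad'.padEnd(512, '\0')),
  Buffer.alloc(1024),                           // two trailing zero blocks
]);
```

Running `findUnsafeEntries(SAMPLE_TAR)` reports only the `D:evil\payload.txt` entry, with reason `drive-relative-path`; the check is name-based and does not depend on the extraction host, so it can run in CI on any platform.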
Mitigation and Prevention
To address CVE-2021-37713, immediate action is required to secure systems and prevent potential exploitation.
Immediate Steps to Take
Users are strongly advised to update node-tar to the patched versions: 4.4.18, 5.0.10, or 6.1.9. Discontinue use of the v3 branch, as it is deprecated and lacks fixes for these critical security issues.
Long-Term Security Practices
Implement stringent file handling policies and regular security updates to mitigate similar vulnerabilities in the future.
Patching and Updates
Regularly monitor for security advisories from the package maintainers and promptly apply patches to safeguard against known vulnerabilities.