[Bug] environment-sc-connection-service.js CVE-2023-46809 RSA_PKCS1_PADDING is no longer supported for private decryption #1250

Open
mrgum opened this issue Mar 7, 2024 · 3 comments
Labels
bug Something isn't working Review One Review Two

Comments

mrgum commented Mar 7, 2024

Describe the bug
After redeploying a previously working SWB, we can no longer get connections to RDP workspaces.

To Reproduce
Steps to reproduce the behavior:

  1. Go to workspaces
  2. Click on 'Get Connection'
  3. See error bottom right red box 'we have a problem! something went wrong ;'

Expected behavior
Get connection to workspace

Versions (please complete the following information):

  • Release Version installed 6.2.0
  • Is the deployment from a forked version of the repository? yes but this code is not something we've changed

Additional context
Tracing through CloudWatch logs gives

2024-03-07T09:32:19.236+00:00
2024-03-07T09:32:19.236Z	uuid	INFO	
{
    "solutionName": "blah",
    "envType": "prod",
    "envName": "treprod",
    "logLevel": "info",
    "logEventType": "incomingRequest",
    "uid": "u-string",
    "authenticationProviderId": "https://cognito-idp.region.amazonaws.com/region_string",
    "method": "GET",
    "url": "/api/workspaces/service-catalog/uuid/connections/id-1/windows-rdp-info",
    "query": {},
    "body": {}
}

	2024-03-07T09:32:20.980+00:00
2024-03-07T09:32:20.980Z	uuid	ERROR	TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
    at Object.privateDecrypt (node:internal/crypto/cipher:80:12)
    at EnvironmentScConnectionService.getWindowsPasswordDataForRdp (/var/task/src/lambdas/api-handler/addons/addon-base-raas/packages/base-raas-services/lib/environment/service-catalog/environment-sc-connection-service.js:483:10)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at /var/task/src/lambdas/api-handler/addons/addon-base-raas/packages/base-raas-rest-api/lib/controllers/environment-sc-controller.js:151:22
    at /var/task/src/lambdas/api-handler/addons/addon-base-rest-api/packages/api-handler-factory/lib/app-context.js:59:9 {
  code: 'ERR_INVALID_ARG_VALUE'
}

In our code, line 483 is the same as line 388 in the original code, the second line of

const password = crypto
      .privateDecrypt(
        { key: privateKey, padding: crypto.constants.RSA_PKCS1_PADDING },
        Buffer.from(passwordData, 'base64'),
      )
      .toString('utf8');

I think this is a security bug, so it should be dealt with despite SWB being in maintenance mode. I will email a link to this issue to aws-security@amazon.com.

@mrgum mrgum added the bug Something isn't working label Mar 7, 2024
@mrgum mrgum changed the title [Bug] environment-sc-connection-service.js RSA_PKCS1_PADDING is no longer supported for private decryption [Bug] environment-sc-connection-service.js CVE-2023-46809 RSA_PKCS1_PADDING is no longer supported for private decryption Mar 7, 2024
mrgum commented Mar 12, 2024

A possible fix for this issue, the one I am currently using, is to replace

const password = crypto
      .privateDecrypt(
        { key: privateKey, padding: crypto.constants.RSA_PKCS1_PADDING },
        Buffer.from(passwordData, 'base64'),
      )
      .toString('utf8');

with

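      // Required once at the top of the module (node-rsa must be in package.json).
      const NodeRSA = require("node-rsa");

      const keyRSA = new NodeRSA(
        privateKey,
        "private",
        {
          encryptionScheme: "pkcs1",
        }
      );
      // "browser" selects node-rsa's pure-JavaScript RSA implementation,
      // so Node's crypto.privateDecrypt is not called.
      keyRSA.setOptions({ environment: "browser" });

      const decrypted = keyRSA.decrypt(Buffer.from(passwordData, "base64"), "buffer");
      const password = decrypted.toString();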

Adding node-rsa to the package.json and running pnpm install where it's needed.

Though as this code appears four times in the codebase perhaps a utility function would be a better fix?

nodejs/node#52017 is where I got the fix from
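
An added example, not part of the comment above and not the project's code or its 6.2.2 fix: a sketch of the single utility function the comment asks about, plus a startup probe that reports whether the running Node build still permits PKCS#1 v1.5 private decryption. The names `decryptPkcs1Password`, `probePkcs1Decrypt` and the `PKCS1_DECRYPT_DISABLED` code are hypothetical; the helper leaves the runtime's restriction in place and only turns the opaque `TypeError` from the trace into a diagnosable error.

```javascript
'use strict';
const crypto = require('node:crypto');

// Hypothetical helper: one place for the privateDecrypt call that the issue
// says is repeated four times in the codebase.
function decryptPkcs1Password(privateKeyPem, passwordDataB64) {
  try {
    return crypto
      .privateDecrypt(
        { key: privateKeyPem, padding: crypto.constants.RSA_PKCS1_PADDING },
        Buffer.from(passwordDataB64, 'base64'),
      )
      .toString('utf8');
  } catch (err) {
    // Runtimes patched for CVE-2023-46809 throw the TypeError shown in the
    // trace (code ERR_INVALID_ARG_VALUE) instead of decrypting.
    if (err.code === 'ERR_INVALID_ARG_VALUE' && /RSA_PKCS1_PADDING/.test(err.message)) {
      const wrapped = new Error(
        `PKCS#1 v1.5 private decryption is disabled in Node ${process.version} (CVE-2023-46809)`,
      );
      wrapped.code = 'PKCS1_DECRYPT_DISABLED'; // hypothetical error code
      wrapped.cause = err;
      throw wrapped;
    }
    throw err; // bad key, corrupt ciphertext, etc. stay distinguishable
  }
}

// Startup probe: round-trips a constructed secret through a throwaway key
// pair so a runtime upgrade is noticed at deploy time, not on "Get Connection".
function probePkcs1Decrypt() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const sample = 'constructed-sample-password'; // constructed test value
  const passwordData = crypto
    .publicEncrypt({ key: publicKey, padding: crypto.constants.RSA_PKCS1_PADDING }, Buffer.from(sample))
    .toString('base64');
  try {
    const supported = decryptPkcs1Password(privateKey, passwordData) === sample;
    return { supported, nodeVersion: process.version };
  } catch (err) {
    if (err.code !== 'PKCS1_DECRYPT_DISABLED') throw err;
    return { supported: false, nodeVersion: process.version, reason: err.message };
  }
}
```

Logging the result of `probePkcs1Decrypt()` at cold start gives a clear signal in the same logs where the original trace appeared.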

mrgum commented Mar 18, 2024

Release 6.2.2 fixes this bug.

@mrgum mrgum closed this as completed Mar 18, 2024
@mrgum mrgum reopened this Mar 18, 2024
mrgum commented Mar 18, 2024