GitHub security update: Vulnerabilities in tar and @npmcli/arborist


Between July 21, 2021 and August 13, 2021 we received reports through one of our private security bug bounty programs from researchers regarding vulnerabilities in the Node.js packages tar and @npmcli/arborist. We started our own security review of tar and @npmcli/arborist during the triage of these issues, which in turn uncovered additional vulnerabilities.

These vulnerabilities may result in arbitrary code execution due to file overwrite and creation when tar is used to extract untrusted tar files or when the npm CLI is used to install untrusted npm packages under certain file system conditions. tar is a core npm dependency used to extract and install npm packages. tar is also a core dependency of thousands of other projects and is downloaded from npm tens of millions of times weekly. @npmcli/arborist is a core dependency for the npm CLI and is used to manage node_modules trees.

We acknowledged the bug bounty reports on receipt and, combined with our internal findings, seven CVEs were assigned in total:

  • CVE-2021-32803 (tar)
  • CVE-2021-32804 (tar)
  • CVE-2021-37701 (tar)
  • CVE-2021-37712 (tar)
  • CVE-2021-37713 (tar)
  • CVE-2021-39134 (@npmcli/arborist)
  • CVE-2021-39135 (@npmcli/arborist)

CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a security impact on the npm CLI when processing a malicious or untrusted npm package install. Some of these issues may result in arbitrary code execution even if you are using --ignore-scripts to prevent the processing of package lifecycle scripts: the file overwrite happens while the package tarball is being extracted and does not depend on lifecycle scripts at all.

While we have released these fixes via our normal vulnerability disclosure processes, we also want to ensure full npm community and tar dependent awareness of the available fixes for these issues.

We strongly recommend upgrading your npm CLI to version 6.14.15, 7.21.0, or newer. If your project depends on tar, we also recommend updating those dependencies to version 4.4.19, 5.0.11, 6.1.10, or newer as soon as possible. The v3 branch of tar has been deprecated and we recommend you update to v6 where possible. More details and remediation advice are provided below.

Why is this a security issue?

The npm CLI aims to enforce certain security boundaries on package installation. One of these boundaries is that a package’s contents will only be written to the appropriate folder within the node_modules directory hierarchy. Several of the tar and @npmcli/arborist vulnerabilities will cross that security boundary and may result in unexpected arbitrary file overwrites and subsequent code execution when installing untrusted packages.

tar itself has thousands of dependents beyond the npm CLI and is downloaded tens of millions of times weekly. These dependents may also use tar to extract potentially untrusted tar archives.

What actions have we taken?

When we learned of these vulnerabilities, we immediately started working on fixes and began scanning the npm registry for malicious packages that may have directly targeted the vulnerability that affected all npm CLI platforms (CVE-2021-32804). The scan completed on August 5, 2021 and we did not detect any malicious packages targeting CVE-2021-32804. Note that exploitation of these issues through the npm CLI requires installation of untrusted packages or processing untrusted tar archives using affected versions of tar.

We actively monitored the npm registry for any attempted abuse of these issues and performed an internal assessment to determine how we can better prevent this sort of bug in the future. Note that risk exposure is minimal for npm package installations that do not operate on untrusted packages.

Since symbolic links are explicitly not supported by the npm installer, and many of the issues in the tarslip vulnerability class are related to the cross-platform handling of symbolic and hard link extraction, on July 29, 2021 we started blocking the publication of npm packages that contain symbolic links, hard links, or absolute paths.

In total, GitHub created 16.7 million Dependabot alerts and delivered 1.8 million notifications to potentially affected users.

What you can do to remediate

If you install or package the npm CLI directly, please update to one of the latest versions of the npm CLI: v6.14.15, v7.21.0, or newer. Note that only CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 affected the npm CLI.

If you rely on Node.js for your npm installation, please update to the latest version of Node.js. The latest releases of Node 12, 14, and 16 as of August 31, 2021 all contain patched versions of npm that prevent exploitation of CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 (v12.22.6, v14.17.6 and v16.8.0 or newer).

If you are dependent on tar, please see the CVE-2021-32804, CVE-2021-32803, CVE-2021-37701, CVE-2021-37712, and CVE-2021-37713 GitHub Security Advisories for tar specific remediation advice. Where possible, we recommend you update to the latest tar versions, which at the time of writing are 4.4.19, 5.0.11, and 6.1.10.

The v3 branch of tar has been deprecated and we recommend you migrate to the latest v6 release of tar when handling potentially untrusted tar archives.

What was the root cause of these vulnerabilities?

There were seven issues in total. Five separate issues in tar's extraction of archives were addressed, but only two of them (CVE-2021-32804, CVE-2021-37713) directly affected npm package installations. In addition, two separate issues in @npmcli/arborist (CVE-2021-39134, CVE-2021-39135) were patched that also directly affected npm package installations.

The first tar issue that affected the npm CLI, CVE-2021-32804, revolves around absolute path extractions from tar archives. This vulnerability could result in a malicious npm package overwriting arbitrary files with the privileges of the user running the npm install on any supported npm platform. This, in turn, may lead to unintended arbitrary code execution through, for example, overwriting executable scripts. For more information, please visit https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9.

The second tar issue that affected the npm CLI, CVE-2021-37713, revolves around drive-relative Windows path extractions from tar archives. This vulnerability could result in a malicious npm package overwriting files outside of its installation root with the privileges of the user running the npm install on Windows systems. For more information, please visit https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh.

The first @npmcli/arborist issue that affected the npm CLI, CVE-2021-39134, revolves around the handling of symbolic links within the node_modules tree when installing untrusted packages on case insensitive file systems. This vulnerability could result in a malicious npm package overwriting files outside of its installation root with the privileges of the user running the npm install. For more information, please visit https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc.

The second @npmcli/arborist issue that affected the npm CLI, CVE-2021-39135, also revolves around the handling of symbolic links within the node_modules tree when installing untrusted packages on case insensitive file systems. This vulnerability could result in a malicious npm package overwriting files outside of its installation root with the privileges of the user running the npm install. For more information, please visit https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2.

CVE-2021-32803 did not affect the npm CLI and revolves around the handling of directories and symlinks in sequence. This vulnerability could result in a malicious tar archive overwriting arbitrary files with the privileges of the process using tar. Since npm does not extract symlinks from tar archives by design, this issue did not affect the npm CLI. For more information, please visit https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw.

CVE-2021-37701 did not affect the npm CLI and revolves around the handling of path separators in filenames in combination with symlink extraction. This vulnerability could result in a malicious tar archive overwriting arbitrary files with the privileges of the process using tar. In addition to the bounty reported issues, our code review uncovered a potential variant vulnerability in the handling of symlinks on case insensitive file systems as well as additional path separator confusion issues. These issues were addressed in the CVE-2021-37701 patch set as well. Since npm does not extract symlinks from tar archives by design, these issues did not affect the npm CLI. For more information, please visit https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc.

CVE-2021-37712 did not affect the npm CLI and also involves the handling of symlinks in combination with the tar directory cache. In this variant, Unicode conversions and Windows 8.3 file name semantics could lead to directory cache poisoning and subsequent symlink check bypasses. This vulnerability could result in a malicious tar archive overwriting arbitrary files with the privileges of the process using tar. Since npm does not extract symlinks from tar archives by design, this issue did not affect the npm CLI. For more information, please visit https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p.

Acknowledgements

Several of these issues were reported to us by Robert Chen (@chen-robert) and Philip Papurt (@ginkoid) through one of GitHub’s private security bug bounty programs. We would like to thank Robert and Philip for reporting these issues and providing us with detailed and actionable reports as well as staying engaged throughout our remediation process. We have awarded a total bounty of $14,500 USD for their reports and look forward to our continued engagement with the security research community to keep GitHub, our products, and our customers more secure.

We’d also like to recognize the maintainers and project teams that partnered with us during the embargo period to minimize the breadth and impact of these vulnerabilities. Coordinated disclosure can be challenging and complex, but we greatly appreciate the partnership with the open source and npm community on resolving these issues.

Remediation timeline

  • On July 26, 2021, CVE-2021-32803 and CVE-2021-32804 were remediated in tar versions 3.2.3, 4.4.15, 5.0.7, and 6.1.2.
  • On July 27, 2021, we released npm CLI v6.14.14 and v7.20.2 with patched versions of tar that remediate the CVE-2021-32804 registry attack vector (Node 12 / 14 / 16 includes this patched version of npm in their releases as of August 3, 2021).
  • On July 29, 2021, we deployed mitigations on the npm registry aimed at preventing tarslip packages from being published to the registry going forward. These mitigations prevent packages containing symlinks, hardlinks, or absolute paths from being published altogether.
  • On July 29, 2021, we identified and notified potentially-impacted and widely-used tar dependents as well as npm security stakeholders of CVE-2021-32803 and CVE-2021-32804 to allow them time to coordinate on their own security releases.
  • On August 3, 2021, we published security advisories for tar for CVE-2021-32803 and CVE-2021-32804 to inform the wider npm ecosystem of the available security fixes through npm audit as well as GitHub Dependabot notifications.
  • On August 4, 2021, we received an additional bounty report regarding a vulnerability in tar which was assigned CVE-2021-37701.
  • On August 9, 2021, CVE-2021-37701 was remediated in tar versions 4.4.16, 5.0.8, and 6.1.7 and the v3 branch of tar was deprecated.
  • On August 10, 2021, we addressed additional non-security issues in tar with versions 4.4.17, 5.0.9 and 6.1.8.
  • On August 11, 2021, we uncovered additional variant vulnerabilities in tar which were assigned CVE-2021-37712.
  • On August 12, 2021, we uncovered additional variant vulnerabilities in tar which were assigned CVE-2021-37713. These issues also potentially impacted the npm CLI.
  • On August 12, 2021, the bounty reporters confirmed that CVE-2021-32803 and CVE-2021-32804 had been fully remediated in the latest tar versions.
  • On August 12, 2021, we received an additional bounty report for tar. However, this finding was deemed to be a collision with the variant vulnerabilities identified as CVE-2021-37712 as a result of our internal code review.
  • On August 13, 2021, we received an additional bounty report for tar. However, this finding was deemed to be a collision with the variant vulnerabilities identified as CVE-2021-37713 as a result of our internal code review.
  • On August 13, 2021, we received a bounty report for @npmcli/arborist. This issue and an additional variant issue were assigned CVE-2021-39134 and CVE-2021-39135.
  • On August 18, 2021, CVE-2021-37712 and CVE-2021-37713 were remediated in tar versions 4.4.19, 5.0.11, and 6.1.10.
  • On August 18, 2021, CVE-2021-39134 and CVE-2021-39135 were remediated in @npmcli/arborist version 2.8.2.
  • On August 19, 2021, we released npm CLI v7.21.0 with patched versions of tar and @npmcli/arborist that remediate CVE-2021-37713 as well as CVE-2021-39134 and CVE-2021-39135.
  • On August 23, 2021, we released npm CLI v6.14.15 with patched versions of tar and @npmcli/arborist that remediate CVE-2021-37713 as well as CVE-2021-39134 and CVE-2021-39135.
  • On August 25, 2021, we updated potentially-impacted and widely-used tar dependents as well as npm CLI security stakeholders with information about these additional issues to allow them time to coordinate on their own security releases.
  • As of August 31, 2021, Node 12 / 14 / 16 includes patched versions of npm in their latest releases (v12.22.6, v14.17.6 and v16.8.0 or newer).
  • On August 31, 2021, we published detailed security advisories for CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2021-39134 and CVE-2021-39135 to inform the wider npm ecosystem of the available security fixes through npm audit as well as GitHub Dependabot notifications.

Written by Mike Hanley (@mph4)

Mike Hanley is the Chief Security Officer and SVP of Engineering at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo’s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community.

When he’s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and eight kids.
