The HCL BigFix Server Automation device management software is affected by a security vulnerability in the qs library it uses. Attackers could exploit it to hang the BigFix process on vulnerable nodes. Updated software that fixes the flaw is available.

The vulnerability can be triggered by unauthenticated remote attackers who send a URL request containing a parameter of the form a(__proto__)=b&a(__proto__)&a(length)=100000000. When the qs library, in versions before 6.10.3, processes such a request, the Node process can hang, HCL explains in a security advisory (CVE-2022-24999, CVSS 7.5, risk “high”).

According to HCL's report, the vulnerable qs library is used, among other places, in the Express web framework prior to version 4.17.3. Parsing parameters of this kind is a typical use case in many Express applications. The qs developers have backported the fix to versions 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3 and 6.2.4.

This means that Express 4.17.3, whose release notes list “deps: qs@6.9.7”, is no longer vulnerable. Officially, HCL's notification lists the HCL BigFix Server Automation REST API in version 9.5.64 and earlier as vulnerable. IT administrators can obtain the updated, corrected software through their usual channels.
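Because qs is frequently pulled in transitively (directly, and again nested under Express), a version check has to cover every installed copy, not just the top-level one. The following is an added example, not code from HCL, the qs project or the original article: it encodes the version boundaries the advisory states (fixed in 6.10.3, backports to 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3 and 6.2.4) and walks a package-lock.json "packages" map to report vulnerable copies. The function names and the sample lockfile are constructed for illustration; the assumption that 6.11+ and 7.x carry the fix follows from the advisory's "before 6.10.3" wording.

```javascript
// Added example: flag qs versions affected by CVE-2022-24999 using the
// version boundaries from the advisory. Function names, the sample lockfile
// and the "later releases are fixed" assumption are constructed here.

// Lowest fixed patch level per 6.x minor line (6.10.3 plus the backports).
const FIXED_PATCH_BY_MINOR = { 2: 4, 3: 3, 4: 1, 5: 3, 6: 1, 7: 3, 8: 3, 9: 7, 10: 3 };

// Parse "major.minor.patch" (an optional leading "v" is tolerated).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// True when the given qs version carries no fix for CVE-2022-24999.
function isQsVulnerable(version) {
  const { major, minor, patch } = parseSemver(version);
  if (major > 6) return false;   // assumed: later major lines include the fix
  if (major < 6) return true;    // no backport exists below 6.2.4
  if (minor > 10) return false;  // assumed: 6.11+ was released after the fix
  const fixedPatch = FIXED_PATCH_BY_MINOR[minor];
  if (fixedPatch === undefined) return true;  // 6.0.x / 6.1.x: no backport
  return patch < fixedPatch;
}

// Walk a package-lock.json (lockfileVersion 2 or 3 "packages" map) and
// report every installed copy of qs, nested ones included, that is vulnerable.
function findVulnerableQs(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/qs')) continue;
    if (meta.version && isQsVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile excerpt: the top-level qs was updated, but an older
// copy is still nested under an Express release that predates 4.17.3.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/qs': { version: '6.10.3' },
    'node_modules/express': { version: '4.17.2' },
    'node_modules/express/node_modules/qs': { version: '6.9.6' },
  },
};

for (const hit of findVulnerableQs(SAMPLE_LOCKFILE)) {
  console.log(`vulnerable qs ${hit.version} at ${hit.path}`);
}
```

Run against a real lockfile by reading it with `JSON.parse` and passing the object to `findVulnerableQs`; the nested `node_modules/express/node_modules/qs` entry is exactly the kind of copy a top-level `npm ls qs` glance can miss.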

In the middle of last year, HCL had to close security holes in BigFix that allowed attackers to compromise vulnerable systems. Some of the holes were rated critical and made it possible, for example, to execute arbitrary commands.


(dmk)
