awslabs / service-workbench-on-aws

A platform that provides researchers with one-click access to collaborative workspace environments operating across teams, universities, and datasets while enabling university IT stakeholders to manage, monitor, and control spending, apply security best practices, and comply with corporate governance.
Apache License 2.0
178 stars 119 forks

[Bug] environment-sc-connection-service.js CVE-2023-46809 RSA_PKCS1_PADDING is no longer supported for private decryption #1250

Open mrgum opened 6 months ago

mrgum commented 6 months ago

Describe the bug: After redeploying a previously working SWB, we can no longer get connections to RDP workspaces.

To Reproduce: Steps to reproduce the behavior:

  1. Go to workspaces
  2. Click on 'Get Connection'
  3. See the error in the bottom-right red box: 'we have a problem! something went wrong ;'

Expected behavior: Get connection to workspace.

Versions (please complete the following information):

Additional context: Tracing through CloudWatch logs gives

```
2024-03-07T09:32:19.236Z    uuid    INFO    
{
    "solutionName": "blah",
    "envType": "prod",
    "envName": "treprod",
    "logLevel": "info",
    "logEventType": "incomingRequest",
    "uid": "u-string",
    "authenticationProviderId": "https://cognito-idp.region.amazonaws.com/region_string",
    "method": "GET",
    "url": "/api/workspaces/service-catalog/uuid/connections/id-1/windows-rdp-info",
    "query": {},
    "body": {}
}
```

```
2024-03-07T09:32:20.980Z    uuid    ERROR   TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
    at Object.privateDecrypt (node:internal/crypto/cipher:80:12)
    at EnvironmentScConnectionService.getWindowsPasswordDataForRdp (/var/task/src/lambdas/api-handler/addons/addon-base-raas/packages/base-raas-services/lib/environment/service-catalog/environment-sc-connection-service.js:483:10)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at /var/task/src/lambdas/api-handler/addons/addon-base-raas/packages/base-raas-rest-api/lib/controllers/environment-sc-controller.js:151:22
    at /var/task/src/lambdas/api-handler/addons/addon-base-rest-api/packages/api-handler-factory/lib/app-context.js:59:9 {
  code: 'ERR_INVALID_ARG_VALUE'
}
```

In our code, line 483 is the same as line 388 in the original code, the second line of

```js
const crypto = require('crypto');

// passwordData is the base64 blob returned by EC2 GetPasswordData; the
// privateDecrypt call is what now throws on a Node.js patched for CVE-2023-46809.
const password = crypto
  .privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_PADDING },
    Buffer.from(passwordData, 'base64'),
  )
  .toString('utf8');
```

I think this is a security bug, so it should be dealt with despite SWB being in maintenance mode. I will email a link to this issue to aws-security@amazon.com.

mrgum commented 5 months ago

A possible fix for this issue, the one I am currently using, is to replace

```js
const password = crypto
  .privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_PADDING },
    Buffer.from(passwordData, 'base64'),
  )
  .toString('utf8');
```

with

```js
const NodeRSA = require('node-rsa'); // pure-JS RSA, so it does not hit Node's disabled PKCS#1 v1.5 path

const keyRSA = new NodeRSA(privateKey, 'private', {
  encryptionScheme: 'pkcs1', // EC2 encrypts the password with PKCS#1 v1.5
});
keyRSA.setOptions({ environment: 'browser' }); // force the JS implementation instead of node's crypto

const decrypted = keyRSA.decrypt(Buffer.from(passwordData, 'base64'), 'buffer');
const password = decrypted.toString();
```

Adding node-rsa to the package.json and running pnpm install where it's needed.

Though, as this code appears four times in the codebase, perhaps a utility function would be a better fix?

https://github.com/nodejs/node/issues/52017 is where I got the fix from.

mrgum commented 5 months ago

Release 6.2.2 fixes this bug.

mrgum commented 5 months ago

Release v6.2.2 fixes this for getting Windows passwords; however, another connection method, getRStudioUrl, still uses the now-broken code and needs the same fix:
https://github.com/awslabs/service-workbench-on-aws/blob/mainline/addons/addon-base-raas/packages/base-raas-services/lib/environment/built-in/environment-url-service.js#L61-L64
https://github.com/awslabs/service-workbench-on-aws/blob/mainline/addons/addon-base-raas/packages/base-raas-services/lib/environment/service-catalog/environment-sc-connection-service.js#L247-L250