Man-in-the-middle attack in npm unicode



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-10578
CWE-ID CWE-300
Exploitation vector Local network
Public exploit N/A
Vulnerable software
unicode
Web applications / JS libraries

Vendor npm Inc.

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Man-in-the-middle attack

EUVDB-ID: #VU13178

Risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-10578

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Exploit availability: No

Description

The vulnerability allows an adjacent unauthenticated attacker to conduct a man-in-the-middle attack on the target system.

The vulnerability exists in the unicode module published by npm, Inc. due to improper security restrictions. An adjacent attacker can conduct a man-in-the-middle attack, intercept the communication channel of the affected application, read or modify resources on the system, or possibly execute arbitrary code.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

unicode: 0.0.1 - 0.6.1

External links

https://nodesecurity.io/advisories/161


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
