Summary

ballerina-platform/ballerina-lang used an insecure TrustManager for HTTPS connections, making clients vulnerable to a machine-in-the-middle attack (MiTM) and remote code execution (RCE).

Product

ballerina-platform/ballerina-lang

Tested Version

Commit 9a4d1967

Details

The Ballerina programming language provides the bal tool for managing everything related to Ballerina. Dependency management is done with the bal pull/push/search commands, which download packages from the central repository, upload packages to it, or search it for a package.

This write-up focuses on the bal pull command; the other sub-commands share the same execution flow and the same problem. The bal pull command is implemented by the PullCommand class, which delegates the actual work to the CentralAPIClient#pullPackage method. pullPackage then calls Utils#initializeSsl, which claims to “initialize SSL” but actually installs an insecure TrustManager (defined here) that accepts any certificate chain without validating it.

Because the TrustManager performs no validation, an attacker who can intercept the connection (for example on the same network or at a compromised proxy) only has to present a self-signed certificate issued for the central repository’s hostname; the client accepts it exactly as it would accept a certificate from a trusted CA.

With such a forged certificate in place the attacker can read and modify the requested package in transit and include arbitrary code in it, which leads to remote code execution on the machine that pulls the package. Because the same SSL initialization is used for uploading packages, an attacker could also tamper with a package on its way to the central repository, turning the bug into a supply-chain attack against every downstream user of that package.
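The following is an added example, not code from the ballerina-lang repository. It shows the insecure TrustManager pattern described above (an X509TrustManager whose check methods never throw) next to the hardened form, which takes the JVM’s default X509TrustManager from a TrustManagerFactory so that certificate chains are validated against the platform trust store. The class name TrustManagerDemo, the helper names and the empty certificate chain used as the offline probe are assumptions made for this illustration.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class TrustManagerDemo {

    // Vulnerable pattern: every check method has an empty body and never throws,
    // so any chain (self-signed, expired, issued by an unknown CA) is accepted.
    // This is the shape of the "insecure TrustManager" the advisory refers to.
    static final X509TrustManager INSECURE = new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Hardened form: ask the platform for its default X509TrustManager. Passing a
    // null KeyStore to init() selects the JVM trust store (cacerts, or the one set
    // via javax.net.ssl.trustStore), and the returned manager throws on any chain
    // it cannot validate.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available from the platform");
    }

    // Builds an SSLContext around the given trust manager, the same way a client
    // would wire a custom TrustManager into its HTTPS connections.
    static SSLContext contextFor(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, new SecureRandom());
        return ctx;
    }

    // Returns true when the trust manager rejects the chain. A validating manager
    // throws CertificateException for an untrusted chain and IllegalArgumentException
    // for a null or empty one; the insecure manager returns normally for anything.
    static boolean rejects(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return false;
        } catch (CertificateException | IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed probe input: an empty chain stands in for a chain the platform
        // cannot validate, so the demo runs offline without a real certificate.
        X509Certificate[] emptyChain = new X509Certificate[0];

        System.out.println("insecure manager rejects invalid chain: "
                + rejects(INSECURE, emptyChain));
        System.out.println("platform manager rejects invalid chain: "
                + rejects(platformTrustManager(), emptyChain));

        // Install the hardened context for HttpsURLConnection. HttpsURLConnection
        // performs hostname verification itself; for raw SSLSockets the endpoint
        // identification algorithm must be set explicitly, as shown below.
        SSLContext hardened = contextFor(platformTrustManager());
        HttpsURLConnection.setDefaultSSLSocketFactory(hardened.getSocketFactory());

        SSLParameters params = hardened.getDefaultSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        // params would then be applied with SSLSocket#setSSLParameters(params)
        // on any socket created from hardened.getSocketFactory().
    }
}
```

Running the class prints that the insecure manager accepts the invalid chain while the platform manager rejects it. For a code base that needs a custom trust store (for example an internal repository signed by a private CA), the correct fix is to load that CA into a KeyStore and pass it to TrustManagerFactory#init rather than to hand-write a TrustManager; a hand-written X509TrustManager with an empty checkServerTrusted body is the pattern static analysers such as CodeQL’s java/insecure-trustmanager query flag.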

Impact

Machine-in-the-middle attack. Remote code execution. Supply chain attack.

CVE

CVE-2021-32700

Github Advisories

GHSA-9657-33wf-rmvx

Coordinated Disclosure Timeline

  • 2021-03-08: Sent a mail to security@ballerina.io.
  • 2021-06-04: Issue is patched.
  • 2021-06-22: CVE id is shared with me.
  • 2021-06-22: Advisory is published.

Credit

This issue was discovered and reported by @intrigus-lgtm.

Contact

You can contact the ISL at isl@intrigus.org. Please include a reference to ISL-2021-001 in any communication regarding this issue.