Summary
ballerina-platform/ballerina-lang used an insecure TrustManager for HTTPS connections making clients vulnerable a to machine-in-the-middle attack (MiTM) and remote code execution (RCE).
Product
ballerina-platform/ballerina-lang
Tested Version
Commit 9a4d1967
Details
The Ballerina programming language provides the bal tool for managing everything related to Ballerina.
Dependency management is done using the bal pull/push/search commands that allow to download/upload packages from the central repository or search for a package.
I’m focusing on the bal pull command, the other sub-commands have the same problem and similar execution flow.
The bal pull command is internally represented by the PullCommand class which will delegate the actual work to the CentralAPIClient#pullPackage method.
The pullPackage method then calls the Utils#initializeSsl method which claims to “initializes SSL” but actually enables an insecure TrustManager (defined here).
An insecure TrustManager allows an attacker to create a self-signed certificate that matches the hostname of the intercepted connection.
After an attacker has forged such a certificate they can intercept and manipulate the requested package and include arbitrary code! Because the issue affects both downloading and uploading of packages this could also be used for a supply-chain attack.
Impact
Machine-in-the-middle attack. Remote code execution. Supply chain attack.
CVE
Github Advisories
Coordinated Disclosure Timeline
- 2021-03-08: Sent a mail to security@ballerina.io.
- 2021-06-04: Issue is patched.
- 2021-06-22: CVE id is shared with me.
- 2021-06-22: Advisory is published.
Credit
This issue was discovered and reported by @intrigus-lgtm.
Contact
You can contact the ISL at isl@intrigus.org. Please include a reference to ISL-2021-001 in any communication regarding this issue.