New Async-Tar Vulnerability: Understanding the Risk of ‘Archive Smuggling’
A significant security vulnerability has been uncovered in the widely used async-tar JavaScript library, posing a serious threat to applications that process TAR archives. This flaw, known as a path traversal vulnerability, allows attackers to write files to arbitrary locations on a system, potentially leading to remote code execution. The attack method is particularly deceptive, leveraging a technique best described as “archive smuggling” to bypass standard security checks.
If your application uses the async-tar library to handle file uploads or process TAR files from untrusted sources, immediate action is required to mitigate this risk.
The Core of the Problem: Nested TAR Files
The vulnerability stems from how async-tar handles nested TAR archives—a TAR file contained within another TAR file. Attackers can craft a malicious archive where the inner file contains a dangerous path traversal payload (e.g., ../../etc/passwd), but the outer archive appears harmless.
Here’s how the “archive smuggling” attack works:
- Crafting the Malicious Payload: An attacker creates a TAR archive (the “inner” archive) containing a file with a path designed to escape the intended extraction directory. For example, a file named
../../home/user/.ssh/authorized_keys. - Nesting the Archive: This malicious inner archive is then placed inside a second, seemingly benign TAR file (the “outer” archive).
- Bypassing Security Checks: When a vulnerable application using
async-tarreceives this nested archive, it begins to extract the outer file. The library may successfully validate the file paths in the outer archive. However, the critical flaw occurs when it proceeds to unpack the inner archive. The security checks are not properly applied to the contents of this second-level archive. - Arbitrary File Write: As the inner archive is extracted, the path traversal payload is executed. This allows the attacker’s malicious file to be written to a sensitive location outside of the designated temporary or upload folder, overwriting critical system files.
The primary danger is that initial security scans may only inspect the outer layer, deeming the file safe. The smuggled inner archive remains hidden until the extraction process, at which point the damage is already done.
Who is at Risk and What is the Impact?
Any Node.js application, web service, or backend system that uses a vulnerable version of the async-tar library to process TAR files is at risk. This is especially true for services that allow users to upload files, such as:
- Cloud storage platforms
- Continuous Integration/Continuous Deployment (CI/CD) pipelines
- Online code repositories and collaboration tools
- Any system that unpacks software packages or backups
Successful exploitation of this vulnerability can have devastating consequences, including:
- Remote Code Execution (RCE): By overwriting executable files, shell profiles (
.bashrc), or SSH keys, an attacker can gain full control over the affected server. - Denial of Service (DoS): Overwriting or corrupting essential system files can crash the application or the entire operating system.
- Information Disclosure: Attackers could replace configuration files to reroute traffic or capture sensitive data.
How to Secure Your Systems: Mitigation Steps
Protecting your applications from this archive smuggling vulnerability requires immediate and proactive steps. Simply relying on filename or extension filters is not enough.
1. Update Your Dependencies Immediately
The most critical step is to update the async-tar library to a patched version. Developers have released a fix that correctly handles path sanitization for nested archives.
- Check your project’s dependencies for
async-tar. Runnpm auditor a similar command in your project directory to identify if you are using a vulnerable version. - Update to the latest secure version of the library by modifying your
package.jsonfile and runningnpm install.
2. Implement Defense-in-Depth Security Practices
Beyond patching this specific library, it’s crucial to adopt a layered security posture for handling any user-provided files.
- Run with Least Privilege: Ensure the process that handles file extraction runs as a low-privilege user. This user should not have write permissions to critical system directories, which limits the potential damage of a successful path traversal attack.
- Use Sandboxing: Whenever possible, process and extract archives in an isolated, sandboxed environment, such as a Docker container. This contains any malicious activity and prevents it from affecting the host system.
- Validate Archive Contents: Before processing, consider using robust tools to recursively scan archives for suspicious path entries, even within nested files. Do not trust that the file structure is safe.
This vulnerability serves as a stark reminder of the risks inherent in software supply chains and the importance of diligently managing dependencies. By taking swift action to patch vulnerable libraries and implementing strong security principles, organizations can protect themselves from this sophisticated “archive smuggling” attack.
Source: https://securityaffairs.com/183682/hacking/tarmageddon-flaw-in-async-tar-rust-library.html
