Developers and system administrators using Deno, the popular JavaScript, TypeScript, and WebAssembly runtime known for its security-focused architecture, need to be aware of a critical security vulnerability that has been identified and addressed in recent updates. The vulnerability, tracked as CVE-2024-34346 with a CVSS score of 8.5, presents a significant risk as it allows for permission escalation through the mishandling of privileged files.
What is Deno?
Deno is a cutting-edge runtime for executing JavaScript and TypeScript outside of a web browser. Built on technologies like the V8 engine, Rust, and Tokio, Deno offers enhanced security features and developer experience by design. Its default settings are intended to provide a secure sandbox environment that restricts access to the host system, aiming to prevent unauthorized operations.
The Vulnerability Details
The issue lies in how Deno handles file permissions, particularly when the --deny flag is not specified. In specific scenarios, users who enable read or write access to the entire filesystem may inadvertently grant permissions to access sensitive files that should require higher privileges. For instance, interacting with /proc/self/environ could inadvertently equate to granting --allow-env, which provides access to environment variables, while manipulating /proc/self/mem could lead to a state equivalent to --allow-all, giving nearly unrestricted access to the system.
The CVE-2024-34346 vulnerability affects several critical directories across Unix and Windows platforms, including /etc, /dev, /proc, and /sys on Unix, and paths starting with \\ on Windows.
Impact of the Vulnerability
Users running Deno versions earlier than 1.43.0 with the --allow-read or --allow-write flags are at risk of unintentionally providing scripts or applications with broader access than intended. This oversight can lead to potential exploitation where malicious code could escalate its privileges within the system undetected.
Solutions and Mitigations
The Deno team has swiftly responded to the vulnerability by releasing version 1.43.1. In this patched version, explicit --allow-all access is required to read or write to the sensitive directories listed above. This update significantly mitigates the risk by enforcing stricter control over file access permissions.
For users unable to update immediately, Deno offers workarounds that involve explicitly denying access to these critical files using flags such as --deny-read=/dev and --deny-write=/proc. These measures are essential for maintaining the integrity of the security sandbox, particularly in earlier versions of Deno where symlink resolutions could potentially bypass these restrictions.
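The workaround above can be checked mechanically. The following JavaScript is an added example, not code from Deno or from the advisory: it inspects a deno command line and reports which of the Unix directories listed earlier are granted by --allow-read or --allow-write without a matching --deny flag. The function names and the sample invocation are assumptions made for illustration; the check compares path strings only and does not resolve symlinks or relative paths.

```javascript
// Added example: flags and directory list come from the article; the rest is illustrative.
const SENSITIVE_DIRS = ["/etc", "/dev", "/proc", "/sys"];

// Deno's own flags sit between the subcommand and the script path.
// Assumes every flag uses the --flag=value form (no space-separated values).
function runtimeFlags(argv) {
  const flags = [];
  for (const arg of argv.slice(2)) {      // skip "deno" and the subcommand
    if (!arg.startsWith("-")) break;      // script path: the rest belongs to the script
    flags.push(arg);
  }
  return flags;
}

// Parse one permission flag: bare form means "everything", otherwise a comma list.
function parseFlag(flags, name) {
  const out = { all: false, paths: [] };
  for (const f of flags) {
    if (f === name) out.all = true;
    else if (f.startsWith(name + "=")) {
      out.paths.push(...f.slice(name.length + 1).split(",").filter(Boolean));
    }
  }
  return out;
}

// True when absolute path `parent` equals `dir` or is one of its ancestors.
function covers(parent, dir) {
  if (!parent.startsWith("/")) return false;   // relative paths are not resolved here
  const p = parent.replace(/\/+$/, "") || "/";
  return p === "/" || dir === p || dir.startsWith(p + "/");
}

// Return "mode:dir" for each sensitive directory that is allowed and not denied.
function auditDenoCommand(argv) {
  const flags = runtimeFlags(argv);
  const findings = [];
  for (const mode of ["read", "write"]) {
    const allow = parseFlag(flags, `--allow-${mode}`);
    const deny = parseFlag(flags, `--deny-${mode}`);
    for (const dir of SENSITIVE_DIRS) {
      const allowed = allow.all || allow.paths.some((p) => covers(p, dir));
      const denied = deny.all || deny.paths.some((p) => covers(p, dir));
      if (allowed && !denied) findings.push(`${mode}:${dir}`);
    }
  }
  return findings;
}

// Constructed sample invocation (not from a real deployment).
console.log(auditDenoCommand(["deno", "run", "--allow-write=/", "--deny-write=/proc", "app.ts"]));
```

An empty result means every listed directory that the command line grants is also denied; any entry such as write:/etc names a directory the workaround still leaves open.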