CVE-2024-56334: Command Injection Flaw Exposes Millions of Node.js Systems to Attack
A severe command injection vulnerability (CVE-2024-56334) has been identified in the widely used Node.js package 'systeminformation', which has over 8 million monthly downloads and a staggering 330 million total downloads. This flaw could allow attackers to execute arbitrary OS commands, potentially leading to remote code execution (RCE) or privilege escalation, depending on how the package is used.
The vulnerability stems from a command injection flaw within the getWindowsIEEE8021x function, which retrieves network SSID information. This function fails to sanitize the SSID properly before passing it as a parameter to cmd.exe. As a result, an attacker could embed malicious commands within the SSID of a Wi-Fi network, which would then be executed on a vulnerable system when the getWindowsIEEE8021x function is called.
Security researcher xAiluros, who discovered the CVE-2024-56334 vulnerability, demonstrated its potential impact by escalating privileges within a Windows service. An attacker could exploit this flaw by creating a Wi-Fi hotspot with a malicious SSID. When a vulnerable system connects to this network, the attacker’s commands embedded within the SSID could be executed, potentially leading to remote code execution or privilege escalation.
Two example payloads demonstrate the potential for exploitation:
- Indefinite Ping Flood
  SSID: a" | ping /t 127.0.0.1 &
- Execution of a Malicious File
  SSID: a" | %SystemDrive%\a\a.exe &
Once the victim is connected to the malicious Wi-Fi network, any call to the vulnerable function from an application that uses the package can trigger the attack, running the payload on the victim's machine.
Versions of ‘systeminformation’ up to and including 5.23.6 are affected by this vulnerability. The maintainers have released version 5.23.7, which addresses the issue. All users of this package are strongly urged to update to the latest version immediately.