PatchSiren cyber security CVE debrief
CVE-2023-32005 NodeJS CVE debrief
A vulnerability in Node.js version 20's experimental permission model allows unauthorized file statistics retrieval via the fs.statfs API when the --allow-fs-read flag is used with non-wildcard arguments. The permission model fails to properly restrict statfs operations, enabling malicious actors to obtain file system statistics from files they do not have explicit read access to. This affects Siemens SINEC INS, which incorporates the vulnerable Node.js component. The vulnerability is rated MEDIUM severity with a CVSS score of 5.3. Siemens has released a vendor fix in V1.0 SP2 Update 3.
- Vendor: NodeJS
- Product: SINEC INS
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-13
- Original CVE updated: 2024-03-12
- Advisory published: 2024-02-13
- Advisory updated: 2024-03-12
Who should care
Organizations running Siemens SINEC INS with affected versions, industrial control system operators using Node.js 20 with experimental permission features, security teams managing file system access controls in Node.js environments, and compliance officers responsible for least-privilege enforcement in critical infrastructure applications.
Technical summary
The vulnerability exists in Node.js 20's experimental permission model implementation. When the --allow-fs-read flag is specified with a non-wildcard argument (not *), the permission check fails to restrict the fs.statfs API. This API retrieves file system statistics including block size, total blocks, free blocks, and available blocks. The inadequate permission boundary allows an attacker with limited file system access to enumerate file system characteristics of paths outside their authorized scope. The flaw represents a permissions bypass in an experimental security feature, resulting in information disclosure rather than direct code execution or data modification.
Defensive priority
medium
Recommended defensive actions
- Update Siemens SINEC INS to V1.0 SP2 Update 3 or a later version to address the underlying Node.js vulnerability
- Review and restrict use of the Node.js experimental permission model with the --allow-fs-read flag in production environments
- Implement defense-in-depth controls for industrial control systems per CISA recommended practices
- Monitor for anomalous file system statistics access patterns in affected Node.js deployments
- Validate that permission model configurations follow the principle of least privilege for file system access
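The configuration review recommended above can be scripted. The following is an added example, not code from the advisory, Siemens or the Node.js project: it flags launch settings that match the condition in the technical summary (Node.js 20, permission model enabled, non-wildcard --allow-fs-read). It assumes --experimental-permission is the switch that enables the permission model; the function names and sample configurations are hypothetical and constructed for illustration.

```javascript
// Added example: flag Node.js launch settings matching the CVE-2023-32005 condition.
// Assumption: --experimental-permission enables the Node.js 20 permission model.
// The fixed patch level is not stated on this page, so every 20.x hit is reported for follow-up.
function collectFsReadGrants(args) {
  const grants = [];
  for (let i = 0; i < args.length; i++) {
    let value = null;
    if (args[i].startsWith('--allow-fs-read=')) {
      value = args[i].slice('--allow-fs-read='.length);
    } else if (args[i] === '--allow-fs-read' && i + 1 < args.length) {
      value = args[++i]; // space-separated form
    }
    if (value !== null) grants.push(...value.split(',').filter(Boolean));
  }
  return grants;
}

function auditLaunch({ version, args = [], nodeOptions = '' }) {
  // NODE_OPTIONS can carry the same flags as the command line.
  const all = nodeOptions.split(/\s+/).filter(Boolean).concat(args);
  const major = Number(/^v?(\d+)\./.exec(version)?.[1]);
  const permissionModel = all.includes('--experimental-permission');
  const grants = collectFsReadGrants(all);
  return {
    major, permissionModel, grants,
    // Page condition: Node.js 20, permission model on, non-wildcard --allow-fs-read.
    needsReview: major === 20 && permissionModel && grants.length > 0 && !grants.includes('*'),
  };
}

// Constructed sample launch configurations (not taken from any real system).
const samples = [
  { name: 'scoped', version: 'v20.3.0',
    args: ['--experimental-permission', '--allow-fs-read=/opt/app,/etc/app', 'server.js'] },
  { name: 'wildcard', version: 'v20.3.0',
    args: ['--experimental-permission', '--allow-fs-read=*', 'server.js'] },
  { name: 'env', version: 'v20.3.0', args: ['server.js'],
    nodeOptions: '--experimental-permission --allow-fs-read /srv/data' },
  { name: 'no-model', version: 'v18.19.0', args: ['server.js'] },
];

for (const s of samples) {
  const r = auditLaunch(s);
  console.log(`${s.name}: ${r.needsReview ? 'REVIEW' : 'ok'} grants=${JSON.stringify(r.grants)}`);
}
```

A REVIEW result means the deployment uses the configuration the advisory describes and its Node.js patch level should be checked against the vendor fix.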
Evidence notes
The vulnerability stems from Node.js 20's experimental permission model inadequately restricting fs.statfs API calls when --allow-fs-read is configured with specific path arguments rather than wildcard (*). This allows information disclosure through file system statistics retrieval. The CVE description explicitly notes the permission model was experimental at time of issuance. Siemens SINEC INS is affected as a downstream product incorporating the vulnerable Node.js version.
Official resources
- CVE-2023-32005 CVE record (CVE.org)
- CVE-2023-32005 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-11-12