CVE-2024-25129 in codeql-cli-binariesinfo

Summary

by MITRE • 02/22/2024

The CodeQL CLI repo holds binaries for the CodeQL command line interface (CLI). Prior to version 2.16.3, an XML parser used by the CodeQL CLI to read various auxiliary files is vulnerable to an XML External Entity attack. If a vulnerable version of the CLI is used to process either a maliciously modified CodeQL database, or a specially prepared set of QL query sources, the CLI can be made to make an outgoing HTTP request to an URL that contains material read from a local file chosen by the attacker. This may result in a loss of privacy of exfiltration of secrets. Security researchers and QL authors who receive databases or QL source files from untrusted sources may be impacted. A single untrusted `.ql` or `.qll` file cannot be affected, but a zip archive or tarball containing QL sources may unpack auxiliary files that will trigger an attack when CodeQL sees them in the file system. Those using CodeQL for routine analysis of source trees with a preselected set of trusted queries are not affected. In particular, extracting XML files from a source tree into the CodeQL database does not make one vulnerable. The problem is fixed in release 2.16.3 of the CodeQL CLI. Other than upgrading, workarounds include not accepting CodeQL databases or queries from untrusted sources, or only processing such material on a machine without an Internet connection. Customers who use older releases of CodeQL for security scanning in an automated CI system and cannot upgrade for compliance reasons can continue using that version. That use case is safe. If such customers have a private query pack and use the `codeql pack create` command to precompile them before using them in the CI system, they should be using the production CodeQL release to run `codeql pack create`. That command is safe as long as the QL source it precompiled is trusted. All other development of the query pack should use an upgraded CLI.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 03/13/2024

The vulnerability described in CVE-2024-25129 represents a critical XML External Entity (XXE) flaw within the CodeQL command line interface that affects versions prior to 2.16.3. This security weakness resides in the XML parser component responsible for processing auxiliary files within the CodeQL ecosystem, creating a pathway for malicious actors to exploit the system through specially crafted inputs. The vulnerability specifically targets the way the CLI handles XML data during database processing or query source analysis, where an attacker can manipulate the system to make unauthorized HTTP requests to arbitrary URLs. This flaw operates under the CWE-611 category of Improper Restriction of XML External Entity Reference, which is a well-documented vulnerability pattern that has been exploited in numerous security incidents across various software platforms. The attack vector requires that an attacker control or influence the content of CodeQL databases or query source files, particularly those distributed in compressed formats such as zip archives or tarballs rather than individual files.

The technical exploitation of this vulnerability occurs when a vulnerable CodeQL CLI processes auxiliary files that contain malicious XML entities referencing local files through HTTP protocols. The system's XML parser, when encountering external entity declarations, will attempt to resolve these references and make HTTP requests to URLs that may contain file paths or content from the local filesystem. This creates a potential for information disclosure or privilege escalation scenarios where sensitive data, configuration files, or authentication credentials stored locally could be exfiltrated to attacker-controlled servers. The attack requires the attacker to have control over the input data, meaning that the vulnerability is not exploitable through single files but rather through entire archives or packages that contain auxiliary XML files. This characteristic aligns with ATT&CK technique T1566.001 for Initial Access through spearphishing attachments, where the malicious payload is embedded within legitimate-looking packages. The vulnerability specifically impacts users who process CodeQL databases or query sources from untrusted parties, as the system's XML parser will attempt to resolve external entities even when they are not explicitly intended to be processed.

The operational impact of this vulnerability extends beyond simple data exfiltration to potentially compromise entire development environments and CI/CD pipelines. Security researchers and query authors who routinely analyze code from external sources become prime targets for this attack, as they may unknowingly process maliciously crafted databases or query packages. The risk is particularly elevated in automated systems where CodeQL is used for continuous security scanning, as these environments often process inputs from multiple sources without manual verification. Organizations that rely on CodeQL for security analysis of third-party code or open source projects face significant exposure, as the vulnerability can be triggered through legitimate code analysis workflows. The vulnerability's scope is limited to specific attack scenarios involving compressed archives rather than individual files, which provides some mitigation but does not eliminate the risk entirely. The exploitation requires the attacker to have influence over the content of the files being processed, making it a targeted rather than widespread vulnerability, yet still capable of causing substantial privacy and security breaches.

The remediation for this vulnerability is straightforward with the release of CodeQL CLI version 2.16.3, which properly sanitizes XML input and disables external entity resolution. Organizations should prioritize upgrading to this version to eliminate the risk, as the fix addresses the root cause of the vulnerability by implementing proper XML parsing security measures. Alternative mitigation strategies include implementing strict input validation policies that prevent processing of untrusted CodeQL databases or query sources, and operating vulnerable systems in isolated network environments without internet connectivity. For organizations that cannot immediately upgrade, using a dedicated offline system for processing untrusted inputs or implementing network monitoring to detect unauthorized HTTP requests can provide additional protection layers. The vulnerability's nature means that routine analysis of trusted source trees with preselected queries remains safe, as the attack requires specific conditions involving malicious inputs rather than standard usage patterns. This aligns with ATT&CK technique T1059.001 for Command and Scripting Interpreter, where the attack path requires specific manipulation of input data rather than exploiting system weaknesses directly. Organizations should also ensure that their CI/CD systems use the production CodeQL release for precompiling query packs, as the `codeql pack create` command is safe when processing trusted source material, while all other development activities should utilize upgraded CLI versions to prevent potential compromise of the build environment.

Responsible

GitHub, Inc.

Reservation

02/05/2024

Disclosure

02/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00773

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!