CVE-2023-23556
Weakness (CWE)
CVSS Vector (v3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
An error in BigInt conversion to Number in Hermes prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 could have been used by a malicious attacker to execute arbitrary code due to an out-of-bound write. Note that this bug is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.
Comprehensive Technical Analysis of CVE-2023-23556
CVE ID: CVE-2023-23556
CVSS Score: 9.8 (Critical)
Affected Component: Hermes JavaScript Engine (BigInt-to-Number conversion)
Exploitation Impact: Arbitrary Code Execution (ACE)
1. Vulnerability Assessment & Severity Evaluation
Technical Root Cause
CVE-2023-23556 is an out-of-bounds (OOB) write in Hermes, the JavaScript engine Meta develops for React Native. The advisory places the defect in the conversion of a BigInt (arbitrary-precision integer) to a Number (IEEE 754 double precision) and publishes no further internals, so the following is what can be stated from it:
- Missing bounds check in the conversion routine: for some BigInt values the code writes past the end of the buffer it is working in, corrupting whatever the allocator placed next to it. Which allocation is overrun is not published; BigInt values themselves live in the engine's garbage-collected heap, so heap corruption is the working assumption.
- Reachable from plain script: BigInt literals, BigInt() and Number() are ordinary language features, so any code the engine evaluates can reach the faulty path. The advisory describes no type-confusion component, and none is needed to explain the reported impact.
Severity Justification (CVSS 9.8)
| CVSS Metric | Score | Rationale |
|---|---|---|
| Attack Vector (AV) | Network (N) | The trigger is script delivered to the engine, typically fetched over the network; no local access is needed. |
| Attack Complexity (AC) | Low (L) | No special conditions, races or configuration required once untrusted script runs in an unpatched engine. |
| Privileges Required (PR) | None (N) | No authentication or elevated privileges needed. |
| User Interaction (UI) | None (N) | Nothing beyond the app loading the script; no click or prompt. |
| Scope (S) | Unchanged (U) | Impact is confined to the process hosting Hermes (the app's own sandbox). |
| Confidentiality (C) | High (H) | Native code execution exposes everything the app can read (tokens, local data). |
| Integrity (I) | High (H) | Native code execution lets the attacker alter application state and data. |
| Availability (A) | High (H) | Engine crash or persistent compromise of the app. |
Result: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
2. Potential Attack Vectors & Exploitation Methods
Exploitation Prerequisites
- Untrusted script reaches Hermes: the target must evaluate JavaScript that did not ship in its own signed bundle (remote bundles, plugins, server-driven code). An app that runs only its packaged bundle gives the attacker no way to deliver the trigger.
- BigInt-to-Number conversion on a chosen value: the script constructs a BigInt whose magnitude takes the faulty path and forces a conversion to Number (Number() is the explicit way). No special API is involved; BigInt and Number() are standard language features available to any script.
Exploitation Steps
1. Craft the trigger. The attacker writes ordinary JavaScript that builds a BigInt (a literal or BigInt()) whose magnitude drives the conversion routine into its faulty path, then forces a BigInt-to-Number conversion. Example (pseudo-code; the value itself is unspecified):
```javascript
const maliciousBigInt = BigInt("0x..."); // Crafted to trigger OOB write
const exploit = Number(maliciousBigInt); // Triggers vulnerability
```
2. Deliver and trigger. The script reaches an unpatched engine through whatever channel feeds it untrusted code: a remotely loaded bundle, a plugin or "mini-app" mechanism, or a dependency that fetches and evaluates code at runtime. When Hermes performs the conversion, the OOB write corrupts adjacent memory.
3. Turn the write into code execution. Hermes is a bytecode interpreter with no JIT in production builds, so there is no JIT region to spray; the attacker has to reach native control flow through corrupted heap data:
   - Heap grooming: shape the engine heap so that attacker-influenced objects sit next to the overrun buffer, turning the raw OOB write into corruption of a chosen object (length fields, pointers).
   - Information leak: use the corrupted object to read out of bounds and recover code or heap addresses, defeating ASLR.
   - Return-Oriented Programming (ROP): with a leaked address and a corrupted function pointer, chain existing code gadgets, since DEP/NX keeps the stack and heap non-executable.
4. Post-exploitation. Native code runs with the privileges of the host process and can:
   - Read application data and credentials and call the platform APIs the app holds permissions for (data exfiltration).
   - Tamper with the application (hooking, backdoor installation) for persistence within the app.
   - Escalate beyond the app sandbox only with a separate OS vulnerability; Hermes itself runs as the app, not as a privileged component.
Real-World Attack Scenarios
- Apps that evaluate remote code: an app that downloads JavaScript at runtime (over-the-air updates, server-driven logic, plugins) without verifying its origin and integrity lets a compromised server or a man-in-the-middle feed the payload to Hermes. A trojanized app needs no engine bug, since its own bundle already runs with full privileges.
- Supply chain attacks: a compromised npm dependency already executes inside the app bundle, so it gains little from this bug directly; the dangerous pattern is a dependency that fetches and evaluates code from a remote endpoint, which turns a compromise of that endpoint into native code execution.
- Web content: WebViews use the platform browser engine (WebKit or Chromium), not Hermes, so a drive-by web page cannot reach this bug. The exception is a hybrid app that takes script from web content and evaluates it in Hermes.
3. Affected Systems & Software Versions
Vulnerable Hermes Versions
- All Hermes builds prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 in the facebook/hermes repository. React Native pins a specific Hermes commit per release, so identify the commit your app bundles rather than relying on an app version string.
- React Native applications:
  - Affected: apps whose Hermes instance evaluates untrusted JavaScript (dynamic code loading from servers or users, plugin systems, unverified over-the-air updates).
  - Not affected in practice: most React Native apps, which execute only the JavaScript bundle packaged with the app; an engine memory-corruption bug adds nothing an attacker cannot already do when the script is the app's own trusted code.
Platforms at Risk
- Mobile: Android and iOS apps built with React Native and Hermes (libhermes.so on Android, hermes.framework on iOS).
- Other embedders: Hermes exposes a C++ API and can be embedded in any native application or desktop React Native target; those embedders are affected under the same condition (untrusted script). Node.js and Electron embed V8, not Hermes, and are unaffected.
- Embedded/IoT: devices that embed Hermes to run JavaScript.
4. Recommended Mitigation Strategies
Immediate Actions
- Apply the patch:
  - Rebuild or upgrade Hermes to a build that includes commit a6dcafe6ded8e61658b40f5699878cd19a481f80.
  - For React Native apps, move to a React Native release whose pinned Hermes contains the fix and ship a new app build; the engine is compiled into the app, so server-side changes cannot patch installed clients.
- Remove untrusted script from the engine:
  - Do not evaluate JavaScript that did not ship in the app's own bundle. Where remote code loading is a product requirement (over-the-air updates, plugins), sign each bundle and verify the signature in native code before evaluation, and pin TLS for the download channel.
  - Browser controls such as Content Security Policy and Web Workers do not exist in Hermes; the only isolation boundary available to a native embedder is a separate OS process.
  - Filtering BigInt syntax out of untrusted code is not a mitigation: the trigger is ordinary language syntax and can be reconstructed at runtime (for example through Function() or computed property names).
- Memory protections:
  - ASLR and DEP/NX are on by default on Android and iOS; make sure custom native embedders do not disable them and are built as position-independent code.
  - Use Pointer Authentication (arm64e on iOS) and Control-Flow Integrity where the toolchain supports them; they raise the cost of turning the write into a control-flow hijack but do not remove the bug.
Long-Term Defenses
- Code auditing:
  - Audit all JavaScript execution paths in React Native apps for dynamic code evaluation (eval(), Function(), new Function()) and for any code that fetches script and evaluates it.
  - Use static analysis to flag these patterns (ESLint's no-eval and no-new-func rules, a Semgrep rule for eval/Function calls) and gate builds on the results.
- Runtime visibility:
  - Collect native crash reports (SIGSEGV/SIGBUS inside the Hermes library) so failed memory-corruption attempts surface as crashes rather than disappearing.
  - Run untrusted logic out of process or server-side rather than inside the app's engine; runtime self-protection products cannot make an unpatched engine safe.
- Dependency management:
  - Track the Hermes commit bundled in each release and follow the facebook/hermes and React Native security advisories.
  - Use dependency scanning (Dependabot, Snyk) so a React Native upgrade that carries an engine fix is not missed.
5. Impact on the Cybersecurity Landscape
Broader Implications
- React Native ecosystem risk: most React Native apps are not affected, but the bug shows where the trust boundary sits. An app that evaluates script from a server, a user or a third party is exposing its engine to attacker-controlled input, and engine bugs then become native code execution. Developers must reassess that boundary in hybrid apps (web views, third-party scripts, over-the-air code).
- JavaScript engine security: Hermes joins V8, JavaScriptCore and SpiderMonkey in having shipped a critical memory-corruption flaw. Engines are written in C++ for performance; memory-safe languages and hardened allocators reduce, but do not remove, this class of bug.
- Supply chain threats: the realistic supply-chain path is a dependency that fetches and evaluates code at runtime, which converts a compromise of that dependency's server into native code execution. Software composition analysis (SCA) should flag such dependencies, not only known-vulnerable versions.
- Exploitation in the wild: as of the analysis date, no in-the-wild exploitation has been reported. The critical score reflects the impact once the preconditions hold; the population of apps that meet them is small but includes high-value targets (financial and healthcare apps with remote code-loading features).
Comparison to Similar Vulnerabilities
| Vulnerability | Engine | Root Cause | CVSS | Exploitation |
|---|---|---|---|---|
| CVE-2023-23556 | Hermes | BigInt-to-Number OOB write | 9.8 | ACE via untrusted JS fed to the engine |
| CVE-2021-30563 | V8 | Type confusion in TurboFan (JIT) | 8.8 | ACE via a malicious web page; exploited in the wild |
The comparison also shows the difference in exposure: a V8 bug is reachable from any web page a browser visits, whereas this Hermes bug requires an app that evaluates untrusted script, which is why the attack surface is far smaller despite the higher score.
6. Technical Details for Security Professionals
Vulnerability Mechanics
- BigInt-to-Number conversion flow:
  - Hermes stores a BigInt as an array of fixed-width machine-word digits ("limbs") in a garbage-collected heap cell.
  - Converting to a Number means selecting the top 53 significant bits, rounding to nearest-even and assembling an IEEE 754 double with the right exponent; only a bounded amount of the BigInt's data is needed for this.
  - The advisory states that this conversion performed an out-of-bounds write for some inputs, meaning the routine wrote outside the buffer it was using; the exact buffer and the triggering magnitude are not published.
- Memory corruption:
  - A heap out-of-bounds write overwrites whatever is adjacent: other engine heap cells (object headers, array lengths, pointers) or allocator metadata, depending on where the overrun buffer lives.
  - Stack return addresses are not reachable from a heap overrun, and Hermes production builds contain no JIT code region; control-flow hijack has to go through a corrupted pointer in heap data.
- Exploitation primitives, in the order an exploit would build them:
  - Relative write: the raw overrun, useful only once the heap layout is controlled.
  - Information leak: corrupt an object's length or data pointer so that script can read out of bounds and recover addresses, defeating ASLR.
  - Arbitrary read/write: corrupt a pointer field so that later script accesses go to chosen addresses, then overwrite a function pointer to redirect execution.
Proof-of-Concept (PoC) Considerations
No public PoC or trigger value has been released. A working exploit would need, in this order:
- A memory leak: groom the engine heap (allocate many same-sized objects around the overrun buffer), trigger the write so that it corrupts a neighbouring object's length or pointer field, then read out of bounds from script to recover heap and library addresses.
- An arbitrary write: extend the corrupted object into a read/write primitive and overwrite a function pointer, for example a C++ vtable pointer in a native object reachable from script. GOT entries are read-only under full RELRO on current Android and are not a target there.
- Mitigation bypasses: ASLR falls to the leak above; DEP/NX requires a ROP chain or calls into existing native functions rather than injected shellcode; PAC (arm64e iOS) and CFI restrict which pointers can be replaced, pushing exploits toward data-only techniques or pointers those schemes do not cover.
Detection & Forensics
- Inventory:
  - Determine the Hermes commit bundled in each shipped app (React Native pins the commit per release); anything before a6dcafe6ded8e61658b40f5699878cd19a481f80 is unpatched regardless of app version strings.
  - Binary-diff patched and unpatched Hermes builds around the BigInt-to-Number conversion to establish which one a given binary contains when build metadata is unavailable.
- Dynamic analysis:
  - Differential testing: run boundary-value BigInt-to-Number conversions on the engine under test and compare with a correct reference; an AddressSanitizer build of Hermes turns a silent OOB write into an immediate report.
  - Fuzzing: mutate BigInt magnitudes under AFL++ or Honggfuzz against an ASan-instrumented build to locate the exact trigger.
- Post-exploitation indicators:
  - Crash dumps: SIGSEGV/SIGBUS inside libhermes.so (Android) or hermes.framework (iOS), especially with frames in BigInt conversion code, in apps that load remote script.
  - Behavioural anomalies: unexpected native activity from the app process (new network destinations, file access outside the app sandbox) following a script load.
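The differential-testing step above is what a practitioner actually runs. The following is an added example, not Hermes project code and not a reproduction of the CVE trigger (which was never published): it computes a reference BigInt-to-Number result using BigInt arithmetic only, then compares it with the engine's own Number() on constructed boundary values. Run it under Node to confirm the reference, then under the Hermes CLI (`hermes probe.js`) against a build you want to check; `print` is assumed to be the Hermes CLI's output function and console.log is used elsewhere.

```javascript
// Added example, not Hermes code: differential probe for an engine's
// BigInt -> Number conversion. An ASan build of the engine under test turns
// any out-of-bounds write on these inputs into an immediate report.

// Converts a BigInt that fits in 53 bits without touching the engine's
// multi-limb path: both halves are below 2^27, so each conversion is exact
// in any implementation.
function smallToNumber(m) {
  const lo = m & ((1n << 26n) - 1n);
  const hi = m >> 26n;
  return Number(hi) * 2 ** 26 + Number(lo);
}

// Reference BigInt -> double with IEEE 754 round-half-to-even, built from
// BigInt arithmetic only so it does not depend on the code under test.
function refToNumber(b) {
  if (b === 0n) return 0;
  const neg = b < 0n;
  const m = neg ? -b : b;
  const bits = m.toString(2).length;      // index of the top set bit, plus one
  let result;
  if (bits <= 53) {
    result = smallToNumber(m);
  } else if (bits > 1024) {
    result = Infinity;                    // beyond the double exponent range
  } else {
    const shift = BigInt(bits - 53);
    let mant = m >> shift;                // top 53 bits
    const rem = m & ((1n << shift) - 1n); // discarded low bits
    const half = 1n << (shift - 1n);
    if (rem > half || (rem === half && (mant & 1n) === 1n)) mant += 1n;
    // mant <= 2^53 here; scaling by a power of two is exact, and
    // 2^53 * 2^971 overflows to Infinity exactly as IEEE 754 requires.
    result = smallToNumber(mant) * 2 ** (bits - 53);
  }
  return neg ? -result : result;
}

// Constructed boundary values: each sits where rounding or limb handling
// changes behaviour. Comments give the correct result.
const PROBES = [
  (1n << 53n) + 1n,                    // tie, rounds to even: 2^53
  (1n << 53n) + 3n,                    // rounds up: 2^53 + 4
  (1n << 64n) - 1n,                    // one full 64-bit limb, rounds to 2^64
  (1n << 64n) + 1n,                    // spills into a second limb: 2^64
  (1n << 200n) + (1n << 146n),         // below half ulp: 2^200
  (1n << 200n) + (1n << 147n) + 1n,    // above half ulp: 2^200 + 2^148
  (1n << 1024n) - (1n << 970n) - 1n,   // Number.MAX_VALUE
  (1n << 1024n) - (1n << 970n),        // midpoint above MAX_VALUE: Infinity
  (1n << 1024n),                       // Infinity
  -((1n << 1023n) + (1n << 970n)),     // negative tie, rounds to even: -2^1023
  (1n << 4096n) + 12345n,              // many limbs: Infinity
];

// Runs every probe through the engine's own Number() and reports mismatches
// (or exceptions). On a correct engine the returned array is empty.
function probe(values = PROBES) {
  const mismatches = [];
  for (const v of values) {
    const expected = refToNumber(v);
    let got;
    try {
      got = Number(v);
    } catch (e) {
      got = e;
    }
    if (!Object.is(got, expected)) {
      mismatches.push({ input: '0x' + v.toString(16), expected: String(expected), got: String(got) });
    }
  }
  return mismatches;
}

const out = typeof print === 'function' ? print : console.log;
const bad = probe();
out(bad.length === 0
  ? 'BigInt -> Number conversion: all probes agree with the reference'
  : 'MISMATCHES: ' + JSON.stringify(bad));
```

A mismatch on any probe is an engine bug, not necessarily this one; a crash or sanitizer report while running it on an unpatched build is what identifies memory corruption. Add site-specific magnitudes to PROBES when fuzzing narrows down a trigger.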
Conclusion
CVE-2023-23556 is a critical memory corruption vulnerability in the Hermes JavaScript engine, enabling arbitrary code execution when the engine is fed untrusted JavaScript. The exposed population is limited to apps that load and evaluate script at runtime, but for those apps the impact is native code execution inside the app process, so patching and closing the code-loading path both matter.
Key Takeaways for Security Teams:
- Patch Hermes (any build that includes commit a6dcafe6ded8e61658b40f5699878cd19a481f80) and ship a new app build.
- Audit React Native apps for untrusted JS execution.
- Enforce memory protections (ASLR, DEP, CFI).
- Monitor for exploitation attempts (heap corruption, unexpected crashes).
This vulnerability underscores the ongoing risks of memory-unsafe languages in JavaScript engines and the need for proactive security hardening in mobile and hybrid applications.