Bug 987863 (CVE-2016-3956) - VUL-0: CVE-2016-3956: nodejs,npm: npm bearer token leak
Summary: VUL-0: CVE-2016-3956: nodejs,npm: npm bearer token leak
Status: RESOLVED FIXED
Alias: CVE-2016-3956
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Jordi Massaguer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170652/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-06 11:42 UTC by Andreas Stieger
Modified: 2016-07-06 18:05 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2016-07-06 11:42:56 UTC
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/

The primary npm registry has, since late 2014, used HTTP bearer tokens to authenticate requests from the npm command-line interface. Due to a design flaw in the CLI, these bearer tokens were sent with every request made by the CLI for logged-in users, regardless of the destination of the request. They should instead only be included for requests made against the registry or registries used for the current install.

This flaw allows an attacker to set up an HTTP server that could collect authentication information they could use to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages.

This flaw has been fixed in npm@2.15.1 (npm LTS) and npm@3.8.3. The npm CLI team believes that the fix won't break any existing registry setups, but due to the large number of registry software suites in the wild, it's possible that this change will be breaking in some cases. If so, please file an issue describing the software you're using and how it broke, and the team will work with you to mitigate the breakage.

If you believe that your bearer token may have been leaked, it should be sufficient to invalidate your current npm bearer tokens and to rerun npm login to generate new tokens. Keep in mind that this may cause continuous integration builds in services like Travis to break, in which case you'll need to update the tokens in your CI server's configuration.

Thanks to Mitar, Will White & the team at Mapbox, Max Motovilov, and James Taylor for reporting this vulnerability to npm.

As Node.js ships with npm, releases for the active lines will be made available shortly for your convenience. Please watch the Node.js news feed for the following releases:

    v0.10 (Maintenance): Node.js v0.10.44 includes npm LTS v2.15.1. This is a major upgrade of npm from v1 which has previously been deprecated. No fix is being made available for npm v1, please upgrade to npm v2 as soon as possible.
    v0.12 (LTS): Node.js v0.12.13 includes npm LTS v2.15.1.
    v4 (LTS "Argon"): Node.js v4.4.2 includes npm LTS v2.15.1.
    v5 (Stable): Node.js v5.10.0 includes npm v3.8.3.


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3956
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/
https://github.com/npm/npm/issues/8380
http://www-01.ibm.com/support/docview.wss?uid=swg21980827
http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3956
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3956.html
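The design flaw described in the advisory above is a scoping problem: the CLI attached the registry's bearer token to every outgoing request instead of only to requests for the registry itself. The following is an added illustration, not npm's own code and not the actual fix shipped in npm@2.15.1 / npm@3.8.3. It models the leaky policy beside a hardened one that releases the token only to the configured registry's origin (scheme, host and port all matching), and runs both over a constructed set of request URLs. The registry URL, token value and sample URLs are all assumed placeholders.

```javascript
// Added example (not npm's own code): decide whether an npm-style bearer
// token may be attached to an outgoing request. Before the fix described
// in the advisory, the CLI attached the token to every request; the
// hardened rule attaches it only when the request targets the configured
// registry's origin.

const REGISTRY = 'https://registry.npmjs.org/'; // assumed registry URL
const TOKEN = 'npm_EXAMPLE_TOKEN_0000';         // constructed placeholder, not a real token

// Origin = scheme + host + port. The WHATWG URL parser normalises a default
// port (443 for https) to '', so "https://host:443/" and "https://host/"
// compare equal here.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol &&
         ua.hostname === ub.hostname &&
         ua.port === ub.port;
}

// Leaky policy (a model of the pre-fix CLI behaviour): the bearer token is
// sent regardless of destination.
function headersLeaky(requestUrl, token) {
  return { Authorization: 'Bearer ' + token };
}

// Scoped policy: the token is sent only to the registry's own origin.
// A plain-http URL on the registry host is deliberately excluded as well,
// since its origin differs from the https registry origin.
function headersScoped(requestUrl, registryUrl, token) {
  const headers = {};
  if (sameOrigin(requestUrl, registryUrl)) {
    headers.Authorization = 'Bearer ' + token;
  }
  return headers;
}

// Constructed sample requests: a registry metadata fetch, a tarball hosted
// on the registry, a dependency whose tarball lives on an unrelated host
// (the case in which the old CLI leaked the token), and a same-host URL
// over plain http.
const REQUESTS = [
  'https://registry.npmjs.org/left-pad',
  'https://registry.npmjs.org/left-pad/-/left-pad-1.0.0.tgz',
  'https://tarballs.example.test/some-dep-1.2.3.tgz',
  'http://registry.npmjs.org/left-pad',
];

// Returns the subset of REQUESTS that would carry the token under the given
// policy ('leaky' or 'scoped').
function leakedTo(policy) {
  return REQUESTS.filter((url) => {
    const h = policy === 'leaky'
      ? headersLeaky(url, TOKEN)
      : headersScoped(url, REGISTRY, TOKEN);
    return Object.prototype.hasOwnProperty.call(h, 'Authorization');
  });
}

console.log('token sent by leaky policy to: ', leakedTo('leaky'));
console.log('token sent by scoped policy to:', leakedTo('scoped'));
```

Run with `node` on any version that provides the global `URL` class (Node 10 and later). The scoped policy releases the token for the two registry URLs only; the third-party tarball host and the plain-http URL receive no Authorization header, which is the property the advisory's fix restores.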
Comment 4 Andreas Stieger 2016-07-06 11:57:54 UTC
13.2 already fixed.
openSUSE Leap 42.1 already fixed.