Denial-of-Service disclosure for Meteor APM/Kadira agent

Meteor developers should be aware of a recently discovered security vulnerability. Please read this disclosure for full details and consult the Resolution section for the appropriate fix.

Description

A remotely-executable Denial-of-Service (DoS) attack has been discovered which affects applications utilizing Meteor Application Performance Monitoring (“APM”; formerly “Kadira”) through use of the mdg:meteor-apm-agent package or any similar “agent” package based on the original meteorhacks:kadira package, which transmit performance metrics to Galaxy Meteor APM, NodeChef Meteor APM, and similar services.

This vulnerability has been patched in the mdg:meteor-apm-agent package, which is maintained by Meteor Development Group; however, packages maintained by other parties may need to be patched. Please see the Resolution section below for an update which will prevent the attack.

Impact

While a default Meteor configuration using Meteor’s core packages is not automatically vulnerable, the attack becomes possible when certain Meteor packages are installed. Such packages include, but are not limited to:

When a vulnerable version of an affected package is installed (whether or not it is configured), the attack payload can be delivered remotely. After the payload has been delivered, the application is likely to become unresponsive and will need to be restarted.

Additionally, after the attack, newly constructed JavaScript Objects might receive additional properties which would not normally have been present. These properties include: async, compute, count, db, email, errors, fetchedDocSize, http, sentMsgSize, total, and wait. Assertions or logic not expecting these additional object properties may raise errors or cause unpredictable behavior, including pollution of data and loss of APM data.

If an application does not use an affected package, we have no evidence the attack is possible.

Resolution

Any application using an affected package should update to a patched version. Two of the most common packages have already had the vulnerability patched, and their update instructions are included here for convenience.

Applications using mdg:meteor-apm-agent

The vulnerability has been fixed in version 3.1.1 of the mdg:meteor-apm-agent package. The command to update and patch the vulnerability is:

meteor update mdg:meteor-apm-agent

Applications using meteorhacks:kadira

We were not able to coordinate publishing of a patched version of the meteorhacks:kadira package with the package owner. Therefore, due to the popularity of this package, and with the best interest of the Meteor community in mind, Meteor Development Group has decided to publish a patched version of the meteorhacks:kadira package, without relying on the package author to do so.

Because of this action, the vulnerability has been fixed in version 2.30.4 of the meteorhacks:kadira package. The command to update and patch the vulnerability is:

meteor update meteorhacks:kadira

To review the changes we published, please consult the pull-request we submitted to the meteorhacks:kadira GitHub repository, which can be seen here.

Applications using other APM “agent” packages

Application developers should confirm that the package they are using has received the appropriate patch and update to the patched version of that package by using:

meteor update <package-name>

Maintainers of APM “agent” packages

Any package which was forked from meteorhacks:kadira should be patched. Maintainers of such packages should review the pull-request we submitted to the meteorhacks:kadira GitHub repository, which can be found here.

The changes supplied in that pull-request should be applied to the package source of the forked package, and the patched package should be republished using meteor publish. Once republished, any application using the package should be updated to the newly published version, using the above command.

Verification

After running the appropriate meteor update command, developers should verify that the latest version of the affected package was installed, either by examining the output of the command or by inspecting the application’s .meteor/versions file.

Credit

Meteor believes in responsible disclosure of security vulnerabilities. We respect the hard work of security researchers who privately notify us with vulnerability details and appreciate that they provide us time to address and resolve vulnerabilities prior to disclosing them publicly.

Credit for the discovery of this vulnerability goes to Adam Baldwin from Lift Security and Juho Hietala from Pacific Reach Advisors, Inc., who reported this issue to Meteor.

Please contact security@meteor.com to report a vulnerability in Meteor.


We’ll be actively monitoring this thread. Please keep your responses on-topic and helpful.

15 Likes
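The Verification step above tells developers to inspect .meteor/versions; as an added example (not code from the advisory or from either agent package), the JavaScript below checks a versions file against the patched releases named in this disclosure and adds a runtime check for the object properties listed under Impact. The package names, version numbers and property names come from the post; the sample file contents are constructed.

```javascript
// Minimum patched versions stated in the advisory.
const PATCHED = { "mdg:meteor-apm-agent": "3.1.1", "meteorhacks:kadira": "2.30.4" };

// Property names the advisory says appear on new objects after the attack.
const POLLUTION_MARKERS = ["async", "compute", "count", "db", "email", "errors",
  "fetchedDocSize", "http", "sentMsgSize", "total", "wait"];

// Numeric comparison of dotted versions, so 2.30.4 sorts above 2.9.0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// versionsText: contents of .meteor/versions, one "package@version" per line.
// Returns { name, version, required } for every agent package still unpatched.
function checkAgentVersions(versionsText) {
  const findings = [];
  for (const raw of versionsText.split("\n")) {
    const line = raw.trim(), at = line.lastIndexOf("@");
    if (!line || at < 0) continue;
    const name = line.slice(0, at), version = line.slice(at + 1);
    const required = PATCHED[name];
    if (required && compareVersions(version, required) < 0) {
      findings.push({ name, version, required });
    }
  }
  return findings;
}

// Marker names a fresh object inherits. Empty on a healthy process, so a
// non-empty result is a cheap health-check signal for the symptom under Impact.
function pollutedMarkers(obj = {}) {
  return POLLUTION_MARKERS.filter((k) => k in obj);
}

// Constructed sample of a .meteor/versions file (not real project data).
const SAMPLE_VERSIONS = `
accounts-base@1.3.6
mdg:meteor-apm-agent@3.0.0
meteorhacks:kadira@2.30.4
webapp@1.3.19
`;

console.log(checkAgentVersions(SAMPLE_VERSIONS), pollutedMarkers());
```

Run pollutedMarkers() from a health endpoint or startup hook of the app; it flags only the inherited properties the advisory describes, not a specific attack path.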

Thanks to the Meteor security team for taking action on this quickly after we reported it. :clap:

11 Likes

Thank you Meteor team! While attempting to update the mdg:meteor-apm-agent package, it prompted an incompatible update requirement. Was this the right course of action for my app? My app is running fine after these updates, but I’m unsure if the upgrade then downgrade looks right.

Chronology

  1. Ran meteor update --patch: Upgraded from 1.5.2.2 => 1.5.4.1
  2. Result:
Changes to your project's package version selections from updating the release:

accounts-base              upgraded from 1.3.4 to 1.4.0
accounts-facebook          upgraded from 1.2.1 to 1.3.0
accounts-google            upgraded from 1.2.0 to 1.3.0
accounts-password          upgraded from 1.4.1 to 1.5.0
allow-deny                 upgraded from 1.0.9 to 1.1.0
appcache                   upgraded from 1.0.12 to 1.1.0
babel-compiler             upgraded from 6.20.0 to 6.24.7
babel-runtime              upgraded from 1.0.1 to 1.1.1
boilerplate-generator      upgraded from 1.2.0 to 1.3.0
ddp                        upgraded from 1.3.1 to 1.4.0
ddp-client                 upgraded from 2.1.3 to 2.2.0
ddp-common                 upgraded from 1.2.9 to 1.3.0
ddp-server                 upgraded from 2.0.2 to 2.1.0
dynamic-import             upgraded from 0.1.3 to 0.2.0
ecmascript                 upgraded from 0.8.3 to 0.9.0
ecmascript-runtime         upgraded from 0.4.1 to 0.5.0
ecmascript-runtime-client  upgraded from 0.4.3 to 0.5.0
ecmascript-runtime-server  upgraded from 0.4.1 to 0.5.0
ejson                      upgraded from 1.0.14 to 1.1.0
facebook-oauth             upgraded from 1.3.2 to 1.4.0
force-ssl                  upgraded from 1.0.15 to 1.1.0
force-ssl-common           upgraded from 1.0.15 to 1.1.0
http                       upgraded from 1.2.12 to 1.3.0
localstorage               upgraded from 1.1.1 to 1.2.0
logging                    upgraded from 1.1.17 to 1.1.19
meteor                     upgraded from 1.7.2 to 1.8.0
meteor-base                upgraded from 1.1.0 to 1.2.0
minimongo                  upgraded from 1.3.3 to 1.4.0
modules                    upgraded from 0.10.0 to 0.11.0
modules-runtime            upgraded from 0.8.0 to 0.9.0
mongo                      upgraded from 1.2.2 to 1.3.1
mongo-dev-server           upgraded from 1.0.1 to 1.1.0
npm-mongo                  upgraded from 2.2.31 to 2.2.33
oauth                      upgraded from 1.1.13 to 1.2.0
oauth2                     upgraded from 1.1.11 to 1.2.0
promise                    upgraded from 0.9.0 to 0.10.0
reactive-dict              upgraded from 1.1.9 to 1.2.0
shell-server               upgraded from 0.2.4 to 0.3.0
webapp                     upgraded from 1.3.19 to 1.4.0

[APP]: updated to Meteor 1.5.4.1.
  3. Ran meteor update mdg:meteor-apm-agent
  4. Results:
=> Errors while upgrading packages:

While selecting package versions:
error: Potentially incompatible change required to top-level dependency: accounts-password 1.4.2, was 1.5.0.
Constraints on package "accounts-password":
* accounts-password@1.4.0 <- top level
* accounts-password@~1.4.0 <- top level
* accounts-password@1.1.6 <- std:accounts-ui 1.2.23

To allow potentially incompatible changes to top-level dependencies, you must pass
--allow-incompatible-update on the command line.
  5. Ran meteor update mdg:meteor-apm-agent --allow-incompatible-update
  6. Results:
Changes to your project's package version selections from updating package versions:

accounts-base              downgraded from 1.4.0 to 1.3.6
accounts-facebook          downgraded from 1.3.0 to 1.2.1
accounts-google            downgraded from 1.3.0 to 1.2.0
accounts-password          downgraded from 1.5.0 to 1.4.2
allow-deny                 downgraded from 1.1.0 to 1.0.9
appcache                   downgraded from 1.1.0 to 1.0.12
babel-compiler             downgraded from 6.24.7 to 6.20.0
babel-runtime              downgraded from 1.1.1 to 1.0.1
boilerplate-generator      downgraded from 1.3.0 to 1.2.0
ddp                        downgraded from 1.4.0 to 1.3.1
ddp-client                 downgraded from 2.2.0 to 2.1.3
ddp-common                 downgraded from 1.3.0 to 1.2.9
ddp-server                 downgraded from 2.1.0 to 2.0.2
dynamic-import             downgraded from 0.2.0 to 0.1.3
ecmascript                 downgraded from 0.9.0 to 0.8.3
ecmascript-runtime         downgraded from 0.5.0 to 0.4.1
ecmascript-runtime-client  downgraded from 0.5.0 to 0.4.3
ecmascript-runtime-server  downgraded from 0.5.0 to 0.4.1
ejson                      downgraded from 1.1.0 to 1.0.14
facebook-oauth             downgraded from 1.4.0 to 1.3.2
force-ssl                  downgraded from 1.1.0 to 1.0.15
force-ssl-common           downgraded from 1.1.0 to 1.0.15
http                       downgraded from 1.3.0 to 1.2.12
localstorage               downgraded from 1.2.0 to 1.1.1
mdg:meteor-apm-agent       upgraded from 3.0.0 to 3.1.1
meteor                     downgraded from 1.8.0 to 1.7.2
meteor-base                downgraded from 1.2.0 to 1.1.0
minimongo                  downgraded from 1.4.0 to 1.3.3
modules                    downgraded from 0.11.0 to 0.10.0
modules-runtime            downgraded from 0.9.0 to 0.8.0
mongo                      downgraded from 1.3.1 to 1.2.3
mongo-dev-server           downgraded from 1.1.0 to 1.0.1
oauth                      downgraded from 1.2.0 to 1.1.13
oauth2                     downgraded from 1.2.0 to 1.1.11
promise                    downgraded from 0.10.0 to 0.9.0
reactive-dict              downgraded from 1.2.0 to 1.1.9
shell-server               downgraded from 0.3.0 to 0.2.4
webapp                     downgraded from 1.4.0 to 1.3.19

Thank you!

Can you confirm what the contents of your .meteor/release file are now?

I don’t see a reason for so many packages being downgraded, as most of those packages have nothing to do with mdg:meteor-apm-agent. Analyzing it more, in your first update block, where you mention:

Ran meteor update --patch: Upgraded from 1.5.2.2 => 1.5.4.1

This seems to yield version bumps which shouldn’t occur during an upgrade to 1.5.4.1. For example, the target versions (minimongo@1.4.0, babel-compiler@6.24.7, and so on—though I haven’t compared them all) were released with Meteor 1.6, not Meteor 1.5.4.1. Is it possible that you first upgraded to Meteor 1.6.x (maybe with just meteor update, instead of meteor update --patch)?

If your application is working and your .meteor/release file says METEOR@1.5.4.1, the versions you listed in the second block (where you see the variety of downgraded from messages) do look correct. For example, meteor-base@1.1.0 and meteor@1.7.2 were released with Meteor 1.5.4.1. And most importantly, you’re running mdg:meteor-apm-agent@3.1.1, so you’ve patched the vulnerability.

1 Like

Hi @abernix, thanks for the reply. I didn’t upgrade to 1.6 before and I only ran meteor update --patch so the version bumps seem quizzical. But yes, my .meteor/release file says METEOR@1.5.4.1 so if the downgraded packages seem fine to you, then I guess this is a pass in my books!

Anything else I should be concerned with regarding the version bumps?

Everything else looks okay to me!

1 Like

Perfect, thank you @abernix for your help!