CVE-2022-32223 Detection: New Vulnerability in Node.js

Researchers discovered that Node.js, an open source server environment, is susceptible to dynamic link library (DLL) hijacking if OpenSSL is installed on the target. The affected versions include all of the 16.x, and 14.x releases lines.

Detect CVE-2022-32223

To timely identify possible system breaches through the exploitation of the CVE-2022-32223 flaw, download a Sigma rule developed by seasoned Threat Bounty developer Sittikorn Sangrattanapitak:

Possible DLL Search Order Hijacking [CVE-2022-32223] via npm CLI (via imageload)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, CrowdStrike, Apache Kafka ksqlDB, Snowflake, Carbon Black, Securonix, and Open Distro.

The rule is aligned with MITRE ATT&CK® framework v.10, addressing the Defense Evasion tactic with Hijack Execution Flow as the main technique (T1574).

Unravel your threat hunting potential with the world’s largest and most advanced platform for collaborative cyber defense that accumulates 200,000+ context enriched detections, used by 7,000+ organizations and 28,000+ users. The content is developed by 600 Threat Bounty Program researchers and threat hunters, who actively contribute their Sigma and YARA rules to the SOC Prime Platform. Hit the Detect & Hunt button to learn more about available access options.

Leverage the biggest repository of Sigma rules enriched with comprehensive contextual information on cyber threats accessible via the industry-first search engine for Threat Hunting, Threat Detection, and Cyber Threat Intelligence. Press the Explore Threat Context button to learn more.

Detect & Hunt Explore Threat Context

CVE-2022-32223 Description

Researchers from Aqua Security have recently released a threat alert, indicating that Node.js users can be affected by a security hole that was assigned CVE-2022-32223. For the vulnerability to be exploited, the host must have two dependencies on their Windows devices: an installed OpenSSL and existing “C:\Program Files\Common Files\SSL\openssl.cnf”.

Attackers can compel a service to use a malicious DLL instead of the legitimate DLL that is anticipated if they take over one of the directories. The attack enables adversaries to escalate their privileges and establish persistence within a compromised environment.

The vulnerability was deemed to be of high severity and is now patched by the vendor. All users are therefore urged to install the latest updates.

Utilize high-fidelity alerts to identify critical security gaps for deep-dive threat investigation, at scale, with The Smoking Guns Sigma Rules list provided by SOC Prime.