CVE-2019-10777

9.8 CRITICAL

📋 TL;DR

CVE-2019-10777 is a command injection vulnerability in the aws-lambda npm package: the unsanitized value of config.FunctionName is interpolated into a shell command string passed to the exec() function, allowing arbitrary command execution. This affects applications that use vulnerable versions of aws-lambda to deploy AWS Lambda functions. Attackers can execute commands on the host system with the privileges of the aws-lambda process.

💻 Affected Systems

Products:
  • aws-lambda npm package
Versions: All versions prior to 1.0.5
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when using the package's deployment functionality with user-controlled function names.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining shell access and executing arbitrary commands with the privileges of the aws-lambda process, potentially leading to data theft, lateral movement, or complete system takeover.

🟠

Likely Case

Remote code execution allowing attackers to deploy malicious Lambda functions, access AWS credentials, or compromise the deployment server.

🟢

If Mitigated

Limited impact if proper input validation and sanitization are implemented, restricting attackers to controlled function deployment only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to control the FunctionName parameter, which typically requires some level of access to the deployment system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.5

Vendor Advisory: https://github.com/serverless/aws-lambda/security/advisories/GHSA-4q6p-66m7-44mh

Restart Required: No

Instructions:

1. Update the aws-lambda package to version 1.0.5 or later using 'npm update aws-lambda'.
2. Verify the update with 'npm list aws-lambda'.
3. Test Lambda deployment functionality.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation for FunctionName parameter to only allow alphanumeric characters and hyphens.

Restrict User Input

all

Ensure FunctionName values are not derived from user-controlled sources without proper sanitization.

🧯 If You Can't Patch

  • Implement strict input validation to only allow alphanumeric characters and hyphens in FunctionName parameter
  • Run aws-lambda process with minimal privileges and in isolated containers

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list aws-lambda' to see whether the installed version is below 1.0.5.

Check Version:

npm list aws-lambda | grep aws-lambda

Verify Fix Applied:

Confirm aws-lambda version is 1.0.5 or higher with 'npm list aws-lambda'

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in system logs
  • Unexpected Lambda function deployments
  • Suspicious shell commands in deployment logs

Network Indicators:

  • Unexpected outbound connections from deployment server
  • Unusual AWS API calls

SIEM Query:

source="application_logs" AND ("exec(" OR "zipCmd" OR "FunctionName") AND suspicious_pattern
