CVE-2022-29354
📋 TL;DR
CVE-2022-29354 is an arbitrary file upload vulnerability in Keystone v4.2.1 that allows attackers to upload malicious files and execute arbitrary code on the server. This affects any system running the vulnerable Keystone version with the file upload module enabled. Attackers can achieve remote code execution by uploading crafted files.
💻 Affected Systems
- Keystone
📦 What is this software?
Keystone by Keystonejs
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the server, data exfiltration, and lateral movement within the network.
Likely Case
Webshell deployment leading to persistent access, data theft, and potential ransomware deployment.
If Mitigated
File upload attempts blocked at the web application firewall level with no successful exploitation.
🎯 Exploit Status
The vulnerability is straightforward to exploit - attackers simply need to craft a malicious file and upload it through the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.2.2 or later
Vendor Advisory: https://github.com/keystonejs/keystone/releases/tag/v4.2.2
Restart Required: Yes
Instructions:
1. Backup your Keystone database and configuration.
2. Update Keystone to version 4.2.2 or later using npm: 'npm update keystone@4.2.2'.
3. Restart the Keystone application service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable file upload module
Temporarily disable the vulnerable file upload functionality until patching is possible.
Comment out or remove file upload routes in your Keystone configuration
Implement file type validation
Add strict file type validation to only allow specific safe file extensions.
Implement server-side validation to only accept .jpg, .png, .pdf, etc.
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with rules to block malicious file uploads
- Isolate the Keystone instance in a DMZ with strict network segmentation
🔍 How to Verify
Check if Vulnerable:
Check your Keystone version in package.json or via 'npm list keystone'. If version is exactly 4.2.1 and file upload module is enabled, you are vulnerable.
Check Version:
npm list keystone | grep keystone
Verify Fix Applied:
After updating, verify version is 4.2.2 or later using 'npm list keystone'. Test file upload functionality with various file types to ensure proper validation.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with suspicious extensions (.php, .jsp, .asp)
- Multiple failed upload attempts followed by successful upload
- Webshell access patterns in access logs
Network Indicators:
- POST requests to file upload endpoints with unusual payloads
- Outbound connections from the Keystone server to unknown IPs
SIEM Query:
source="keystone.log" AND ("file upload" OR "upload") AND (status=200 OR status=201) AND (extension="php" OR extension="jsp" OR extension="asp")