# [CRIT] Weak Hash vulnerability discovered in crypto-js and crypto-es (CVE-2023-46233 & CVE-2023-46133) **Source:** Snyk **Published:** 2023-10-25 **Article:** https://snyk.io/blog/weak-hash-vulnerability-crypto-js-crypto-es/ ## Threat Profile Snyk Blog In this article Written by Jamie Smith October 25, 2023 0 mins read On October 18, security researcher Zemnmez began the process of responsibly disclosing a "Use of Weak Hash" vulnerability that they found in crypto-js , an open source JavaScript library of crypto standards, for which maintenance has been discontinued. The vulnerability also impacts the crypto-es package (for ES6 and TypeScript), and the researcher has opened a similar issue requesting that the maintainers enable priv… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2023-46233` - **CVE:** `CVE-2023-46133` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1552.001** — Unsecured Credentials: Credentials In Files - **T1110.002** — Brute Force: Password Cracking ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Assets running vulnerable crypto-js (<4.2.0) or crypto-es (<2.1.0) — CVE-2023-46233 / CVE-2023-46133 `UC_1349_2` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where (Vulnerabilities.signature IN ("CVE-2023-46233","CVE-2023-46133") OR Vulnerabilities.cve IN ("CVE-2023-46233","CVE-2023-46133")) by Vulnerabilities.dest Vulnerabilities.signature Vulnerabilities.severity Vulnerabilities.category Vulnerabilities.vendor_product | `drop_dm_object_name(Vulnerabilities)` | eval package=case(signature=="CVE-2023-46233","crypto-js (<4.2.0)", signature=="CVE-2023-46133","crypto-es (<2.1.0)", true(),"unknown") | convert ctime(firstTime) ctime(lastTime) | sort - lastTime ``` **Defender KQL:** ```kql DeviceTvmSoftwareVulnerabilities | where CveId in ("CVE-2023-46233", "CVE-2023-46133") | where SoftwareName has_any ("crypto-js", "crypto-es") | extend FixedVersion = iff(CveId == "CVE-2023-46233", "4.2.0", "2.1.0") | join kind=leftouter (DeviceInfo | summarize arg_max(Timestamp, DeviceCategory, OSPlatform, PublicIP, LoggedOnUsers) by DeviceId) on DeviceId | project Timestamp, DeviceName, DeviceId, OSPlatform, SoftwareVendor, SoftwareName, InstalledVersion=SoftwareVersion, CveId, FixedVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, LoggedOnUsers | order by Timestamp desc ``` ### Article-specific behavioural hunt — Weak Hash vulnerability discovered in crypto-js and crypto-es (CVE-2023-46233 & `UC_1349_1` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — Weak Hash vulnerability discovered in crypto-js and crypto-es (CVE-2023-46233 & ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("node.js")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("node.js")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — Weak Hash vulnerability discovered in crypto-js and crypto-es (CVE-2023-46233 & // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("node.js")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("node.js")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2023-46233`, `CVE-2023-46133` ## Why this matters Severity classified as **CRIT** based on: CVE present, 3 use case(s) fired, 4 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.