📄 Description (English)
Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
🤖 AI Executive Summary
Hashgraph Guardian versions up to 3.5.0 contain a critical unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code and access sensitive credentials including RSA private keys and JWT signing keys. This vulnerability enables privilege escalation to administrator accounts and complete compromise of Guardian deployments. No patch is currently available, requiring immediate compensating controls.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 09:43
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations utilizing Hashgraph Guardian for regulatory compliance, supply chain management, or digital identity systems face critical risk. Primary impact sectors include: (1) SAMA-regulated financial institutions using Guardian for blockchain-based settlement and compliance reporting; (2) Government entities (NCA, CITC) deploying Guardian for digital transformation and e-governance; (3) Healthcare sector using Guardian for medical records and pharmaceutical supply chain tracking; (4) Energy sector (ARAMCO, SEC) leveraging Guardian for asset management and compliance; (5) Telecom operators (STC, Mobily) implementing Guardian for identity verification and regulatory reporting. Compromise enables credential theft, unauthorized policy modifications, and complete loss of system integrity.
🏢 Affected Saudi Sectors
Banking and Financial Services (SAMA-regulated)
Government and Public Administration (NCA, CITC)
Healthcare and Pharmaceuticals
Energy and Utilities (ARAMCO, SEC)
Telecommunications (STC, Mobily)
Supply Chain and Logistics
Digital Identity and E-Governance
🎯 MITRE ATT&CK Techniques
T1059.007 - Command and Scripting Interpreter: JavaScript/Node.js
T1190 - Exploit Public-Facing Application
T1110 - Brute Force
T1555 - Credentials from Password Stores
T1552.001 - Unsecured Credentials: Credentials In Files
T1552.007 - Unsecured Credentials: Container API
T1134.005 - Access Token Manipulation: Token Impersonation/Theft
T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt
T1087 - Account Discovery
T1078 - Valid Accounts
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all Standard Registry user accounts with access to Custom Logic policy blocks and review their recent activities
2. Disable or restrict access to Custom Logic policy block functionality until patch is available
3. Implement network segmentation to limit Guardian instance access to trusted networks only
4. Rotate all sensitive credentials (RSA private keys, JWT signing keys, API tokens) stored in Guardian environment variables
5. Review and revoke any suspicious authentication tokens issued during the vulnerability window
COMPENSATING CONTROLS:
6. Implement strict input validation and sanitization for all policy block parameters
7. Deploy Web Application Firewall (WAF) rules to detect and block suspicious JavaScript patterns in policy submissions
8. Enable comprehensive audit logging for all policy block executions with real-time alerting
9. Implement role-based access control (RBAC) to restrict Custom Logic policy block access to minimal required users
10. Deploy container runtime security monitoring to detect unauthorized file access and process execution
11. Use secrets management solutions (HashiCorp Vault, AWS Secrets Manager) instead of environment variables for credential storage
12. Implement network policies to restrict outbound connections from Guardian containers
DETECTION RULES:
13. Monitor for Function() constructor usage in policy submissions
14. Alert on require() or import statements attempting to load native Node.js modules
15. Track access to /proc/self/environ and filesystem paths containing credentials
16. Monitor for JWT token generation outside normal authentication flows
17. Implement YARA rules to detect obfuscated JavaScript patterns in policy blocks
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع حسابات مستخدمي Standard Registry التي لديها وصول إلى كتل Custom Logic policy ومراجعة أنشطتهم الأخيرة
2. تعطيل أو تقييد الوصول إلى وظيفة Custom Logic policy block حتى يتوفر التصحيح
3. تطبيق تقسيم الشبكة لتحديد وصول نسخة Guardian إلى الشبكات الموثوقة فقط
4. تدوير جميع بيانات الاعتماد الحساسة (مفاتيح RSA الخاصة، مفاتيح توقيع JWT، رموز API) المخزنة في متغيرات بيئة Guardian
5. مراجعة وإلغاء أي رموز مصادقة مريبة صادرة خلال نافذة الثغرة
الضوابط التعويضية:
6. تطبيق التحقق من صحة المدخلات والتطهير الصارم لجميع معاملات كتل السياسة
7. نشر قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن أنماط JavaScript المريبة وحجبها
8. تفعيل تسجيل التدقيق الشامل لجميع عمليات تنفيذ كتل السياسة مع التنبيهات في الوقت الفعلي
9. تطبيق التحكم في الوصول القائم على الأدوار (RBAC) لتقييد وصول Custom Logic policy block للمستخدمين الضروريين فقط
10. نشر مراقبة أمان وقت تشغيل الحاوية للكشف عن الوصول غير المصرح إلى الملفات وتنفيذ العمليات
11. استخدام حلول إدارة الأسرار (HashiCorp Vault، AWS Secrets Manager) بدلاً من متغيرات البيئة لتخزين بيانات الاعتماد
12. تطبيق سياسات الشبكة لتقييد الاتصالات الصادرة من حاويات Guardian
قواعد الكشف:
13. مراقبة استخدام منشئ Function() في عمليات إرسال السياسة
14. التنبيه على عبارات require() أو import التي تحاول تحميل وحدات Node.js الأصلية
15. تتبع الوصول إلى /proc/self/environ ومسارات نظام الملفات التي تحتوي على بيانات اعتماد
16. مراقبة توليد رموز JWT خارج تدفقات المصادقة العادية
17. تطبيق قواعد YARA للكشف عن أنماط JavaScript المشفرة في كتل السياسة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control and Authentication
ECC 2024 A.5.2.1 - User Access Management
ECC 2024 A.6.1.1 - Cryptographic Controls
ECC 2024 A.8.1.1 - Audit and Accountability
ECC 2024 A.8.2.1 - System Monitoring and Logging
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software, hardware, and firmware inventory
SAMA CSF PR.AC-1 - Identities and credentials are issued and managed
SAMA CSF PR.AC-4 - Access rights are managed
SAMA CSF DE.CM-1 - The network is monitored for unauthorized connections
SAMA CSF DE.CM-3 - Personnel activity is monitored
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - User access management
ISO 27001:2022 A.5.3 - Access control
ISO 27001:2022 A.8.1 - User endpoint devices
ISO 27001:2022 A.8.2 - Privileged access rights
ISO 27001:2022 A.8.3 - Information access restriction
ISO 27001:2022 A.12.4 - Logging
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Restrict access to system components
PCI DSS 6.5.1 - Injection flaws
PCI DSS 7.1 - Limit access to system components
PCI DSS 10.2 - Implement automated audit trails