CVE-2023-25076: Critical Buffer Overflow Vulnerability in SNIProxy
Security vulnerabilities pose a constant challenge to software developers and organizations alike. The recently discovered CVE-2023-25076, a critical buffer overflow vulnerability in SNIProxy, has raised concerns among those relying on the open-source application.
SNIProxy
SNIProxy is an open-source application that reverses proxies HTTP and TLS connections based on the requested hostname. Distributed via package managers on several Linux distributions, SNIProxy is widely used for its efficient handling of connections. However, recent findings have revealed a significant vulnerability in its code that could lead to remote code execution or denial of service.
Image: skylime
CVE-2023-25076 (CVSS score of 9.8) – The buffer overflow Vulnerability
When wildcard backend hosts are used in SNIProxy configuration, an attacker can exploit the buffer overflow vulnerability by sending a crafted HTTP, TLS, or DTLS packet. This issue affects the latest version on GitHub, the 0.6.0-2 Debian package, and potentially several forks of the original repository.
How the Vulnerability Occurs
The new_address() function in SNIProxy is responsible for parsing addresses and hostnames, usually obtained from the HTTP Host header or a TLS server name indication (SNI) extension header. SNIProxy does not utilize external libraries for parsing TLS header values, leading to the possibility of parsing longer values than usual.
The buffer overflow arises in the new_address() function when parsing IPv6 address strings. The source length, rather than the destination length, is used in a string copy when copying into a stack buffer of size 262. This results in the strncpy call overflowing the ip_buf buffer and causing a stack buffer overflow.
Mitigation Strategy:
To address this critical vulnerability, a patch has been suggested for the affected code in the new_address() function in address.c. The patch prevents the string copy from overflowing the destination and ensures that the resultant buffer is null-terminated:
