CVE-2024-24806: Critical SSRF Flaw Found in libuv – a Multi-Platform C Library

libuv is one such thread, a versatile C library that underpins the asynchronous heartbeat of applications far and wide, from the bustling event loops of Node.js to the quiet efficiency of various software projects. Its capability to bridge diverse I/O mechanisms – epoll, kqueue, Windows IOCP, Solaris event ports, and Linux io_uring – has made it a top choice in the realm of asynchronous operations. Yet, even giants have their Achilles’ heel, as revealed by the discovery of CVE-2024-24806.

CVE-2024-24806, with a CVSS score of 7.3, exposes a server-side request forgery (SSRF) vulnerability within the very core of libuv, specifically within its `uv_getaddrinfo` function. This function, tasked with the translation of hostnames to addresses, falters in its handling of hostnames exceeding 256 characters. The truncation of these hostnames, intended as a safeguard, inadvertently becomes a trojan horse, allowing attackers to craft payloads that veer off the intended path, resolving to IP addresses that lay bare the internal workings of an application.

This vulnerability, present in versions beyond 1.45.x and addressed in version v1.48.0, hinges on the precarious manipulation of the `hostname_ascii` variable. The flaw’s essence lies not in the act of truncation itself but in the omission of a terminating null byte, creating a scenario ripe for exploitation under varying build and runtime environments. The implications are as diverse as they are alarming:

  1. A False Sense of Security: In certain Node.js builds, such as those accompanying Kali Linux distributions, the memory adjacent to the truncated hostname conveniently harbors a null byte, unwittingly rendering the malformed hostname valid.
  2. A Game of Chance: Other environments present a scenario where the hostname’s final byte, by some quirk of fate, aligns with a subsequent null byte, creating a predictable pattern that can be brute-forced, especially in the production environments running parallel Node.js instances.
  3. A Narrow Window: The randomness of the last byte, in certain cases, aligns with hexadecimal characters, opening a sliver of opportunity for targeting localhost addresses or other specific IP ranges, effectively sidestepping internal security protocols.

The implications of CVE-2024-24806 stretch far beyond the confines of technical jargon, manifesting in real-world scenarios that underscore the vulnerability’s severity:

  • Internal API Exposure: In the orchestrated dance of Kubernetes pods, this flaw potentially allows unauthorized access to internal APIs.
  • SSRF Attack Vector: The vulnerability crafts a launching pad for SSRF attacks, exploiting the trust placed in internal services to crawl or cache user-generated content.