Vulnerability Spotlight: SNIProxy contains remote code execution vulnerability
An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code.
Thursday, March 30, 2023 10:03
Keane O’Kelley of Cisco ASIG discovered this vulnerability.
Cisco ASIG recently discovered a remote code execution vulnerability in the SNIProxy open-source tool. The flaw is reachable only when the deployment is configured with wildcard backend hosts.
SNIProxy proxies incoming HTTP and TLS connections based on the hostname carried in the first request of the TCP session: the Host header for HTTP, and the Server Name Indication (SNI) extension of the TLS ClientHello for TLS. Because the hostname is read from the handshake before any encryption begins, the tool can route HTTPS by name without terminating TLS, and therefore without holding the site's private key or certificate.
Talos assigned the issue TALOS-2023-1731 (CVE-2023-25076). It is present only when wildcard backend hosts are configured. An attacker could exploit it by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code.
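The advisory does not publish the flawed code path, so the following is an added illustration written for this page, not code from SNIProxy or from the Talos report. It shows the two steps described above that a name-based proxy performs on attacker-controlled input: extracting the hostname from the TLS ClientHello SNI extension with bounds checks on every length field, and then forming a wildcard backend address ("hostname:port") only after confirming the name fits the destination buffer. The hostname is the one field a remote client fully controls, so both the parser cap (MAX_SNI) and the backend-buffer check are needed; the function names, the MAX_SNI value and the constructed ClientHello are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap on an accepted SNI hostname (a DNS name is at most 253 octets). */
#define MAX_SNI 253

/* Build a minimal TLS 1.2 ClientHello record carrying one server_name entry.
 * Constructed test input for this example, not a captured packet.
 * Returns the record length, or -1 if it does not fit in buf. */
int build_client_hello(const char *host, uint8_t *buf, size_t cap)
{
    size_t hlen = strlen(host);
    size_t sni_data = 2 + 1 + 2 + hlen;     /* list len, name type, name len, name */
    size_t ext_total = 4 + sni_data;         /* ext type, ext len, data */
    size_t hs_body = 2 + 32 + 1 + 4 + 2 + 2 + ext_total;
    if (hlen > 0xffff || 5 + 4 + hs_body > cap) return -1;
    uint8_t *p = buf;
    *p++ = 0x16; *p++ = 0x03; *p++ = 0x01;                         /* handshake record */
    *p++ = (uint8_t)((4 + hs_body) >> 8); *p++ = (uint8_t)(4 + hs_body);
    *p++ = 0x01;                                                    /* ClientHello */
    *p++ = (uint8_t)(hs_body >> 16); *p++ = (uint8_t)(hs_body >> 8); *p++ = (uint8_t)hs_body;
    *p++ = 0x03; *p++ = 0x03;                                       /* client version 1.2 */
    memset(p, 0x42, 32); p += 32;                                   /* fixed "random" */
    *p++ = 0x00;                                                    /* session id length */
    *p++ = 0x00; *p++ = 0x02; *p++ = 0xc0; *p++ = 0x2f;             /* one cipher suite */
    *p++ = 0x01; *p++ = 0x00;                                       /* null compression */
    *p++ = (uint8_t)(ext_total >> 8); *p++ = (uint8_t)ext_total;
    *p++ = 0x00; *p++ = 0x00;                                       /* type server_name */
    *p++ = (uint8_t)(sni_data >> 8); *p++ = (uint8_t)sni_data;
    *p++ = (uint8_t)((sni_data - 2) >> 8); *p++ = (uint8_t)(sni_data - 2);
    *p++ = 0x00;                                                    /* host_name */
    *p++ = (uint8_t)(hlen >> 8); *p++ = (uint8_t)hlen;
    memcpy(p, host, hlen); p += hlen;
    return (int)(p - buf);
}

/* Extract the SNI hostname from a ClientHello record into out (NUL-terminated).
 * Every length read from the wire is checked against the data actually present.
 * Returns name length, 0 if no server_name extension, -1 if malformed or
 * truncated, -2 if the name is longer than out can hold. */
int parse_sni(const uint8_t *buf, size_t len, char *out, size_t out_len)
{
    if (len < 5 || buf[0] != 0x16) return -1;
    size_t rec_len = (size_t)((buf[3] << 8) | buf[4]);
    if (rec_len + 5 > len) return -1;             /* record not fully received */
    len = rec_len + 5;
    size_t pos = 5;
    if (pos + 4 > len || buf[pos] != 0x01) return -1;
    pos += 4 + 2 + 32;                             /* handshake hdr, version, random */
    if (pos + 1 > len) return -1;
    pos += 1 + buf[pos];                           /* session id */
    if (pos + 2 > len) return -1;
    pos += 2 + (size_t)((buf[pos] << 8) | buf[pos + 1]);   /* cipher suites */
    if (pos + 1 > len) return -1;
    pos += 1 + buf[pos];                           /* compression methods */
    if (pos + 2 > len) return 0;                   /* no extensions block */
    size_t end = pos + 2 + (size_t)((buf[pos] << 8) | buf[pos + 1]);
    pos += 2;
    if (end > len) return -1;
    while (pos + 4 <= end) {
        unsigned type = (unsigned)((buf[pos] << 8) | buf[pos + 1]);
        size_t elen = (size_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        pos += 4;
        if (pos + elen > end) return -1;
        if (type == 0) {                           /* server_name */
            if (elen < 5 || buf[pos + 2] != 0) return -1;
            size_t nlen = (size_t)((buf[pos + 3] << 8) | buf[pos + 4]);
            if (5 + nlen > elen) return -1;
            if (nlen >= out_len) return -2;        /* refuse rather than truncate */
            memcpy(out, buf + pos + 5, nlen);
            out[nlen] = '\0';
            return (int)nlen;
        }
        pos += elen;
    }
    return 0;
}

/* Hardened wildcard-backend formation: "host:port" is written only if it fits.
 * Returns 0 on success, -1 if the result would not fit in cap bytes. */
int wildcard_backend(const char *sni, unsigned port, char *out, size_t cap)
{
    int n = snprintf(out, cap, "%s:%u", sni, port);
    if (n < 0 || (size_t)n >= cap) { if (cap) out[0] = '\0'; return -1; }
    return 0;
}

/* End-to-end check for one hostname against a backend buffer of backend_cap bytes.
 * 0 = ok, -1 = malformed, -2 = name exceeds MAX_SNI, -3 = backend buffer too small. */
int check_hostname(const char *host, size_t backend_cap)
{
    uint8_t rec[1024]; char sni[MAX_SNI + 1]; char backend[512];
    int n = build_client_hello(host, rec, sizeof rec);
    if (n < 0) return -1;
    int r = parse_sni(rec, (size_t)n, sni, sizeof sni);
    if (r < 0) return r;
    if (backend_cap > sizeof backend) backend_cap = sizeof backend;
    return wildcard_backend(sni, 443, backend, backend_cap) == 0 ? 0 : -3;
}

/* Hostname of n repeated 'a' characters (static scratch buffer). */
const char *make_name(size_t n)
{
    static char buf[600];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'a', n); buf[n] = '\0';
    return buf;
}

int main(void)
{
    printf("15-char name, 64-byte backend buffer: %d\n", check_hostname("www.example.com", 64));
    printf("119-char name, 64-byte backend buffer: %d\n", check_hostname(make_name(119), 64));
    printf("400-char name: %d\n", check_hostname(make_name(400), 512));
    return 0;
}
```

The 119-character case is the one to note: it passes the parser cap yet would overflow a 64-byte backend buffer, so the check has to sit at the point where the hostname is copied into the backend address, not only at parse time.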
Cisco Talos worked with the maintainers of SNIProxy to ensure that the issue is resolved and an update is available for affected users, in adherence to Cisco's vulnerability disclosure policy.
Talos tested and confirmed that SNIProxy version 0.6.0-2 and the SNIProxy master branch at commit 822bb80df9b7b345cc9eba55df74a07b498819ba are affected. Users running these versions are encouraged to update to a fixed release as soon as possible.
Snort rule 61474 detects exploitation attempts against this vulnerability. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.
Related news
Ubuntu Security Notice 6148-1 - It was discovered that SNI Proxy did not properly handle wildcard backend hosts. An attacker could possibly use this issue to cause a buffer overflow, resulting in a denial of service, or arbitrary code execution.
Debian Linux Security Advisory 5413-1 - An issue has been found in sniproxy, a transparent TLS and HTTP layer 4 proxy with SNI support. Due to bad handling of wildcard backend hosts, a crafted HTTP or TLS packet might lead to remote arbitrary code execution.
A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP, TLS or DTLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.