Vulnerability Spotlight: SNIProxy contains remote code execution vulnerability

Thursday, March 30, 2023 10:03

Keane O’Kelley of Cisco ASIG discovered this vulnerability.

Cisco ASIG recently discovered a remote code execution vulnerability in the SNIProxy open-source tool that occurs when the user utilizes wildcard backend hosts.

SNIProxy proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This open-source tool allows for users to carry out name-based proxying of HTTPS without decrypting traffic or needing a key or certificate.

Talos discovered a remote code execution vulnerability (TALOS-2023-1731/CVE-2023-25076) that exists if the user is utilizing wildcard backend hosts when configuring SNIProxy. An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code.

Cisco Talos worked with the managers of SNIProxy to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: SNIProxy version 0.6.0-2 and SNIProxy Master, version 822bb80df9b7b345cc9eba55df74a07b498819ba. Talos tested and confirmed these versions of the open-source tool could be exploited by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability:
61474. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.