cbcvebase.
CVE-2023-25076
published 2023-03-30

CVE-2023-25076: A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit…

Priority: P2 · 71 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 65.52% (99.2th percentile)
A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP or TLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.

Affected

9 ranges
Vendor | Product | Version range | Fixed in
debian | sniproxy | < sniproxy 0.6.0-2.1 (bookworm) | sniproxy 0.6.0-2.1 (bookworm)
sniproxy | sniproxy | |
sniproxy | sniproxy | |
sniproxy | sniproxy | >= 0 < 0.6.0-2+deb11u1 | 0.6.0-2+deb11u1
sniproxy | sniproxy | >= 0 < 0.6.0-2.1 | 0.6.0-2.1
sniproxy | sniproxy | >= 0 < 0.6.0-2.1 | 0.6.0-2.1
sniproxy | sniproxy | >= 0 < 0.6.0-2.1 | 0.6.0-2.1
sniproxy_project | sniproxy | |
sniproxy_project | sniproxy | |

Detection & IOCs (extracted from sources)

version: SNIProxy 822bb80df9b7b345cc9eba55df74a07b498819ba
snort: 61474
  • Exploitation requires wildcard backend hosts to be configured in SNIProxy; traffic targeting such configurations via specially crafted HTTP or TLS packets should be flagged.
  • Monitor for anomalous or oversized hostname fields in HTTP requests and TLS ClientHello SNI extensions directed at SNIProxy instances, as the buffer overflow is triggered via the hostname in the initial TCP session request.
  • The vulnerability is only exploitable when wildcard backend hosts are configured in SNIProxy; deployments not using wildcard backend hosts are not affected.
  • Snort rule 61474 may be updated as additional vulnerability information becomes available; always reference the latest rule from Cisco Secure Firewall Management Center or Snort.org.

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL