CVE-2023-25076
Published: 2023-03-30
CVE-2023-25076: A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit…
Priority: P271 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 65.52% (99.2nd percentile)
A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP or TLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | sniproxy | < sniproxy 0.6.0-2.1 (bookworm) | sniproxy 0.6.0-2.1 (bookworm) |
| sniproxy | sniproxy | — | — |
| sniproxy | sniproxy | — | — |
| sniproxy | sniproxy | >= 0 < 0.6.0-2+deb11u1 | 0.6.0-2+deb11u1 |
| sniproxy | sniproxy | >= 0 < 0.6.0-2.1 | 0.6.0-2.1 |
| sniproxy | sniproxy | >= 0 < 0.6.0-2.1 | 0.6.0-2.1 |
| sniproxy | sniproxy | >= 0 < 0.6.0-2.1 | 0.6.0-2.1 |
| sniproxy_project | sniproxy | — | — |
| sniproxy_project | sniproxy | — | — |
Detection & IOCs (extracted from sources)
Snort rule 61474
- Exploitation requires wildcard backend hosts to be configured in SNIProxy; traffic targeting such configurations via specially crafted HTTP or TLS packets should be flagged.
- Monitor for anomalous or oversized hostname fields in HTTP requests and TLS ClientHello SNI extensions directed at SNIProxy instances, as the buffer overflow is triggered via the hostname in the initial TCP session request.
- The vulnerability is only exploitable when wildcard backend hosts are configured in SNIProxy; deployments not using wildcard backend hosts are not affected.
- Snort rule 61474 may be updated as additional vulnerability information becomes available; always reference the latest rule from Cisco Secure Firewall Management Center or Snort.org.
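The second detection item above asks for monitoring of oversized hostname fields in HTTP requests and in the TLS ClientHello server_name extension. The following is an added example (not code from the page, from SNIProxy, or from Cisco) of how a passive sensor can extract those two hostname fields and flag ones that exceed a length ceiling. The threshold MAX_SNI_LEN and the test inputs are constructed for the example; 253 is the maximum length of a DNS name, so anything longer is not a legitimate hostname regardless of the SNIProxy internals, which this code does not reproduce.

```python
import struct

# Constructed threshold: no valid DNS name exceeds 253 characters, so longer
# values in a Host header or SNI field are worth an alert on their own.
MAX_SNI_LEN = 253


def build_client_hello(hostname: bytes) -> bytes:
    """Build a minimal TLS ClientHello record carrying a server_name extension.
    Constructed sample input for the example; not a complete handshake."""
    sni_entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname  # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list        # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32   # client_version, client random
            + b"\x00"                     # session_id length 0
            + b"\x00\x02\x00\x2f"         # one cipher suite
            + b"\x01\x00"                 # one compression method (null)
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None when the
    record is not a ClientHello, carries no SNI, or is truncated."""
    if len(record) < 5 or record[0] != 0x16:          # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:                           # truncated handshake body
        return None
    pos = 2 + 32                                      # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression_methods
    if len(body) < pos + 2:
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:                             # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if len(edata) != elen:
            return None
        if etype == 0:                                # server_name
            if len(edata) < 5 or edata[2] != 0:       # need list length, type, name length
                return None
            name_len = struct.unpack("!H", edata[3:5])[0]
            name = edata[5:5 + name_len]
            return name if len(name) == name_len else None
    return None


def extract_http_host(request: bytes):
    """Return the Host header value of a plaintext HTTP request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip()
    return None


def inspect_client_hello(record: bytes):
    """(hostname, flagged): flagged is True when the SNI exceeds MAX_SNI_LEN."""
    name = extract_sni(record)
    return name, (name is not None and len(name) > MAX_SNI_LEN)


def inspect_http_request(request: bytes):
    """(hostname, flagged): flagged is True when the Host header exceeds MAX_SNI_LEN."""
    host = extract_http_host(request)
    return host, (host is not None and len(host) > MAX_SNI_LEN)


if __name__ == "__main__":
    for label, record in (("normal", build_client_hello(b"example.com")),
                          ("oversized", build_client_hello(b"a" * 400))):
        print(label, inspect_client_hello(record)[1])
```

Both inspectors return (None, False) on anything they cannot parse, so a sensor built on them alerts only on a hostname it actually extracted; a separate "unparseable ClientHello" counter is a reasonable companion metric but is outside what the detection note above asks for.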
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
OSV
osv · 2023-03-30 · CVSS 9.8 · CVE-2023-25076 [CRITICAL]
A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP or TLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.
GHSA
ghsa_unreviewed · 2023-03-30 · CVE-2023-25076 [CRITICAL] · CWE-120 · GHSA-fhgm-rvpq-xwx9
A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP, TLS or DTLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.
Ubuntu
vendor_ubuntu · 2023-06-12 · CVE-2023-25076
Title: SNI Proxy vulnerability
Summary: SNI Proxy could be made to crash or run programs if it received specially crafted input.
It was discovered that SNI Proxy did not properly handle wildcard backend hosts. An attacker could possibly use this issue to cause a buffer overflow, resulting in a denial of service, or arbitrary code execution.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
vendor_debian · 2023 · CVSS 9.8 · CVE-2023-25076 [CRITICAL] · sniproxy
A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP or TLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.
Scope: local
bookworm: resolved (fixed in 0.6.0-2.1)
bullseye: resolved (fixed in 0.6.0-2+deb11u1)
forky: resolved (fixed in 0.6.0-2.1)
sid: resolved (fixed in 0.6.0-2.1)
trixie: resolved (fixed in 0.6.0-2.1)
No detection rules found.
No public exploits indexed.
Checkpoint
blogs_checkpoint · 2023-04-03 · CVSS 7.8 · CVE-2023-29059 [HIGH]
## 3rd April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 3rd April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Both Windows and macOS versions of 3CXDesktopApp, a VoIP application of 3CX Communications Company, were compromised and used to distribute Trojanized versions in a large-scale supply chain attack. In this widespread campaign, dubbed SmoothOperator, threat actors have misused 3CX’s application with a malicious file that is loade
Talos
blogs_talos · 2023-03-30 · CVSS 9.8 · [CRITICAL]
Vulnerability Spotlight: SNIProxy contains remote code execution vulnerability
Keane O’Kelley of Cisco ASIG discovered this vulnerability.
Cisco ASIG recently discovered a remote code execution vulnerability in the SNIProxy open-source tool that occurs when the user utilizes wildcard backend hosts.
SNIProxy proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This open-source tool allows users to carry out name-based proxying of HTTPS without decrypting traffic or needing a key or certificate.
Talos discovered a remote code execution vulnerability (TALOS-2023-1731/CVE-2023-25076) that exists if the user is utilizing wildcard backend hosts when configuring SNIProxy. An attacker could exploit this vulnerability by sending a specially crafted HTTP or TLS packet to the target machine, potentially caus
References
- https://github.com/dlundquist/sniproxy/commit/f8d9a433fe22ab2fa15c00179048ab02ae23d583
- https://lists.debian.org/debian-lts-announce/2023/04/msg00030.html
- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1731
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1731
- https://www.debian.org/security/2023/dsa-5413
Published: 2023-03-30