CVE-2023-29406

Interpretation Conflict (CWE-436)

Published: Jul 11, 2023 / Updated: 16mo ago

CVSS 6.5 / EPSS 0.05% / Medium

Summary

The Go net/http HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests into the outgoing byte stream. With the fix, the HTTP/1 client refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

Impact

The flaw sits in the client, not the server: when an application sets Request.Host (or Request.URL.Host) from a value an attacker influences, CR/LF sequences in that value are copied verbatim into the request the client sends. This allows HTTP request splitting (CAPEC-105) against the upstream server the application talks to. These attacks can lead to:
1. Header injection: the attacker appends headers to the outgoing request, potentially bypassing security controls on the upstream server or manipulating its behaviour.
2. Request smuggling: an entire second request is injected after the first, potentially leading to cache poisoning, unauthorized actions performed under the application's identity, or execution of unintended actions on the server.
3. Data integrity compromise: the ability to rewrite requests lets the attacker tamper with the data the application sends on its behalf.
The CVSS v3.1 base score is 6.5 (Medium severity), with high impact on integrity and no direct impact on confidentiality or availability. The attack vector is network-based, attack complexity is low and no privileges are required, but user interaction is required.

Exploitation

One proof-of-concept exploit is available on github.com (listed under Exploits below). There is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The fix shipped in the Go 1.19.11 and 1.20.6 point releases (July 2023); later Go versions include it. The vulnerability has been addressed in multiple sources:
1. Red Hat: a patch is tracked in Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=2222167).
2. Go language:
   - Fix: https://go.dev/cl/506996
   - Vulnerability details: https://pkg.go.dev/vuln/GO-2023-1878
   - Issue tracker: https://go.dev/issue/60374
3. Oracle: a patch is included in the October 2023 Linux Bulletin (https://www.oracle.com/security-alerts/linuxbulletinoct2023.html).
The security team should prioritize applying these patches, especially for systems using the Go HTTP/1 client in network-facing applications. Because Go binaries are statically linked, applying a toolchain update alone is not enough: every affected binary must be rebuilt with the fixed toolchain.

Mitigation

To mitigate this vulnerability:
1. Apply the available patches as soon as possible: move to a Go toolchain that contains the fix (1.19.11 / 1.20.6 or later) and rebuild affected binaries, prioritizing network-facing services that make outbound HTTP/1 requests with a host taken from untrusted input (forward proxies, webhook senders, URL fetchers, health checkers). Run govulncheck ./... against each source tree; it reports whether the code actually reaches the vulnerable functions recorded in GO-2023-1878.
2. If immediate patching is not possible, consider the following temporary measures:
   a. Validate any value assigned to Request.Host or Request.URL.Host before the request is built: reject anything containing CR, LF, whitespace or other bytes outside the host[:port] grammar. A WAF or reverse proxy in front of your own server does not help here, because the flaw is in requests your application sends, not in requests it receives.
   b. Build URLs with url.Parse rather than assembling url.URL values by hand; url.Parse already rejects control characters such as CR and LF.
   c. Monitor and log outbound request errors and any upstream responses that indicate a malformed or unexpected request.
3. Review applications that use the Go HTTP/1 client to find the places where untrusted input reaches the Host field, and check logs for signs of exploitation attempts.
4. Use a Go version that includes the fix for all new and updated projects.
5. Educate developers about proper header-value validation and the risks of HTTP request splitting.
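The mechanism described in the Summary and Impact sections, and the input check that mitigation 2a calls for, as an added example (not the page's own material and not code from the Go project). NaiveRequestBytes shows what a client that copies the Host value verbatim puts on the wire; ValidHostHeader is this example's own byte-set check, modelled on the kind of validation the fix adds; NewRequestWithHost is a hypothetical application-level wrapper. The three Host values are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample Host values (not taken from the page or any real report).
const (
	benignHost   = "example.com:8080"
	injectedHost = "example.com\r\nX-Injected: 1"
	splitHost    = "example.com\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.com"
)

// validHostByte is this example's own table of bytes permitted in a Host
// header value (RFC 7230 uri-host [":" port], handled leniently: anything
// outside the set, including CR, LF and space, is rejected). It is modelled
// on the kind of check the Go fix performs, not copied from the Go source.
var validHostByte = func() [256]bool {
	var t [256]bool
	for c := byte('0'); c <= '9'; c++ {
		t[c] = true
	}
	for c := byte('a'); c <= 'z'; c++ {
		t[c] = true
	}
	for c := byte('A'); c <= 'Z'; c++ {
		t[c] = true
	}
	for _, c := range []byte("!$%&'()*+,-.:;=[]_~") {
		t[c] = true
	}
	return t
}()

// ValidHostHeader reports whether every byte of h is allowed in a Host header.
func ValidHostHeader(h string) bool {
	for i := 0; i < len(h); i++ {
		if !validHostByte[h[i]] {
			return false
		}
	}
	return true
}

// NaiveRequestBytes writes an HTTP/1.1 request the way a client that copies
// the Host value verbatim would, which is what made the bug exploitable.
func NaiveRequestBytes(method, path, host string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s HTTP/1.1\r\n", method, path)
	fmt.Fprintf(&b, "Host: %s\r\n", host)
	b.WriteString("User-Agent: example-client\r\n\r\n")
	return b.String()
}

// CountRequestLines counts lines shaped like an HTTP/1 request line
// ("METHOD target HTTP/1.x") so a smuggled second request becomes visible.
func CountRequestLines(wire string) int {
	n := 0
	for _, line := range strings.Split(wire, "\r\n") {
		f := strings.Fields(line)
		if len(f) == 3 && strings.HasPrefix(f[2], "HTTP/1.") {
			n++
		}
	}
	return n
}

// NewRequestWithHost is a hypothetical application-level guard for code that
// sets Request.Host from an untrusted value and may still run on an unpatched
// toolchain: the Host value is checked before the request exists, so a bad
// value never reaches http.Client. rawURL is assumed trusted or already
// validated; http.NewRequest parses it and rejects control characters itself.
func NewRequestWithHost(method, rawURL, host string) (*http.Request, error) {
	if !ValidHostHeader(host) {
		return nil, errors.New("refusing request: Host value contains bytes not allowed in a Host header")
	}
	req, err := http.NewRequest(method, rawURL, nil)
	if err != nil {
		return nil, err
	}
	req.Host = host
	return req, nil
}

func main() {
	for _, h := range []string{benignHost, injectedHost, splitHost} {
		wire := NaiveRequestBytes("GET", "/", h)
		fmt.Printf("host=%q valid=%v request-lines-on-wire=%d\n",
			h, ValidHostHeader(h), CountRequestLines(wire))
	}
	if _, err := NewRequestWithHost("GET", "http://example.com/", splitHost); err != nil {
		fmt.Println("guard:", err)
	}
}
```

With splitHost the naive serialization contains two request lines, which is exactly the request-smuggling case the Impact section describes; the benign value yields one. The guard rejects both crafted values before any request object is built, so the protection does not depend on the toolchain version.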

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Timeline

Jul 11, 2023, 5:19 PM (groups.google.com): First article. Feedly found the first article mentioning CVE-2023-29406.
Oct 19, 2023, 8:00 AM: Vendor advisory. Red Hat released RHSA-2023:5935.
Oct 20, 2023, 8:00 AM: Vendor advisory. Red Hat released RHSA-2023:5976.
Oct 23, 2023, 8:00 AM: Vendor advisory. Red Hat released RHSA-2023:6031.
Oct 24, 2023, 8:00 AM: Vendor advisory. Red Hat released RHSA-2023:6085.
Oct 25, 2023, 8:00 AM: Vendor advisory. Red Hat released RHSA-2023:6115.
Oct 26, 2023, 8:00 AM: Vendor advisory. Red Hat released RHSA-2023:5933.
Oct 30, 2023, 8:00 AM: Vendor advisory. Red Hat released RHSA-2023:6161.
Nov 2, 2023, 8:00 AM: Vendor advisory. Red Hat released RHSA-2023:6296.

Affected Systems

Golang/go

Exploits

https://github.com/LuizGustavoP/EP3_Redes

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-105: HTTP Request Splitting

Vendor Advisory

Oracle Linux Bulletin - October 2023
Oracle Id: linuxbulletinoct2023 Release Date: 2023-10-17 Update Date: 2023-12-19 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle Linux Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next scheduled bulletin publication date. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle Linux Bulletin security patches as soon as possible. Revision: 3 Published on 2023-12-19 CVE-2023-46847 CVSS Base Score :9.9 CVSS Vector :CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H Product :

References

SUSE update for etcd
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet. The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

News

ubuntu_linux USN-7109-1: Ubuntu 16.04 LTS / Ubuntu 18.04 LTS / Ubuntu 20.04 LTS / Ubuntu 22.04 LTS : Go vulnerabilities (USN-7109-1)
Development Last Updated: 11/14/2024 CVEs: CVE-2023-29403 , CVE-2023-29402 , CVE-2023-39319 , CVE-2023-29405 , CVE-2024-24784 , CVE-2024-24789 , CVE-2023-45290 , CVE-2024-34158 , CVE-2023-29404 , CVE-2023-24536 , CVE-2023-45288 , CVE-2024-34156 , CVE-2024-24790 , CVE-2024-24785 , CVE-2023-39318 , CVE-2022-41723 , CVE-2024-34155 , CVE-2023-39325 , CVE-2022-41725 , CVE-2023-24531 , CVE-2022-41724 , CVE-2024-24783 , CVE-2024-24791 , CVE-2023-39323 , CVE-2023-29406
USN-7109-1: Go vulnerabilities
(CVE-2023-24536) Juho Nurminen discovered that Go incorrectly handled certain special characters in directory or file paths. (CVE-2023-29403) Juho Nurminen discovered that Go incorrectly handled certain compiler directives.
openSUSE 15 Security Update : etcd (SUSE-SU-2024:3656-1)
The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3656-1 advisory. Update to version 3.5.12: Security fixes: - CVE-2018-16873: Fixed remote command execution in cmd/go (bsc#1118897) - CVE-2018-16874: Fixed directory traversal in cmd/go (bsc#1118898) - CVE-2018-16875: Fixed CPU denial of service in crypto/x509 (bsc#1118899) - CVE-2018-16886: Fixed improper authentication issue when RBAC and client-cert-auth is enabled (bsc#1121850) - CVE-2020-15106: Fixed panic in decodeRecord method (bsc#1174951) - CVE-2020-15112: Fixed improper checks in entry index (bsc#1174951) - CVE-2021-28235:
openSUSE 15 Security Update : etcd (SUSE-SU-2024:3656-1)
The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3656-1 advisory. The remote openSUSE host is missing one or more security updates.
suse_linux SUSE-SU-2024:3656-1: SUSE openSUSE 15 : Security update for etcd (Moderate) (SUSE-SU-2024:3656-1)
Development Last Updated: 10/17/2024 CVEs: CVE-2018-16886 , CVE-2018-16873 , CVE-2020-15106 , CVE-2023-48795 , CVE-2021-28235 , CVE-2023-47108 , CVE-2018-16874 , CVE-2018-16875 , CVE-2022-41723 , CVE-2023-29406 , CVE-2020-15112

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None
