[Debian] High CVE: CVE-2024-24806 libuv1: Improper Domain Lookup that potentially leads to SSRF attacks

Bug #2057488 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Wentao Zhang

Bug Description

CVE-2024-24806: https://nvd.nist.gov/vuln/detail/CVE-2024-24806

libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its Windows counterpart `src/win/getaddrinfo.c`) truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which `getaddrinfo` considers valid, and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises from how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`: when the hostname exceeds 256 characters, it is truncated without a terminating null byte. As a result, attackers may be able to access internal APIs. Websites (similar to MySpace) that allow users to have `username.example.com` pages are also affected: internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long, vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
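The application-side check that removes this class of bug, as an added example (not libuv or StarlingX code): validate the complete, untruncated hostname and enforce the DNS length limit before the string reaches any resolver or fixed-size buffer. `validate_hostname`, `MAX_HOSTNAME` and the sample names are this example's own assumptions.

```python
import re
from typing import Optional, Tuple

MAX_HOSTNAME = 253  # RFC 1035: 255 octets on the wire, 253 as printed text

# RFC 1123 label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Numeric forms that C inet_aton()/getaddrinfo() accept as an IPv4 literal:
# one to four dot-separated parts, each decimal, octal (leading 0) or hex (0x).
_PART = r"(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)"
_INET_ATON_RE = re.compile(rf"^{_PART}(?:\.{_PART}){{0,3}}$")


def validate_hostname(name: str, parent_domain: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, reason); only names that pass should be handed to a resolver.

    Hypothetical helper: the length check runs on the complete input, so a
    downstream fixed-size buffer (256 bytes in the affected libuv versions)
    never gets the chance to cut the string into something else.
    """
    if not name.isascii():
        # IDNA conversion is deliberately left out of this example.
        return False, "non-ASCII hostname"
    host = name[:-1] if name.endswith(".") else name  # tolerate one trailing dot
    if len(host) > MAX_HOSTNAME:
        return False, f"hostname longer than {MAX_HOSTNAME} characters"
    if _INET_ATON_RE.match(host):
        # A bare numeric literal resolves to itself; it is never a user subdomain.
        return False, "numeric IP literal where a DNS name was expected"
    for label in host.split("."):
        if not _LABEL_RE.match(label):
            return False, f"invalid DNS label {label!r}"
    if parent_domain is not None:
        if not host.lower().endswith("." + parent_domain.lower()):
            return False, f"hostname not under {parent_domain}"
    # Resolving and then checking the returned address (no loopback, no
    # private ranges) remains a second, independent layer of defence.
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the bug report.
    samples = ("alice.example.com", "0x00007f000001", ".".join(["ab"] * 100) + ".example.com")
    for sample in samples:
        print(sample[:40], validate_hostname(sample, "example.com"))
```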

Base Score: High

Reference:

libuv1_1.40.0-2_amd64.deb → libuv1_1.40.0-2+deb11u1_amd64.deb
https://security-tracker.debian.org/tracker/DSA-5638-1

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/912908

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/912908
Committed: https://opendev.org/starlingx/tools/commit/c91b9dddce8603638dd71a9fc35ce56f23517cf5
Submitter: "Zuul (22348)"
Branch: master

commit c91b9dddce8603638dd71a9fc35ce56f23517cf5
Author: Wentao Zhang <email address hidden>
Date: Thu Mar 14 02:09:17 2024 -0700

    Debian: libuv1: fix CVE-2024-24806

    Upgrade libuv1 to 1.40.0-2+deb11u1

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2024-24806
    https://security-tracker.debian.org/tracker/DSA-5638-1

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2057488

    Change-Id: If9a79c49b8c203054911d548c5b907c800a04477
    Signed-off-by: Wentao Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil) wrote :

Changing the target release to stx.10.0 since this only merged in the main branch after the r/stx.9.0 release branch was created (March 7) and the team doesn't port CVE fixes to released branches.

Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)
tags: added: stx.10.0
removed: stx.9.0