CVE-2023-2253 - Uncontrolled resource consumption and potential Denial of Service in distribution/distribution `/v2/_catalog` endpoint

A newly discovered vulnerability, designated as CVE-2023-2253, has come to light in the popular open-source project, distribution/distribution. This could potentially allow an attacker to cause a denial of service, crippling applications and services that rely upon this software. The vulnerability resides in the /v2/_catalog endpoint and it stems from an uncontrolled allocation of a large amount of memory.

Severity: High

Affected Version: distribution/distribution at least up to version X.X.X

Exploit Details

The /v2/_catalog endpoint is used to list all repositories in a registry and accepts a parameter n (passed as a query string) that limits the maximum number of records returned. The problem arises when this parameter is not properly validated and can be submitted with an excessively large value. As a result, the software allocates a large string array, potentially leading to memory exhaustion and causing a denial of service.

Here's an example of how the code snippet may look like

func getCatalogHandler(w http.ResponseWriter, r *http.Request) {
    repos := someFuncToGetAllTheRepos()

    // Vulnerable code:
    n, err := strconv.Atoi(r.URL.Query().Get("n"))
    if err != nil || n <  {
        n = defaultMaxRecords
    }

    // Allocating large string array
    results := make([]string, n)
    max := 
    for _, repo := range repos {
        results[max] = repo
        max++
        if max >= n {
            break
        }
    }

    if err := json.NewEncoder(w).Encode(results); err != nil {
        http.Error(w, err.Error(), http.StatusInternalServerError)
    }
}

As you can see, a malicious user can pass a sufficiently large value of n to potentially consume excessive memory resources. This can be exploited by simply submitting a GET request:

GET /v2/_catalog?n=100000000000

Original References

1. Distribution/ Distribution GitHub Repository
2. Issue #XYZ on the github/distribution
3. CVE-2023-2253 Vulnerability Details

Mitigation

The maintainers of the distribution/distribution project are aware of the vulnerability and have been working on a patch. Until a fix is officially released, it is advisable to apply the following workaround:

n = defaultMaxRecords

}

Conclusion

The CVE-2023-2253 vulnerability poses a significant risk to users of the distribution/distribution software. It is urgent that developers who maintain applications or services relying on this software apply the suggested mitigation steps and update to the patched version as soon as it is available. As is often the case in such situations, the best defense against vulnerabilities is to closely follow security practices, promptly apply patches, and be proactive about monitoring your application infrastructure for potential threats.

Timeline

Published on: 06/06/2023 20:15:00 UTC
Last modified on: 06/13/2023 19:09:00 UTC