A memory leak vulnerability, identified as CVE-2023-30637, has been discovered in Baidu-braft 1.1.2, a high-performance C++ implementation of the Raft protocol. The vulnerability stems from incorrect use of the 'new' operator in the example/atomic/atomic_server source file.

Please note that installations utilizing Baidu Remote Procedure Call (brpc) version .14. and later are not affected by this vulnerability.

In this post, we will discuss the details of this vulnerability, including code snippets and original references, as well as provide an exploit scenario.

Vulnerability Details

The improper use of the 'new' operator in the example/atomic/atomic_server file may result in a memory leak, potentially causing the server to crash or enabling adversaries to execute a Denial of Service (DoS) attack.

The susceptible code snippet in the example/atomic/atomic_server file:

NodeId* node_id = new NodeId();

Exploit Scenario

An attacker who is able to send multiple requests to the affected atomic_server instance, or trigger particular conditions in it, could repeatedly generate instances of the NodeId object. Each new object that is never released would cause the leak to grow. Over time, this could deplete the memory available on the server, causing it to crash or become unresponsive.

Mitigation

Users of Baidu-braft 1.1.2 can protect themselves from this vulnerability by upgrading to a Baidu-braft library version that utilizes brpc .14. or later. This will immediately address the issue and prevent potential exploitation scenarios.

Alternatively, users can manually update the vulnerable code in example/atomic/atomic_server so that the object allocated with 'new' is properly released. A correct implementation would include a matching 'delete' statement, ensuring the previously allocated memory is freed.
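The leak pattern beside two ways of closing it, as an added example that is not braft's own code. NodeId here is a stand-in struct with a live-instance counter, and the handler and helper names are hypothetical.

```cpp
#include <cstdio>
#include <memory>
#include <string>

// Stand-in for the real type (assumption): counts live instances so a leak is measurable.
struct NodeId {
    static long live;
    std::string group = "constructed-group";  // constructed sample value
    NodeId() { ++live; }
    ~NodeId() { --live; }
};
long NodeId::live = 0;

// Pattern from the advisory: allocated with new, never released.
void handle_leaky() {
    NodeId* node_id = new NodeId();
    (void)node_id;  // pointer goes out of scope without delete
}

// Manual fix described in the mitigation: pair new with delete.
void handle_with_delete() {
    NodeId* node_id = new NodeId();
    delete node_id;
}

// Sturdier fix: ownership tied to scope, released on every exit path.
void handle_with_unique_ptr(bool fail_early) {
    std::unique_ptr<NodeId> node_id(new NodeId());
    if (fail_early) return;  // early return still frees the object
}

// Runs `requests` calls of one handler and returns how many objects remain alive.
long leaked_after(int requests, int variant) {
    long before = NodeId::live;
    for (int i = 0; i < requests; ++i) {
        if (variant == 0) handle_leaky();
        else if (variant == 1) handle_with_delete();
        else handle_with_unique_ptr(i % 2 == 0);
    }
    return NodeId::live - before;
}

int main() {
    std::printf("leaky: %ld\n", leaked_after(1000, 0));
    std::printf("delete: %ld\n", leaked_after(1000, 1));
    std::printf("unique_ptr: %ld\n", leaked_after(1000, 2));
    return 0;
}
```

A bare 'delete' only helps on the paths that reach it; scope-bound ownership also covers early returns and exceptions.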

FYI, Baidu has been made aware of this issue and has stated that newer versions of Baidu Remote Procedure Call (brpc) are not affected, as they have addressed this vulnerability.

Original References

Title: 'braft: A C++ implementation of Raft protocol in the baidu-rpc framework'
Repo Link: https://github.com/apache/incubator-brpc/tree/braft

- Baidu Remote Procedure Call (brpc) .14.: https://github.com/apache/incubator-brpc/releases/tag/.14.
- Raft Protocol: https://raft.github.io/
- Baidu-braft Documentation: https://github.com/apache/incubator-brpc/blob/main/docs/cn/braft_user_guide.md

In conclusion, CVE-2023-30637 demonstrates the importance of properly handling memory allocation and deletion in C++ applications. Users of Baidu-braft 1.1.2 should update their library to a version with brpc .14. or later to avoid potential exploitation of this vulnerability. Additionally, developers should always be cautious and follow best practices when working with memory management in their code, as even minor oversights can lead to severe security implications.

Timeline

Published on: 04/13/2023 23:15:00 UTC
Last modified on: 04/24/2023 16:59:00 UTC