Introduction: Netty is an asynchronous event-driven network application framework designed for the rapid development of maintainable high-performance protocol servers and clients. It is widely used in applications that need to handle a large number of simultaneous connections with minimal overhead. One of Netty's features is its support for TLS/SSL encryption through the use of the SniHandler class.

The vulnerability: The SniHandler class in Netty can allocate up to 16MB of heap memory for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be exploited to make a TCP server using the SniHandler allocate a large amount of heap memory. This allocation, in turn, can lead to potential denial of service attacks if not properly handled.

Details: The SniHandler class is a handler that waits for the TLS handshake to configure an SslHandler according to the server name indicated by the ClientHello record. During this process, it allocates a ByteBuf using the value defined in the ClientHello record. Ideally, the value of this packet should be smaller than the handshake packet, but no checks are performed here for the allocation, and the code is written in such a way that it is possible to craft a packet that makes the SslClientHelloHandler allocate a large buffer.

Here's a code snippet that demonstrates the issue

//...
private static final int MAX_SSL_RECORD_SIZE = 16 * 1024 + 1024;

//...

@Override
public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
    ByteBuf buffer = (ByteBuf) msg;
    int size = buffer.readableBytes();
    if (size == ) {
        return;
    }

    ByteBuf byteBuf = ctx.alloc().buffer(size + MAX_SSL_RECORD_SIZE);
    byteBuf.writeBytes(buffer, buffer.readerIndex(), size);

    buffer.release();

    //Rest of the code...
}
//...

In this code snippet, the size of the buffer allocated is determined by the size of the incoming msg, which can be a maliciously crafted packet designed to trigger the allocation of significant amounts of heap memory.

Exploit: The vulnerability can be exploited by an attacker who can establish connections with the server and send specially crafted ClientHello messages that indicate a large server name value. This will cause the server to allocate a large ByteBuf and potentially exhaust the server's memory resources, eventually leading to a denial of service.

Mitigation: This vulnerability has been fixed in Netty version 4.1.94.Final. Users are advised to upgrade to this version or later versions to address the issue.

Original references

- Netty GitHub repository: https://github.com/netty/netty
- Netty release history: https://netty.io/news/index.html
- CVE-2023-34462 vulnerability details: https://example.com/cve-2023-34462/vulnerability-details

Conclusion: The CVE-2023-34462 vulnerability in Netty's SniHandler is a critical issue that may lead to denial of service attacks for applications using the impacted Netty versions. It is essential to upgrade to version 4.1.94.Final or later to ensure protection against potential exploits targeting this vulnerability.

Timeline

Published on: 06/22/2023 23:15:00 UTC
Last modified on: 08/03/2023 15:15:00 UTC