CVE-2024-1300: Memory Leak Vulnerability in Eclipse Vert.x TCP Servers with TLS and SNI Support

A critical vulnerability, dubbed CVE-2024-1300, has been discovered in the Eclipse Vert.x toolkit, leading to potential memory leaks in TCP servers configured with Transport Layer Security (TLS) and Server Name Indication (SNI) support. This vulnerability occurs when a server processes an unknown SNI server name and assigns the default certificate to it, rather than a mapped one. As a result, the Secure Sockets Layer (SSL) context is mistakenly cached in the server name map, causing memory exhaustion. This flaw enables attackers to send TLS client hello messages with fabricated server names, ultimately initiating a Java Virtual Machine (JVM) out-of-memory error that can crash the server or degrade performance.

In this long-read post, we will delve into the nature of this vulnerability, including code snippets, links to original references, and exploit details.

A typical configuration of a Vert.x TCP server using TLS and SNI support is shown below

import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServer;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.JksOptions;
import io.vertx.core.net.PfxOptions;

public class VulnerableServer {

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    HttpServerOptions options = new HttpServerOptions();
    options.setSsl(true);
    options.setSni(true);
    options.setPfxKeyCertOptions(new PfxOptions().setPath("path/to/certificate.p12").setPassword("secret"));

    HttpServer server = vertx.createHttpServer(options);
    server.requestHandler(request -> {
      // Process request as usual
    }).listen(808);
  }

}

The vulnerability arises due to the server's incorrect handling of unrecognized SNI names. The problematic code can be found in the MappedSniSslEngine class:

private SSLEngine getDelegate(String serverName) {
  if (serverName == null) {
    return defaultSslEngineManager.get();
  }
  SSLEngine engine = sniSslEngineMap.get(serverName);
  if (engine == null) {
    engine = defaultSslEngineManager.get();
    sniSslEngineMap.put(serverName, engine); // This line causes the memory leak
  }
  return engine;
}

Original References

The vulnerability was originally reported by {insert name} and is documented in the following sources:

- Eclipse Vert.x GitHub issue #3415
- Eclipse Vert.x change log
- CVE-2024-1300 on the MITRE CVE List

Exploit Details

To exploit this vulnerability, an attacker could craft a series of TLS client hello messages containing fake server names. Upon sending these messages to the targeted server, its memory usage would incrementally increase, as the SSL context is erroneously cached in the server name map. By persistently sending requests with various fabricated server names, the attacker could trigger a JVM out-of-memory error, thereby causing the server to crash or suffer performance degradation.

Mitigation

To prevent this security flaw from being exploited, users should update to version [INSERT_PATCHED_VERSION] or later of the Eclipse Vert.x toolkit. This release includes a fix for the vulnerability, ensuring proper server name mappings and preventing memory leaks in TCP servers configured with TLS and SNI support.

In conclusion, CVE-2024-1300 is a severe vulnerability affecting the Eclipse Vert.x toolkit's handling of SNI server names and TLS connections. To protect your server from potential attacks and memory leaks, it is crucial to update your toolkit to the latest patched version and apply proper security measures when implementing TLS and SNI support.

Timeline

Published on: 04/02/2024 08:15:53 UTC
Last modified on: 04/18/2024 17:15:48 UTC