CVE-2021-38614

7.5 HIGH

📋 TL;DR

CVE-2021-38614 is a heap-based buffer overflow in the Polipo caching proxy server, versions through 1.1.1, when it is compiled with the NDEBUG flag. An attacker can trigger it by sending specially crafted Range headers, potentially executing arbitrary code or crashing the service. This primarily affects legacy deployments, since Polipo is no longer maintained.

💻 Affected Systems

Products:
  • Polipo
Versions: All versions through 1.1.1 when compiled with the NDEBUG flag
Operating Systems: All operating systems running Polipo
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects builds with the NDEBUG flag; many distributions may not use this compilation option.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case: Service crash causing denial of service, and potential information disclosure through memory dumps.

🟢 If Mitigated: Limited impact with proper network segmentation and minimal exposure; potentially just service disruption.

🌐 Internet-Facing: HIGH - Directly exploitable via HTTP requests without authentication.
🏢 Internal Only: MEDIUM - Still exploitable internally, but requires network access to the Polipo instance.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed HTTP Range headers; proof-of-concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None - project is abandoned

Vendor Advisory: https://www.openwall.com/lists/oss-security/2021/07/28/2

Restart Required: No

Instructions:

No official patch exists. Recommended action is to migrate to alternative software like Squid or Varnish.

🔧 Temporary Workarounds

Disable Range header processing (platform: all)

Configure Polipo to reject or ignore Range headers: add 'disableRange = true' to the polipo config file.

Recompile without NDEBUG (platform: linux)

Rebuild Polipo without the problematic compilation flag (defining NDEBUG removes the assert() checks from the build):

grep -n NDEBUG Makefile   # confirm the build does not define NDEBUG; also check that CFLAGS in your environment has no -DNDEBUG
make clean
make
make install

🧯 If You Can't Patch

  • Replace Polipo with a maintained alternative caching proxy
  • Implement network controls to restrict access to Polipo instances

🔍 How to Verify

Check if Vulnerable:

Check whether the Polipo version is ≤ 1.1.1 and whether the binary was compiled with the NDEBUG flag

Check Version:

polipo -v

Verify Fix Applied:

Verify Polipo is no longer in use or has been replaced with alternative software
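The two checks above (version ≤ 1.1.1, and an NDEBUG build) as a small Python script. This is an added example, not tooling from the page or from the Polipo project. It assumes that `polipo -v` prints a dotted version number somewhere in its output (the exact wording is an assumption), and it uses a heuristic for the NDEBUG question: on a glibc-linked Linux binary, assert() calls that were compiled in reference the `__assert_fail` symbol, so its absence from `nm -D` output suggests the asserts were compiled out. Statically linked or non-glibc builds need a different check.

```python
import re
import subprocess

# CVE-2021-38614 affects Polipo through 1.1.1 (from the advisory text).
VULNERABLE_MAX = (1, 1, 1)

# First dotted version number in a string; the patch level is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract the first X.Y[.Z] version from text as an int tuple, or None.
    Distro suffixes such as '1.1.1-8' are ignored (only the dotted part is compared)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_affected_version(text):
    """True when the version found in text is within the affected range (<= 1.1.1)."""
    v = parse_version(text)
    return v is not None and v <= VULNERABLE_MAX


def built_without_asserts(nm_output):
    """Heuristic (assumption: glibc-linked Linux binary): if `nm -D polipo` shows no
    reference to __assert_fail, the asserts were compiled out, i.e. an NDEBUG build."""
    return "__assert_fail" not in nm_output


def check_installed(binary="polipo"):
    """Run `polipo -v` and `nm -D` on a live system. Returns (affected_version, ndebug_build),
    or None when the binary is not available."""
    try:
        ver = subprocess.run([binary, "-v"], capture_output=True, text=True, timeout=5)
        sym = subprocess.run(["nm", "-D", binary], capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return (is_affected_version(ver.stdout + ver.stderr), built_without_asserts(sym.stdout))


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("polipo not found or not runnable")
    else:
        affected, ndebug = result
        print(f"affected version: {affected}; likely NDEBUG build: {ndebug}")
        print("vulnerable build" if affected and ndebug else "not matching the vulnerable configuration")
```

Both conditions have to hold for the vulnerable configuration described on this page; a pre-1.1.1 binary built with asserts enabled still hits an assertion (a crash, not the overflow), so the script reports the two facts separately.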

📡 Detection & Monitoring

Log Indicators:

  • Multiple malformed Range header requests
  • Polipo crash/restart events
  • Unusual memory usage patterns

Network Indicators:

  • HTTP requests with specially crafted Range headers
  • Traffic to Polipo's default port (8123)

SIEM Query:

source="polipo.log" AND ("Range:" OR "buffer overflow" OR "segmentation fault")
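The log and network indicators above ("multiple malformed Range header requests" from one client) can be turned into a concrete detection rule. The following is an added example, not part of the page or of Polipo: it validates each Range header value against the RFC 7233 byte-range syntax (unit `bytes`, comma-separated `first-last`, `first-` or `-suffix` specs, first not greater than last, offsets that fit in 64 bits, a sane total length and range count), then counts malformed requests per client. The log lines are constructed for the example and use an assumed format in which the proxy or WAF records the Range value; Polipo's native log does not necessarily contain it.

```python
import re
from collections import Counter

MAX_VALUE_LEN = 256          # longer Range values are not legitimate client behaviour
MAX_RANGES = 16              # more byte-range-specs than this is flagged
MAX_OFFSET = 2**63 - 1       # beyond a signed 64-bit file offset

# One byte-range-spec: "first-last", "first-" or "-suffix".
_RANGE_SPEC = re.compile(r"^(?:(\d+)-(\d*)|-(\d+))$")

# Assumed log format (constructed for this example): timestamp client method url [Range: value]
_LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: Range: (.+))?$")


def classify_range(value):
    """Return None when the Range value is well-formed, otherwise a short reason string."""
    value = value.strip()
    if len(value) > MAX_VALUE_LEN:
        return "oversized header"
    unit, sep, ranges = value.partition("=")
    if not sep:
        return "missing '='"
    if unit.strip().lower() != "bytes":
        return f"unsupported unit {unit.strip()!r}"
    specs = [s.strip() for s in ranges.split(",")]
    if len(specs) > MAX_RANGES:
        return f"too many ranges ({len(specs)})"
    for spec in specs:
        m = _RANGE_SPEC.match(spec)
        if not m:
            return f"bad syntax {spec!r}"
        first, last, suffix = m.groups()
        for num in (first, last, suffix):
            if num and int(num) > MAX_OFFSET:
                return "offset exceeds 64-bit range"
        if first is not None and last and int(first) > int(last):
            return f"first > last in {spec!r}"
    return None


def scan_log(lines):
    """Return one finding per request whose Range header fails validation."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue                      # not in the assumed format; ignore
        ts, client, method, url, range_value = m.groups()
        if range_value is None:
            continue                      # no Range header on this request
        reason = classify_range(range_value)
        if reason:
            findings.append({"ts": ts, "client": client, "url": url, "reason": reason})
    return findings


def suspicious_clients(findings, threshold=3):
    """Clients with at least `threshold` malformed Range requests (the 'multiple requests' indicator)."""
    counts = Counter(f["client"] for f in findings)
    return {client: n for client, n in counts.items() if n >= threshold}


# Constructed sample log (RFC 5737 documentation addresses); one client sends repeated bad ranges.
_MANY = "bytes=" + ",".join(f"{i}-{i}" for i in range(40))
SAMPLE_LOG = [
    "2021-07-28T10:00:01Z 192.0.2.10 GET http://example.test/a.bin Range: bytes=0-1023",
    "2021-07-28T10:00:02Z 192.0.2.10 GET http://example.test/a.bin Range: bytes=-500",
    "2021-07-28T10:00:03Z 198.51.100.7 GET http://example.test/a.bin Range: bytes=500-100",
    f"2021-07-28T10:00:04Z 198.51.100.7 GET http://example.test/a.bin Range: {_MANY}",
    "2021-07-28T10:00:05Z 198.51.100.7 GET http://example.test/a.bin Range: bytes=99999999999999999999999-",
    "2021-07-28T10:00:06Z 198.51.100.7 GET http://example.test/a.bin Range: items=0-1",
    "2021-07-28T10:00:07Z 203.0.113.4 GET http://example.test/b.bin",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['client']} {f['url']}: {f['reason']}")
    print("clients over threshold:", suspicious_clients(found))
```

Run on the sample, the scanner reports the four malformed requests from 198.51.100.7 and flags that client, while the two valid ranges from 192.0.2.10 and the request with no Range header produce nothing. Pairing this with the crash/restart indicator (a flagged client shortly before a Polipo restart) is the strongest signal that the overflow, rather than a merely sloppy client, is involved.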

🔗 References
