CVE-2023-43644
📋 TL;DR
CVE-2023-43644 is an authentication bypass vulnerability in sing-box proxy software that allows attackers to bypass SOCKS5 inbound authentication. This affects all sing-box installations with SOCKS5 inbounds configured with user authentication. Attackers can gain unauthorized access to proxy services without valid credentials.
💻 Affected Systems
- sing-box
📦 What is this software?
Sing Box by Sagernet
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of proxy infrastructure allowing attackers to route malicious traffic, intercept communications, or pivot to internal networks.
Likely Case
Unauthorized use of proxy services for anonymization, bandwidth theft, or initial network foothold.
If Mitigated
Limited impact if SOCKS5 inbound is not exposed externally and proper network segmentation exists.
🎯 Exploit Status
Exploitation requires sending specially crafted requests to the SOCKS5 inbound endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.4 or 1.5.0-rc.4
Vendor Advisory: https://github.com/SagerNet/sing-box/security/advisories/GHSA-r5hm-mp3j-285g
Restart Required: Yes
Instructions:
1. Stop the sing-box service.
2. Update to version 1.4.4 or 1.5.0-rc.4 using a package manager or manual download.
3. Restart the sing-box service.
4. Verify the version is updated.
🔧 Temporary Workarounds
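Disable SOCKS5 inbound authentication
Platform: all. Remove user authentication from the SOCKS5 inbound configuration.
Edit the sing-box configuration file and remove the 'users' section from the SOCKS5 inbound. The inbound then accepts any client that can reach it, so pair this with the network restriction below.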
Restrict network access
Platform: Linux. Use firewall rules to limit access to the SOCKS5 inbound port.
iptables -A INPUT -p tcp --dport [SOCKS5_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [SOCKS5_PORT] -j DROP
🧯 If You Can't Patch
- Disable SOCKS5 inbound entirely or restrict to trusted networks only
- Implement network-level authentication or VPN before SOCKS5 access
🔍 How to Verify
Check if Vulnerable:
Check sing-box version and verify SOCKS5 inbound with authentication is configured
Check Version:
sing-box version
Verify Fix Applied:
Confirm version is 1.4.4 or higher, or 1.5.0-rc.4 or higher
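The two checks above can be combined in a script. This is an added example, not code from the sing-box project; it assumes the version command prints a line containing the version string and that the configuration is plain JSON with an `inbounds` array whose SOCKS entries use `"type": "socks"` and a `users` list. The sample inputs are constructed.

```python
import json
import re

# Constructed sample inputs; the version line format and JSON layout are assumptions.
SAMPLE_VERSION = "sing-box version 1.4.3\n"
SAMPLE_CONFIG = """{"inbounds": [
  {"type": "socks", "tag": "socks-in", "listen_port": 1080,
   "users": [{"username": "demo", "password": "demo"}]},
  {"type": "http", "tag": "http-in", "listen_port": 8080}
]}"""

def parse_version(text):
    """Return ((major, minor, patch), pre_label, pre_number) from version text."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)(?:\.(\d+))?)?", text)
    if not m:
        raise ValueError("no version string found")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    return base, m.group(4), int(m.group(5) or 0)

def is_patched(text):
    """True only for 1.4.4+ stable, 1.5.0-rc.4+, or anything newer."""
    base, label, num = parse_version(text)
    if label is None:
        return base >= (1, 4, 4)
    if base > (1, 5, 0):
        return True
    if base == (1, 5, 0):
        return label == "rc" and num >= 4
    return False  # pre-release below 1.5.0: not confirmed fixed by the page

def authenticated_socks_inbounds(config_text):
    """Tags of SOCKS inbounds that have a non-empty 'users' list."""
    cfg = json.loads(config_text)
    return [ib.get("tag", "<untagged>") for ib in cfg.get("inbounds", [])
            if ib.get("type") == "socks" and ib.get("users")]

def assess(version_output, config_text):
    """Combine both checks: unpatched plus authenticated SOCKS means vulnerable."""
    tags = authenticated_socks_inbounds(config_text)
    if is_patched(version_output):
        return "patched", tags
    return ("vulnerable" if tags else "unpatched-no-auth-socks"), tags

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))
```

Pre-release builds below 1.5.0 are reported as unpatched because the page only confirms 1.4.4 and 1.5.0-rc.4 as fixed.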
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful connections
- Unusual source IPs connecting to SOCKS5 port
Network Indicators:
- SOCKS5 protocol anomalies
- Traffic from unexpected sources through proxy
SIEM Query:
(source_port:1080 OR destination_port:1080) AND (event_type:auth_failure OR protocol:socks5)