CVE-2024-24806
📋 TL;DR
libuv's uv_getaddrinfo (src/unix/getaddrinfo.c and its Windows counterpart src/win/getaddrinfo.c) copies the hostname into a 256-byte buffer and, in versions before 1.48.0, truncates anything longer without a terminating NUL. An attacker who controls a hostname can therefore submit a long string that passes the application's own checks (suffix match, blocklist, regex) while the resolver receives a different, truncated name, possibly one that getaddrinfo accepts as an address literal, such as 0x00007f000001 (127.0.0.1). The practical result is a check bypass leading to SSRF against internal services from any application that resolves user-controlled hostnames through libuv; Node.js's dns.lookup() is one such path.
💻 Affected Systems
- libuv >= 1.24.0 and < 1.48.0 (range from GHSA-f74f-cvh7-c6q6)
- Software that bundles libuv, notably Node.js (dns.lookup() calls uv_getaddrinfo) and CMake (see the CMake issue in the references)
📦 What is this software?
libuv is the cross-platform asynchronous I/O library originally written for Node.js and now embedded in many other projects. Besides event loops, sockets and file system access it provides DNS resolution via uv_getaddrinfo, a wrapper around the platform getaddrinfo() that also performs IDNA (punycode) conversion of the hostname; the buffer used for that conversion is where this bug lives.
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass hostname allow/deny-list checks to reach internal APIs and other internal infrastructure (SSRF), or redirect the application's outbound traffic to endpoints of their choosing.
Likely Case
SSRF against internal services that fetch or resolve user-controlled hostnames, for instance a multi-tenant site that gives users username.example.com pages and runs a crawler or cache that visits them: a sufficiently long, crafted username is enough to point that crawler at an internal address.
If Mitigated
Limited impact where egress filtering stops the vulnerable service from reaching internal ranges, hostnames are length-checked before resolution, and resolved addresses are checked before use.
🎯 Exploit Status
Exploitation requires control over a hostname that the application passes to uv_getaddrinfo, directly or through a wrapper such as Node's dns.lookup(), plus application logic that acts on the resolved address (fetching it, proxying to it). No authentication against libuv itself is involved; a single long string reaches the bug.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.48.0 (for bundled copies, a Node.js, CMake or other downstream release that ships libuv 1.48.0 or later, or a distribution package that backports the fix)
Vendor Advisory: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
Restart Required: Yes (libuv is linked into the process; a running service keeps the old code until restarted)
Instructions:
1. Identify the libuv version in use (distribution package, bundled copy, or statically linked; see How to Verify)
2. Upgrade to libuv 1.48.0 or later
3. Rebuild and redeploy applications that link libuv statically or vendor its source
4. Restart affected services
🔧 Temporary Workarounds
Input validation
Validate and limit hostname length before passing it to uv_getaddrinfo: reject anything over 253 characters, measured on the ASCII (punycode) form that is actually resolved, since IDNA conversion can lengthen a Unicode name.
🧯 If You Can't Patch
- Reject hostnames longer than 253 characters (the RFC 1035 limit for a presentation-form name) before resolution; names of 256 bytes or more are the ones the vulnerable code truncates
- Reject hostnames that getaddrinfo would treat as address literals (dotted-quad, decimal, octal or 0x-prefixed hex) unless IP input is intended
- Check the resolved address against internal ranges before connecting, and restrict outbound connections from the vulnerable service at the network layer
🔍 How to Verify
Check if Vulnerable:
Any libuv from 1.24.0 up to and including 1.47.x is vulnerable unless the distribution has backported the fix. Note that ldd --version reports the glibc version, not libuv, so it cannot be used here.
Check Version:
dpkg -l libuv1 (Debian/Ubuntu) or rpm -q libuv (RHEL/Fedora) for the system package
node -p process.versions.uv for the copy bundled in Node.js
grep -E 'UV_VERSION_(MAJOR|MINOR|PATCH)' /usr/include/uv/version.h for the headers a build compiled against
uv_version_string() at runtime from C/C++ embedders
Statically linked binaries do not show up in package manager output; check the embedding project's release notes for the libuv version it ships.
Verify Fix Applied:
The reported version is 1.48.0 or higher, or the distribution changelog/advisory for the installed package lists CVE-2024-24806 as fixed (backports keep the older upstream version number; see the Debian LTS announcement in the references).
📡 Detection & Monitoring
Log Indicators:
- Hostnames of 256 bytes or more submitted to any feature that resolves or fetches user-supplied hosts (requires the application to log the raw hostname before resolution)
- Hostnames that are address literals in disguise (hex such as 0x7f000001, octal, or bare integers) where a DNS name was expected
- Requests whose logged resolved address falls in loopback, RFC 1918 or link-local ranges
Network Indicators:
- Outbound connections to internal or otherwise unexpected IP ranges from services using libuv
- DNS queries with unusually long names, with the caveat that a payload the truncation turns into a numeric literal is handled locally by getaddrinfo and never produces a DNS query, so DNS-server logs alone will miss it
SIEM Query:
source="app.log" AND hostname_length>=256
(assumes the application logs the raw hostname it received; the same query against dns.log only catches the cases that actually reach the resolver)
🔗 References
- http://www.openwall.com/lists/oss-security/2024/02/08/2
- http://www.openwall.com/lists/oss-security/2024/02/11/1
- http://www.openwall.com/lists/oss-security/2024/03/11/1
- https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
- https://github.com/libuv/libuv/commit/3530bcc30350d4a6ccf35d2f7b33e23292b9de70
- https://github.com/libuv/libuv/commit/c858a147643de38a09dd4164758ae5b685f2b488
- https://github.com/libuv/libuv/commit/e0327e1d508b8207c9150b6e582f0adf26213c39
- https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
- https://gitlab.kitware.com/cmake/cmake/-/issues/26112
- https://lists.debian.org/debian-lts-announce/2024/03/msg00005.html
- https://security.netapp.com/advisory/ntap-20240605-0008/