Focused vulnerability: SNIProxy has a remote code execution flaw
This vulnerability was identified by Keane O’Kelley of Cisco ASIG. According to Cisco ASIG, the open-source software SNIProxy has a remote code execution flaw that can be exploited when it is configured with wildcard backend hosts.
SNIProxy proxies incoming HTTP and TLS connections based on the hostname present in the TCP session’s initial request. This open-source tool lets users perform name-based HTTPS proxying without decrypting traffic or holding a key or certificate.
When setting up SNIProxy, a user who configures wildcard backend hosts exposes a remote code execution vulnerability (TALOS-2023-1731/CVE-2023-25076). By sending a specially crafted HTTP, TLS, or DTLS packet to the target machine, an attacker could trigger this vulnerability and potentially cause a denial of service or achieve remote code execution.
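Because the advisory ties the flaw to wildcard backend hosts, a defender’s first step is to find out whether any SNIProxy table actually uses one. The audit below is an added example, not code from Talos or the SNIProxy project; it assumes SNIProxy’s `table [name] { pattern backend }` syntax, in which a backend of `*` (optionally `*:port`) means "connect to whatever hostname the client requested", and the configuration it scans is constructed for illustration.

```python
"""Audit a SNIProxy configuration for wildcard backend hosts (CVE-2023-25076)."""
import re

# Constructed sample configuration (not from any real deployment).
SAMPLE_CONFIG = """
user nobody
listen 443 {
    proto tls
    table https_hosts
}
table https_hosts {
    example.com      192.0.2.10:443     # fixed backend: fine
    .*\\.example\\.net [2001:db8::1]:443  # fixed backend: fine
    .*               *:443              # wildcard backend: flag
}
table {
    .* *   # unnamed default table, wildcard backend: flag
}
"""

# Assumed syntax: "table { ... }" or "table NAME { ... }" opens a table block.
TABLE_RE = re.compile(r"^\s*table(?:\s+(\S+))?\s*\{")

def find_wildcard_backends(config_text):
    """Return (line_no, table_name, pattern, backend) for every wildcard entry."""
    hits = []
    table = None                      # name of the table block we are inside, if any
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = TABLE_RE.match(line)
        if m:
            table = m.group(1) or "<default>"
            continue
        if table is None:
            continue                  # outside any table block (e.g. listen { ... })
        if line.startswith("}"):
            table = None              # table block closed
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                  # malformed entry: not a wildcard backend
        pattern, backend = fields[0], fields[1]
        # A backend of "*" or "*:port" makes SNIProxy dial the client-supplied hostname.
        if backend.split(":", 1)[0] == "*":
            hits.append((lineno, table, pattern, backend))
    return hits

if __name__ == "__main__":
    for lineno, table, pattern, backend in find_wildcard_backends(SAMPLE_CONFIG):
        print(f"line {lineno}: table {table}: '{pattern}' -> '{backend}' (wildcard backend)")
```

Run it against the real configuration file (for example by reading `/etc/sniproxy.conf` into `find_wildcard_backends`) to list the entries that must be removed or patched first.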
In accordance with Cisco’s vulnerability disclosure policy, Cisco Talos worked with the maintainers of SNIProxy to ensure that the problem was fixed and that an update was available to affected users.
Talos testing confirmed that SNIProxy version 0.6.0-2 and the SNIProxy master branch at commit 822bb80df9b7b345cc9eba55df74a07b498819ba are affected by this vulnerability. Users of these versions are advised to update as soon as possible.
Snort rule 61474 detects exploitation attempts against this vulnerability. Additional rules may be released in the future, and existing rules may change as new vulnerability information becomes available. Please refer to Snort.org or your Cisco Secure Firewall Management Center for the most recent rule information.
Author: Varsha Kumari