CVE-2023-1108: The Endless Loop of Despair - Understanding and Exploiting the DoS Flaw in Undertow's SslConduit

Hello, fellow security enthusiasts! Today, we have a deceptively simple, yet incredibly damaging cybersecurity vulnerability to discuss. In this long read post, we're going to explore a flaw found in Undertow, a flexible, high-performance web server written in Java. This vulnerability allows an attacker to force a denial of service (DoS) attack against the targeted server. Designated as CVE-2023-1108, this flaw lies in Undertow's SslConduit, where an unexpected handshake status update causes a never-ending loop.

Before diving into the heart of the issue, let's first understand a bit about Undertow and SslConduit.

Undertow Web Server

Undertow is a web server used in many Java-based applications, known for its flexibility and high-performance capabilities. It is designed for maximum throughput and minimal resource usage and offers an intuitive and easy-to-use Java API for creating HTTP handlers and controls. To learn more about Undertow, please visit the official Undertow website.

Under the Hood - SslConduit

SslConduit is a part of Undertow's SSL/TLS implementation. In simple terms, SslConduit is responsible for managing the SSL/TLS connection, particularly the SSL/TLS handshake process, which establishes a secure communication channel between the client and the server.

The Vulnerability (CVE-2023-1108) Explained

Now that we have some background knowledge, let's dive into the vulnerability itself. CVE-2023-1108 is a flaw in Undertow's SslConduit that allows an attacker to achieve a denial of service by creating a never-ending loop. This arises when an unexpected handshake status is updated during the SSL/TLS connection establishment process. The loop causes the targeted server's CPU to spike, effectively rendering it non-operational.

Here's a code snippet that demonstrates the problematic behavior in SslConduit

//Inside the SslConduit class
public void handshake() throws IOException {
    //...
    HandshakeStatus handshakeStatus = engine.getHandshakeStatus();
    while (true) {
        switch (handshakeStatus) {
            //...
            case NOT_HANDSHAKING:
                //...
                break;
            default:
                return;
        }
        handshakeStatus = engine.getHandshakeStatus();
    }
}

As you can see from the code above, the switch-case statement handles various handshake statuses. However, if the unexpected status is encountered, the loop keeps on running without termination.

Exploiting the Vulnerability

Now that we know how this vulnerability works, let's discuss how it can be exploited. An attacker would need to construct a malicious request to trigger the handshake status required for the loop to continue indefinitely. This request would prompt Undertow's SSL/TLS implementation to continuously attempt to establish a connection without ever succeeding, ultimately bringing the server to its knees.

Fortunately, the vulnerability was addressed and patched by the Undertow maintainers. However, unpatched systems still remain at risk.

Mitigation Steps

The most straightforward step to protect against this vulnerability is to update Undertow to a version that includes the patch for the CVE-2023-1108 flaw. Existing users of Undertow are strongly advised to upgrade immediately. Server administrators should monitor their systems for any signs of abnormal behavior, such as unusual CPU spikes, to identify potential attacks.

Conclusion

In conclusion, CVE-2023-1108 is a critical vulnerability affecting Undertow's SslConduit, making it possible to achieve denial-of-service attacks by causing a never-ending loop during the SSL/TLS handshake process. It highlights the importance of keeping software up to date and monitoring your systems for potential issues.

We hope that you found this long read insightful and informative. Be sure to stay safe and maintain a strong security posture.

Key References

1. Undertow Homepage
2. CVE-2023-1108 Details
3. Undertow GitHub Repository

Timeline

Published on: 09/14/2023 15:15:00 UTC
Last modified on: 09/20/2023 20:16:00 UTC