A critical security vulnerability (CVE-2023-32762) has been discovered in Qt Network, a widely used network programming framework for cross-platform applications. If left unpatched, this vulnerability can allow an attacker to establish unencrypted connections with a server, even when the server explicitly prohibits such connections.
The Issue
The issue lies in how Qt Network parses the Strict-Transport-Security (HSTS) header. If the letter case of the header name does not exactly match the expected spelling, the framework parses it incorrectly, so connections can be made in plaintext even though the server disallows them.
Exploit Details
Let's consider a scenario where a server has explicitly set the HSTS header, specifying that it does not allow unencrypted connections. Here's an example of the header value:
Strict-Transport-Security: max-age=31536000
However, if the header is sent with a different case, such as sTrict-TrAnspORt-SecUrITY, Qt Network fails to recognize it and allows unencrypted connections to be established, which makes the server vulnerable to man-in-the-middle attacks.
The following code snippet demonstrates how this issue can be exploited:
#include <QCoreApplication>
#include <QDebug>
#include <QUrl>
#include <QtNetwork/QNetworkAccessManager>
#include <QtNetwork/QNetworkRequest>
#include <QtNetwork/QNetworkReply>

int main(int argc, char *argv[]) {
    QCoreApplication a(argc, argv);
    QNetworkAccessManager manager;
    QNetworkRequest request(QUrl("https://vulnerable.server.com/"));

    // Here's the malformed HSTS header: the name is written in mixed case
    // (set here on the outgoing request)
    request.setRawHeader("sTrict-TrAnspORt-SecUrITY", "max-age=31536000");

    QNetworkReply *reply = manager.get(request);

    // Log any network error; errorOccurred replaces the overloaded error()
    // signal (available from Qt 5.15, the only form in Qt 6)
    QObject::connect(reply, &QNetworkReply::errorOccurred,
                     [](QNetworkReply::NetworkError code) {
                         qDebug() << "Error:" << code;
                     });

    // Print the response body, release the reply and stop the event loop
    QObject::connect(reply, &QNetworkReply::finished,
                     [reply]() {
                         qDebug() << "Received:" << reply->readAll();
                         reply->deleteLater();
                         QCoreApplication::quit();
                     });

    return a.exec();
}
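The header-name matching described above, as an added example that is not Qt's code and not part of the original article: a standard-library C++ model of a client deciding whether to record an HSTS policy from response headers, with the byte-for-byte name match beside the case-insensitive match that HTTP field names require. The names Headers, findHeader, hstsMaxAge and recordsHstsPolicy are hypothetical, and the sample header is constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <utility>
#include <vector>

// Constructed model of a client reading response headers; not Qt's implementation.
typedef std::vector<std::pair<std::string, std::string> > Headers;
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// First header called `name`, or "" if absent; caseSensitive=true models the flawed exact match.
std::string findHeader(const Headers &h, const std::string &name, bool caseSensitive) {
    for (const auto &kv : h)
        if (caseSensitive ? kv.first == name : lower(kv.first) == lower(name))
            return kv.second;
    return "";
}

// max-age in seconds from an HSTS value; -1 when the directive is missing or malformed.
long hstsMaxAge(const std::string &value) {
    for (std::size_t pos = 0, end; pos <= value.size(); pos = end + 1) {
        end = std::min(value.find(';', pos), value.size());
        std::string d = value.substr(pos, end - pos);
        d.erase(0, d.find_first_not_of(" \t"));
        if (lower(d).compare(0, 8, "max-age=") != 0) continue;
        std::string n = d.substr(8);
        n.erase(n.find_last_not_of(" \t") + 1);
        if (n.size() >= 2 && n[0] == '"' && n[n.size() - 1] == '"') n = n.substr(1, n.size() - 2);
        if (n.empty() || n.find_first_not_of("0123456789") != std::string::npos) return -1;
        return std::strtol(n.c_str(), nullptr, 10);
    }
    return -1;
}

// True when a policy is recorded, so later plain-http requests to the host are refused or upgraded.
bool recordsHstsPolicy(const Headers &response, bool caseSensitive) {
    return hstsMaxAge(findHeader(response, "Strict-Transport-Security", caseSensitive)) > 0;
}

int main() {
    Headers r(1, std::make_pair(std::string("sTrict-TrAnspORt-SecUrITY"), std::string("max-age=31536000")));
    std::printf("exact match: %d, case-insensitive: %d\n", recordsHstsPolicy(r, true), recordsHstsPolicy(r, false));
}
```

A regression test for a patched client can use the same idea: serve the header under several case variants and check that a policy is recorded for each.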
Solution
To mitigate this vulnerability and protect your applications, it is strongly recommended to upgrade to the following versions of Qt with the security patch:
Original References
You can find more information about the vulnerability and the corresponding security advisory on the official Qt website:
- CVE-2023-32762 Security Advisory
- Qt Blog Post on the Security Update
- NIST National Vulnerability Database Entry
Conclusion
By addressing this vulnerability in Qt Network's HSTS header parsing, you can ensure that your applications stay secure and do not inadvertently allow unencrypted connections to servers. It is important to keep your software up to date and follow security best practices to minimize the risk of being attacked.
Timeline
Published on: 05/28/2023 23:15:00 UTC
Last modified on: 06/03/2023 03:57:00 UTC