CVE-2023-25076
Published: 30 March 2023
Summary
CVE-2023-25076 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Sniproxy Project Sniproxy. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A buffer overflow vulnerability exists in SNIProxy versions 0.6.0-2 and the master branch prior to commit 822bb80df9b7b345cc9eba55df74a07b498819ba. The flaw occurs during handling of wildcard backend hosts and is triggered by specially crafted HTTP or TLS packets, enabling arbitrary code execution. It is tracked under CWE-120 and carries a CVSS 3.1 score of 9.8.
An unauthenticated attacker with network access can send a malicious packet to an affected SNIProxy instance and achieve arbitrary code execution with no user interaction required. Attack complexity is low, and the impact on the confidentiality, integrity, and availability of the target system is full.
Debian security advisories DSA-5413 and the corresponding LTS announcement recommend upgrading to patched versions of the package. Fixed code is available in the referenced GitHub commits that address the buffer handling logic for wildcard backends.
The EPSS score rose from a low baseline to a peak of 0.3552 after public disclosure, indicating measurable post-release exploitation interest that warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-29055
Vulnerability details
A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP or TLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.