Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2023-33953 (High) detected in grpcv1.19.0 #145

Open
mend-bolt-for-github bot opened this issue Aug 27, 2023 · 0 comments
Open

CVE-2023-33953 (High) detected in grpcv1.19.0 #145

mend-bolt-for-github bot opened this issue Aug 27, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github
Copy link

CVE-2023-33953 - High Severity Vulnerability

Vulnerable Library - grpcv1.19.0

The C based gRPC (C++, Python, Ruby, Objective-C, PHP, C#)

Library home page: https://github.com/grpc/grpc.git

Found in base branch: master

Vulnerable Source Files (4)

/node_modules/grpc/deps/grpc/src/core/lib/iomgr/tcp_server_utils_posix.h
/node_modules/grpc/deps/grpc/src/core/lib/iomgr/tcp_server_posix.cc
/node_modules/grpc/deps/grpc/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
/node_modules/grpc/deps/grpc/src/core/lib/iomgr/tcp_server_utils_posix_common.cc

Vulnerability Details

gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks:

  • Unbounded memory buffering in the HPACK parser
  • Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

  • The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
  • HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
  • gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…

Publish Date: 2023-08-09

URL: CVE-2023-33953

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cloud.google.com/support/bulletins#gcp-2023-022

Release Date: 2023-08-09

Fix Resolution: 1.53.2,1.54.3,1.55.3,1.56.2

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Aug 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants