cve-2023-41337
Vulnerability from cvelistv5
Published
2023-12-12 19:42
Modified
2024-08-02 19:01
Severity ?
6.1 (Medium) - CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Summary
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening. Once a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker's server. An H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities. A patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using using host-level listen directives in favor of global-level ones.
References
security-advisories@github.comhttps://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0abPatch
security-advisories@github.comhttps://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6qMitigation, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0abPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6qMitigation, Patch, Vendor Advisory
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:01:34.582Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q"
          },
          {
            "name": "https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "h2o",
          "vendor": "h2o",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.3.0-beta2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent.\n\nThe attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening.\n\nOnce a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker\u0027s server.\n\nAn H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities.\n\nA patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using using host-level listen directives in favor of global-level ones."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-12T19:42:35.210Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q"
        },
        {
          "name": "https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab"
        }
      ],
      "source": {
        "advisory": "GHSA-5v5r-rghf-rm6q",
        "discovery": "UNKNOWN"
      },
      "title": "h2o vulnerable to TLS session resumption misdirection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-41337",
    "datePublished": "2023-12-12T19:42:35.210Z",
    "dateReserved": "2023-08-28T16:56:43.367Z",
    "dateUpdated": "2024-08-02T19:01:34.582Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.2.6\", \"matchCriteriaId\": \"3C540EDB-1F68-47E9-A457-B6BC1EB805D7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dena:h2o:2.3.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"128D1D5E-4E71-4ABB-B580-F17E2B74B5F3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dena:h2o:2.3.0:beta2:*:*:*:*:*:*\", \"matchCriteriaId\": \"E69DE676-300A-4A95-A04D-7463CA372799\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent.\\n\\nThe attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening.\\n\\nOnce a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker\u0027s server.\\n\\nAn H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities.\\n\\nA patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using using host-level listen directives in favor of global-level ones.\"}, {\"lang\": \"es\", \"value\": \"h2o es un servidor HTTP compatible con HTTP/1.x, HTTP/2 y HTTP/3. En la versi\\u00f3n 2.3.0-beta2 y anteriores, cuando h2o est\\u00e1 configurado para escuchar m\\u00faltiples direcciones o puertos y cada uno de ellos usa diferentes servidores backend administrados por m\\u00faltiples entidades, una entidad backend maliciosa que tambi\\u00e9n tiene la oportunidad de observar o inyectar paquetes intercambiados entre el cliente y h2o pueden desviar las solicitudes HTTPS que van a otros backends y observar el contenido de esa solicitud HTTPS que se env\\u00eda. El ataque implica que un cliente v\\u00edctima intenta reanudar una conexi\\u00f3n TLS y un atacante redirige los paquetes a una direcci\\u00f3n o puerto diferente al previsto por el cliente. El atacante ya debe haber sido configurado por el administrador de h2o para actuar como backend de una de las direcciones o puertos que escucha la instancia de h2o. Los ID de sesi\\u00f3n y los tickets generados por h2o no est\\u00e1n vinculados a informaci\\u00f3n espec\\u00edfica de la direcci\\u00f3n del servidor, el puerto o el certificado X.509 y, por lo tanto, es posible que un atacante fuerce la conexi\\u00f3n de la v\\u00edctima a reanudarse incorrectamente en una direcci\\u00f3n de servidor o puerto diferente. en el que est\\u00e1 escuchando la misma instancia de h2o. Una vez que una sesi\\u00f3n TLS se dirige err\\u00f3neamente para reanudarse a una direcci\\u00f3n/puerto de servidor que est\\u00e1 configurado para usar un servidor controlado por el atacante como backend, dependiendo de la configuraci\\u00f3n, las solicitudes HTTPS del cliente v\\u00edctima pueden reenviarse al servidor del atacante. Una instancia H2O es vulnerable a este ataque solo si la instancia est\\u00e1 configurada para escuchar diferentes direcciones o puertos usando la directiva de escucha en el nivel de host y la instancia est\\u00e1 configurada para conectarse a servidores backend administrados por m\\u00faltiples entidades. Hay un parche disponible en el commit 35760540337a47e5150da0f4a66a609fad2ef0ab. Como workaround, se pueden dejar de utilizar directivas de escucha a nivel de host en favor de las de nivel global.\"}]",
      "id": "CVE-2023-41337",
      "lastModified": "2024-11-21T08:21:06.330",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.5, \"impactScore\": 5.2}]}",
      "published": "2023-12-12T20:15:07.477",
      "references": "[{\"url\": \"https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-347\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-41337\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-12-12T20:15:07.477\",\"lastModified\":\"2024-11-21T08:21:06.330\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent.\\n\\nThe attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening.\\n\\nOnce a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker\u0027s server.\\n\\nAn H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities.\\n\\nA patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using using host-level listen directives in favor of global-level ones.\"},{\"lang\":\"es\",\"value\":\"h2o es un servidor HTTP compatible con HTTP/1.x, HTTP/2 y HTTP/3. En la versi\u00f3n 2.3.0-beta2 y anteriores, cuando h2o est\u00e1 configurado para escuchar m\u00faltiples direcciones o puertos y cada uno de ellos usa diferentes servidores backend administrados por m\u00faltiples entidades, una entidad backend maliciosa que tambi\u00e9n tiene la oportunidad de observar o inyectar paquetes intercambiados entre el cliente y h2o pueden desviar las solicitudes HTTPS que van a otros backends y observar el contenido de esa solicitud HTTPS que se env\u00eda. El ataque implica que un cliente v\u00edctima intenta reanudar una conexi\u00f3n TLS y un atacante redirige los paquetes a una direcci\u00f3n o puerto diferente al previsto por el cliente. El atacante ya debe haber sido configurado por el administrador de h2o para actuar como backend de una de las direcciones o puertos que escucha la instancia de h2o. Los ID de sesi\u00f3n y los tickets generados por h2o no est\u00e1n vinculados a informaci\u00f3n espec\u00edfica de la direcci\u00f3n del servidor, el puerto o el certificado X.509 y, por lo tanto, es posible que un atacante fuerce la conexi\u00f3n de la v\u00edctima a reanudarse incorrectamente en una direcci\u00f3n de servidor o puerto diferente. en el que est\u00e1 escuchando la misma instancia de h2o. Una vez que una sesi\u00f3n TLS se dirige err\u00f3neamente para reanudarse a una direcci\u00f3n/puerto de servidor que est\u00e1 configurado para usar un servidor controlado por el atacante como backend, dependiendo de la configuraci\u00f3n, las solicitudes HTTPS del cliente v\u00edctima pueden reenviarse al servidor del atacante. Una instancia H2O es vulnerable a este ataque solo si la instancia est\u00e1 configurada para escuchar diferentes direcciones o puertos usando la directiva de escucha en el nivel de host y la instancia est\u00e1 configurada para conectarse a servidores backend administrados por m\u00faltiples entidades. Hay un parche disponible en el commit 35760540337a47e5150da0f4a66a609fad2ef0ab. Como workaround, se pueden dejar de utilizar directivas de escucha a nivel de host en favor de las de nivel global.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.9,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.5,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.2.6\",\"matchCriteriaId\":\"3C540EDB-1F68-47E9-A457-B6BC1EB805D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dena:h2o:2.3.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"128D1D5E-4E71-4ABB-B580-F17E2B74B5F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dena:h2o:2.3.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E69DE676-300A-4A95-A04D-7463CA372799\"}]}]}],\"references\":[{\"url\":\"https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.