1220053 – VUL-0: CVE-2024-24806: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs8: libuv: improper domain lookup that potentially leads to SSRF attacks

Bug 1220053 - VUL-0: CVE-2024-24806: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs8: libuv: improper domain lookup that potentially leads to SSRF attacks

Summary: VUL-0: CVE-2024-24806: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,...

Status:	IN_PROGRESS

Alias:	None

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Adam Majer
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/393398/
Whiteboard:
Keywords:

Depends on:
Blocks:	CVE-2024-24806
	Show dependency tree / graph

Clone This Bug

Reported:	2024-02-19 08:39 UTC by Andrea Mattiazzo
Modified:	2024-07-12 15:20 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrea Mattiazzo 2024-02-19 08:39:07 UTC

libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24806
https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
https://www.cve.org/CVERecord?id=CVE-2024-24806
https://bugzilla.redhat.com/show_bug.cgi?id=2263292

Patch:
https://github.com/libuv/libuv/commit/3530bcc30350d4a6ccf35d2f7b33e23292b9de70
https://github.com/libuv/libuv/commit/e0327e1d508b8207c9150b6e582f0adf26213c39
https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629

Comment 1 Andrea Mattiazzo 2024-02-19 08:40:06 UTC

Vulnerable libuv package version embedded in:
openSUSE:Factory/nodejs20 - libuv (v1.46.0)
SUSE:ALP:Source:Standard:1.0/nodejs20 - libuv (v1.46.0)
SUSE:SLE-12-SP4:Update/nodejs14 - libuv (v1.42.0)
SUSE:SLE-12-SP5:Update/nodejs16 - libuv (v1.43.0)
SUSE:SLE-12-SP5:Update/nodejs18 - libuv (v1.44.2)
SUSE:SLE-12:Update/nodejs10 - libuv (v1.34.2)
SUSE:SLE-12:Update/nodejs12 - libuv (v1.40.0)
SUSE:SLE-15-SP2:Update/nodejs12 - libuv (v1.40.0)
SUSE:SLE-15-SP2:Update/nodejs14 - libuv (v1.42.0)
SUSE:SLE-15-SP3:Update/nodejs16 - libuv (v1.43.0)
SUSE:SLE-15-SP4:Update/nodejs16 - libuv (v1.43.0)
SUSE:SLE-15-SP4:Update/nodejs18 - libuv (v1.44.2)
SUSE:SLE-15-SP5:Update/nodejs18 - libuv (v1.44.2)
SUSE:SLE-15-SP5:Update/nodejs20 - libuv (v1.46.0)
SUSE:SLE-15:Update/nodejs10 - libuv (v1.34.2)

Comment 7 Maintenance Automation 2024-02-29 16:30:11 UTC

SUSE-SU-2024:0733-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219993, 1219997, 1220014, 1220053
CVE References: CVE-2023-46809, CVE-2024-22019, CVE-2024-22025, CVE-2024-24806
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): nodejs12-12.22.12-150200.4.56.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs12-12.22.12-150200.4.56.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): nodejs12-12.22.12-150200.4.56.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs12-12.22.12-150200.4.56.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): nodejs12-12.22.12-150200.4.56.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs12-12.22.12-150200.4.56.1
SUSE Enterprise Storage 7.1 (src): nodejs12-12.22.12-150200.4.56.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Maintenance Automation 2024-02-29 16:30:14 UTC

SUSE-SU-2024:0732-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219993, 1219997, 1220014, 1220053
CVE References: CVE-2023-46809, CVE-2024-22019, CVE-2024-22025, CVE-2024-24806
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): nodejs14-14.21.3-150200.15.55.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs14-14.21.3-150200.15.55.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): nodejs14-14.21.3-150200.15.55.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs14-14.21.3-150200.15.55.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): nodejs14-14.21.3-150200.15.55.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs14-14.21.3-150200.15.55.1
SUSE Enterprise Storage 7.1 (src): nodejs14-14.21.3-150200.15.55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Maintenance Automation 2024-02-29 16:30:18 UTC

SUSE-SU-2024:0731-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219993, 1219997, 1220014, 1220017, 1220053
CVE References: CVE-2023-46809, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806
Sources used:
Web and Scripting Module 12 (src): nodejs16-16.20.2-8.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Maintenance Automation 2024-03-01 09:00:27 UTC

SUSE-SU-2024:0729-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219993, 1219997, 1220014, 1220017, 1220053
CVE References: CVE-2023-46809, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806
Sources used:
openSUSE Leap 15.3 (src): nodejs16-16.20.2-150300.7.33.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs16-16.20.2-150300.7.33.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs16-16.20.2-150300.7.33.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs16-16.20.2-150300.7.33.1
SUSE Enterprise Storage 7.1 (src): nodejs16-16.20.2-150300.7.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Maintenance Automation 2024-03-01 09:00:30 UTC

SUSE-SU-2024:0728-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219993, 1219997, 1220014, 1220017, 1220053
CVE References: CVE-2023-46809, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806
Sources used:
openSUSE Leap 15.4 (src): nodejs16-16.20.2-150400.3.30.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): nodejs16-16.20.2-150400.3.30.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): nodejs16-16.20.2-150400.3.30.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): nodejs16-16.20.2-150400.3.30.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): nodejs16-16.20.2-150400.3.30.1
SUSE Manager Server 4.3 (src): nodejs16-16.20.2-150400.3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 OBSbugzilla Bot 2024-04-10 11:35:02 UTC

This is an autogenerated message for OBS integration:
This bug (1220053) was mentioned in
https://build.opensuse.org/request/show/1166624 Factory / nodejs20

Comment 14 Maintenance Automation 2024-04-16 08:30:04 UTC

SUSE-SU-2024:1301-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33347](https://smelt.suse.de/incident/33347/)
Sources used:
Web and Scripting Module 15-SP5 (src):
 nodejs20-20.12.1-150500.11.9.2
openSUSE Leap 15.5 (src):
 nodejs20-20.12.1-150500.11.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Maintenance Automation 2024-04-16 12:30:08 UTC

SUSE-SU-2024:1309-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33350](https://smelt.suse.de/incident/33350/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs18-18.20.1-150400.9.21.3
openSUSE Leap 15.5 (src):
 nodejs18-18.20.1-150400.9.21.3
Web and Scripting Module 15-SP5 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Manager Server 4.3 (src):
 nodejs18-18.20.1-150400.9.21.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Maintenance Automation 2024-04-16 12:30:13 UTC

SUSE-SU-2024:1307-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33351](https://smelt.suse.de/incident/33351/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs18-18.20.1-8.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.