#VU72086 Buffer overflow in ModSecurity - CVE-2023-24021


Vulnerability identifier: #VU72086

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-24021

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ModSecurity
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Trustwave

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when executing rules that read the FILES_TMP_CONTENT collection. A remote attacker can upload a specially crafted file on the system, trigger memory corruption and execute arbitrary code on the target system or bypass implemented WAF protection rules.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ModSecurity: 2.9.0 - 2.9.6

External links
https://github.com/SpiderLabs/ModSecurity/pull/2857/commits/4324f0ac59f8225aa44bc5034df60dbeccd1d334
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.7
https://github.com/SpiderLabs/ModSecurity/pull/2857
https://lists.debian.org/debian-lts-announce/2023/01/msg00023.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Oracle HTTP Server
Ubuntu update for modsecurity-apache
Fedora 38 update for mod_security
Fedora 36 update for mod_security
Fedora 37 update for mod_security
Multiple vulnerabilities in Red Hat JBoss Core Services
Multiple vulnerabilities in Oracle Solaris third-party software
SUSE update for apache2-mod_security2
SUSE update for apache2-mod_security2
Buffer overflow in ModSecurity