
CVE-2023-43644: sing-box vulnerable to improper authentication in the SOCKS inbound

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: 0.39262%
Published: 9/26/2023
Updated: 11/6/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| github.com/sagernet/sing-box | go | < 1.4.5 | 1.4.5 |
| github.com/sagernet/sing-box | go | >= 1.5.0-beta.1, < 1.5.0-rc.5 | 1.5.0-rc.5 |
| github.com/sagernet/sing | go | < 0.2.12-0.20230925092853-5b05b5c147d9 | 0.2.12-0.20230925092853-5b05b5c147d9 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from missing authentication validation in the SOCKS handshake handler. The patched commit 5b05b5c147d9 in the 'sing' library adds a critical check for the authentication status code (socks5.UsernamePasswordStatusSuccess) that was previously missing. The HandleConnection0 function in protocol/socks/handshake.go processed requests even when authentication failed, as shown by the added error return when response.Status != success. This matches the CWE-306 description of missing authentication for critical functionality and explains how crafted requests could bypass authentication.
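The missing status check described above, as an added example (not code from sing or sing-box): a simplified server-side handler for the SOCKS5 username/password sub-negotiation (RFC 1929), with the unenforced and enforced behaviour side by side. The names `parseAuth` and `handleAuth`, the `enforce` flag and the sample credentials are assumptions of this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// RFC 1929 reply status: 0x00 is success, anything else is failure.
const statusSuccess, statusFailure byte = 0x00, 0x01

var errAuthFailed = errors.New("socks5: username/password rejected")

// parseAuth decodes VER(0x01) ULEN UNAME PLEN PASSWD and rejects bad lengths.
func parseAuth(req []byte) (user, pass string, ok bool) {
	if len(req) < 2 || req[0] != 0x01 || len(req) < 3+int(req[1]) {
		return "", "", false
	}
	ulen, plen := int(req[1]), int(req[2+int(req[1])])
	if len(req) != 3+ulen+plen {
		return "", "", false
	}
	return string(req[2 : 2+ulen]), string(req[3+ulen:]), true
}

// handleAuth (hypothetical) builds the reply. enforce=false models the flaw: a
// failure status is produced but no error, so the caller serves the request.
func handleAuth(req []byte, users map[string]string, enforce bool) ([]byte, error) {
	user, pass, ok := parseAuth(req)
	if !ok {
		return nil, errors.New("socks5: malformed auth request")
	}
	status := statusFailure
	if want, found := users[user]; found && subtle.ConstantTimeCompare([]byte(want), []byte(pass)) == 1 {
		status = statusSuccess
	}
	reply := []byte{0x01, status}
	if enforce && status != statusSuccess {
		return reply, errAuthFailed // the kind of check the patch adds
	}
	return reply, nil
}

func main() {
	bad := []byte{0x01, 5, 'a', 'l', 'i', 'c', 'e', 3, 'b', 'a', 'd'} // constructed: wrong password
	for _, enforce := range []bool{false, true} {
		reply, err := handleAuth(bad, map[string]string{"alice": "s3cret"}, enforce)
		fmt.Printf("enforce=%v reply=%v err=%v\n", enforce, reply, err)
	}
}
```

A caller that treats a nil error as "authenticated" proceeds on the wrong password when `enforce` is false, which is why a regression test for this class of bug should assert on the handler's return value and not only on the status byte sent to the client.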


WAF Protection Rules

WAF Rule

### Impact
This vulnerability allows specially crafted requests to bypass authentication, affecting all SOCKS inbounds with user authentication.

### Patches
Update to sing-box 1.4.5 or 1.5.0-rc.5 and later versions.

### Workarounds
Don't expose
