CVE-2023-48230
NixOS vulnerability analysis and mitigation

Overview

Cap'n Proto, a data interchange format and capability-based RPC system, disclosed a vulnerability (CVE-2023-48230) affecting versions 1.0 and 1.0.1. The vulnerability exists in the KJ HTTP library when WebSocket compression is enabled, where a buffer underrun can be triggered by a remote peer. The issue was discovered by the Cloudflare Workers team and was publicly disclosed on November 21, 2023. The vulnerability primarily affects systems using the KJ HTTP library with WebSocket compression enabled, with Cloudflare Workers Runtime being the main suspected affected system (GitHub Advisory).

Technical details

The vulnerability stems from inconsistent handling of compressed WebSocket messages. When processing the header, the code decided whether the message was compressed based on the presence of the appropriate flag in the header. However, after receiving the whole message, it incorrectly treated the message as compressed based only on whether the session had negotiated compression upfront. The bug causes a buffer underrun that writes a constant 4-byte string { 0x00, 0x00, 0xFF, 0xFF } into memory. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST and 5.9 (MEDIUM) by GitHub (NVD).

Impact

The vulnerability can lead to a remote denial-of-service attack through application crashes. While the buffer underrun writes a constant, non-attacker-controlled value, which typically results in a crash, the possibility of remote code execution cannot be completely ruled out, though it is considered unlikely. The impact is limited to systems that specifically enable WebSocket compression, as this feature is disabled by default (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Cap'n Proto version 1.0.1.1. The fix involves correcting the logic for handling compressed WebSocket messages to properly rely on the bits in the header and throw an error if the header indicates compression but compression wasn't negotiated. Users should upgrade to the patched version. The fix is available through Unix (https://capnproto.org/capnproto-c++-1.0.1.1.tar.gz) and Windows (https://capnproto.org/capnproto-c++-win32-1.0.1.1.zip) distributions (GitHub Advisory).
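The mismatch described under "Technical details" and the corrected check described above can be modelled side by side. This is an added example, not code from KJ or Cap'n Proto: all names are hypothetical, the flag is assumed to be the RSV1 bit (0x40) that RFC 7692 uses for permessage-deflate, and only the decision logic is modelled, not KJ's buffer handling.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// First WebSocket header byte (RFC 6455): FIN 0x80, RSV1 0x40, opcode 0x0F.
// Assumption: RSV1 is the "message is compressed" flag (RFC 7692).
constexpr uint8_t kRsv1 = 0x40;

struct Session { bool compressionNegotiated; };  // hypothetical session state
enum class Path { Plain, Inflate };

bool headerSaysCompressed(uint8_t firstByte) { return (firstByte & kRsv1) != 0; }

// Stage 1: while parsing the header, the decision follows the header flag.
Path headerStage(uint8_t firstByte) {
  return headerSaysCompressed(firstByte) ? Path::Inflate : Path::Plain;
}

// Stage 2, pre-fix behaviour as described: only the negotiation result is consulted.
Path finishPreFix(const Session& s, uint8_t /*firstByte*/) {
  return s.compressionNegotiated ? Path::Inflate : Path::Plain;
}

// Stage 2, fixed behaviour as described: rely on the header bit, and reject a
// compressed frame when compression was never negotiated.
Path finishFixed(const Session& s, uint8_t firstByte) {
  bool flagged = headerSaysCompressed(firstByte);
  if (flagged && !s.compressionNegotiated)
    throw std::runtime_error("compressed frame without negotiated compression");
  return flagged ? Path::Inflate : Path::Plain;
}

// True when the two pre-fix stages pick different paths for the same message.
bool preFixDisagrees(const Session& s, uint8_t firstByte) {
  return headerStage(firstByte) != finishPreFix(s, firstByte);
}

bool fixedRejects(const Session& s, uint8_t firstByte) {
  try { finishFixed(s, firstByte); return false; }
  catch (const std::runtime_error&) { return true; }
}

int main() {
  const uint8_t frames[] = {0x81, 0xC1};  // constructed: FIN+text without / with RSV1
  const bool modes[] = {false, true};
  for (bool negotiated : modes)
    for (uint8_t b : frames)
      std::printf("negotiated=%d byte=0x%02X preFixDisagrees=%d fixedRejects=%d\n",
                  negotiated, b, preFixDisagrees(Session{negotiated}, b),
                  fixedRejects(Session{negotiated}, b));
}
```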

This report was generated using AI

Related NixOS vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-14330 | CRITICAL | 9.8 | NixOS | rhel10::firefox-flatpak | No | Yes | Dec 09, 2025 |
| CVE-2025-14329 | HIGH | 8.8 | NixOS | cpe:2.3:a:mozilla:firefox | No | Yes | Dec 09, 2025 |
| CVE-2025-14333 | HIGH | 8.1 | NixOS | firefox | No | Yes | Dec 09, 2025 |
| CVE-2025-14332 | HIGH | 7.3 | NixOS | cpe:2.3:a:mozilla:firefox | No | Yes | Dec 09, 2025 |
| CVE-2025-14331 | MEDIUM | 6.5 | NixOS | rhel10::thunderbird-flatpak | No | Yes | Dec 09, 2025 |
