
Cloud Vulnerability DB
A community-led vulnerabilities database
A buffer overflow vulnerability (CVE-2023-50784) was discovered in UnrealIRCd versions 6.1.0 through 6.1.3. The vulnerability affects the websockets functionality and allows an unauthenticated remote attacker to crash the server by sending an oversized packet when a websocket port is open. The issue was discovered on December 13, 2023, and was patched with the release of UnrealIRCd 6.1.4 on December 16, 2023 (UnrealIRCd Forum).
The vulnerability stems from a buffer overflow in the websocket handling code where two functions handle packet parsing differently: the first function performs a length check against a primary buffer, while the second function performs a memcpy operation without additional length verification on a secondary buffer. The issue arose when a change in version 6.1.0 increased the size of the first buffer without corresponding adjustments to the second buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (UnrealIRCd Forum).
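The two-stage pattern described above, as an added illustration that is not UnrealIRCd's code: every function name, the struct and both buffer sizes are hypothetical. It shows the unchecked second-stage copy beside a hardened version that validates the length against the buffer it actually writes to.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical sizes: the receive buffer was enlarged, the frame buffer was not. */
#define RECV_BUF_SIZE  16384
#define FRAME_BUF_SIZE 4096

struct ws_conn {
    unsigned char frame[FRAME_BUF_SIZE];
    size_t frame_len;
};

/* Stage 1: accepts anything that fits the primary (receive) buffer. */
int stage1_accept(size_t len)
{
    return len <= RECV_BUF_SIZE;
}

/* Stage 2 as described: trusts stage 1 and copies with no check of its own.
 * Any len in (FRAME_BUF_SIZE, RECV_BUF_SIZE] writes past c->frame. */
void stage2_copy_unchecked(struct ws_conn *c, const unsigned char *p, size_t len)
{
    memcpy(c->frame, p, len);
    c->frame_len = len;
}

/* Hardened stage 2: bounds-checks against the destination buffer itself. */
int stage2_copy_checked(struct ws_conn *c, const unsigned char *p, size_t len)
{
    if (len > sizeof(c->frame))
        return -1;              /* reject; caller should drop the connection */
    memcpy(c->frame, p, len);
    c->frame_len = len;
    return 0;
}

/* Returns 0 if the packet was stored, -1 if either stage rejected it. */
int ws_handle_packet(struct ws_conn *c, const unsigned char *p, size_t len)
{
    if (!stage1_accept(len))
        return -1;
    return stage2_copy_checked(c, p, len);
}
```

Deriving both limits from one constant, or adding a compile-time assertion that relates them, keeps a later resize of one buffer from reopening the gap.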
On most modern Linux distributions with fortified functions enabled (a security feature implemented since 2016), the buffer overflow triggers a server crash. On FreeBSD and Windows systems, the overflow affects harmless buffers with no noticeable impact. While remote code execution might theoretically be possible on some uncommon, older platforms, this was not demonstrated in testing (UnrealIRCd Forum).
UnrealIRCd released version 6.1.4 to address this vulnerability. For *NIX users, a hot-patch was also made available that can be applied without server restart using the command './unrealircd hot-patch websocket61xcrash'. As a workaround, administrators can disable any listen blocks for websockets if they cannot immediately patch or upgrade their servers (UnrealIRCd Forum, Fedora Update).
The vulnerability was quickly addressed by Linux distributions, with Fedora releasing security updates for both Fedora 38 and 39 (Fedora 38 Update, Fedora 39 Update).
Source: This report was generated using AI