PatchSiren cyber security CVE debrief
CVE-2024-24806 libuv CVE debrief
CVE-2024-24806 is a high-severity vulnerability in libuv, a multi-platform asynchronous I/O support library. The flaw exists in the `uv_getaddrinfo` function, which truncates hostnames to 256 characters before calling `getaddrinfo`. When hostnames exceed this length, truncation occurs without a terminating null byte, potentially allowing crafted payloads to resolve to unintended IP addresses such as `0x00007f000001`. This behavior can enable Server-Side Request Forgery (SSRF) attacks in scenarios where applications use user-controlled subdomains (e.g., `username.example.com`) and internal services crawl or cache these pages. The vulnerability affects Siemens SINEC INS, which incorporates the vulnerable libuv component. CISA published advisory ICSA-24-319-08 on November 12, 2024, coordinating disclosure with Siemens. Siemens has released a vendor fix in SINEC INS V1.0 SP2 Update 3. No workarounds are available.
- Vendor: libuv
- Product: SINEC INS
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-12
- Original CVE updated: 2024-11-12
- Advisory published: 2024-11-12
- Advisory updated: 2024-11-12
Who should care
Organizations running Siemens SINEC INS industrial network management software; developers using libuv for asynchronous DNS resolution in applications processing untrusted hostnames; security teams defending against SSRF in multi-tenant or user-content platforms with subdomain architectures; OT/ICS security practitioners following CISA advisories for critical infrastructure protection.
Technical summary
The vulnerability resides in libuv's cross-platform `uv_getaddrinfo` implementation (`src/unix/getaddrinfo.c` and `src/win/getaddrinfo.c`). The function uses a fixed 256-byte `hostname_ascii` buffer for IDNA conversion via `uv__idna_toascii`. Hostnames exceeding 256 characters are truncated without null termination, allowing crafted strings to form valid IP address representations (e.g., hexadecimal `0x00007f000001`) that `getaddrinfo` resolves unexpectedly. This enables SSRF in applications with user-controlled subdomain patterns where internal services fetch or cache content. Fixed in libuv 1.48.0; Siemens SINEC INS patched in V1.0 SP2 Update 3.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Siemens SINEC INS to V1.0 SP2 Update 3 or later, per vendor remediation guidance
- Review applications that use libuv to resolve hostnames from untrusted sources, particularly those with user-controlled subdomain patterns
- Validate hostnames and enforce length limits in custom applications before passing them to resolution functions
- Monitor for anomalous DNS resolution requests involving unusually long hostnames or unexpected internal IP targets
- Apply network segmentation and egress filtering to limit impact of potential SSRF exploitation
- Review CISA ICS recommended practices for industrial control system defense in depth
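The following is an added example, not libuv or Siemens code, of the pre-resolution check recommended above: it enforces an assumed policy of RFC 1035 limits (253 characters total, 63 per label) so nothing near the 256-byte buffer reaches the resolver, and it requires the final label to begin with a letter, which keeps every inet_aton-style numeric literal (including hex forms like the one quoted in the summary) out of `getaddrinfo`. The function names and the oversized sample are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed policy: RFC 1035 limits, so every accepted name stays well
 * inside the 256-byte hostname_ascii buffer discussed above. */
#define MAX_HOSTNAME_LEN 253
#define MAX_LABEL_LEN 63

/* True only for a well-formed DNS name: within the length limits, labels
 * of [A-Za-z0-9-] that neither start nor end with '-', and a final label
 * beginning with a letter. That last rule rejects every inet_aton-style
 * literal (dotted quads, "127.1", decimal, octal or hex forms such as
 * "0x00007f000001"), since each of those ends in a numeric token. */
bool hostname_is_safe(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > MAX_HOSTNAME_LEN) return false;
    if (name[len - 1] == '.') len--;             /* tolerate a trailing dot */
    if (len == 0) return false;

    size_t label_start = 0, last_label = 0;
    for (size_t i = 0; i <= len; i++) {
        char c = (i < len) ? name[i] : '.';      /* treat the end as a separator */
        if (c == '.') {
            size_t label_len = i - label_start;
            if (label_len == 0 || label_len > MAX_LABEL_LEN) return false;
            if (name[label_start] == '-' || name[i - 1] == '-') return false;
            last_label = label_start;
            label_start = i + 1;
        } else if (!isalnum((unsigned char)c) && c != '-') {
            return false;
        }
    }
    return isalpha((unsigned char)name[last_label]) != 0;
}

/* Constructed sample: a 300-character name of 50-character labels, longer
 * than the 256-byte buffer; it must be rejected before any resolver call. */
bool oversized_sample_rejected(void) {
    static char name[301];
    for (size_t i = 0; i < 300; i++) name[i] = (i % 51 == 50) ? '.' : 'a';
    name[300] = '\0';
    return !hostname_is_safe(name);
}
```

Call `hostname_is_safe` on any untrusted name before it reaches `uv_getaddrinfo` or `getaddrinfo`; a rejected name should be logged, since unusually long or numeric-looking hostnames are the signal the monitoring action above looks for.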
Evidence notes
The vulnerability stems from improper null termination when hostnames are truncated within libuv's `uv_getaddrinfo` and `uv__idna_toascii` functions. The missing terminator on the 256-byte `hostname_ascii` buffer leads to address resolution manipulation. The attack vector requires attacker-controlled long hostnames that, when truncated, form valid IP address strings interpretable by `getaddrinfo`.
Official resources
- CVE-2024-24806 CVE record (CVE.org)
- CVE-2024-24806 NVD detail (NVD)
- Source item URL (cisa_csaf)
Coordinated disclosure via CISA ICS advisory ICSA-24-319-08 published November 12, 2024, with vendor fix available from Siemens.