Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-c33x-xqrf-c478: QUIC's Connection ID Mechanism vulnerable to Memory Exhaustion Attack

An attacker can cause its peer to run out of memory sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer’s RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management/. I also presented this attack in the IETF QUIC working group session at IETF 119: https://youtu.be/JqXtYcZAtIA?si=nJ31QKLBSTRXY35U&t=3683

There’s no way to mitigate this attack, please update quic-go to a version that contains the fix.

ghsa
#git

Package

gomod github.com/quic-go/quic-go (Go)

Affected versions

< 0.42.0

Patched versions

0.42.0

Description

An attacker can cause its peer to run out of memory sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer’s RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management/.
I also presented this attack in the IETF QUIC working group session at IETF 119: https://youtu.be/JqXtYcZAtIA?si=nJ31QKLBSTRXY35U&t=3683

There’s no way to mitigate this attack, please update quic-go to a version that contains the fix.

References

  • GHSA-c33x-xqrf-c478
  • quic-go/quic-go@4a99b81
  • https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management
  • https://www.youtube.com/watch?v=JqXtYcZAtIA&t=3683s

marten-seemann published to quic-go/quic-go

Apr 2, 2024

Published to the GitHub Advisory Database

Apr 2, 2024

Reviewed

Apr 2, 2024

Last updated

Apr 2, 2024

Related news

Red Hat Security Advisory 2024-8534-03

Red Hat Security Advisory 2024-8534-03 - An update is now available for Red Hat Ansible Automation Platform 2.5. Issues addressed include cross site scripting and memory exhaustion vulnerabilities.

Red Hat Security Advisory 2024-0041-03

Red Hat Security Advisory 2024-0041-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, password leak, and resource exhaustion vulnerabilities.

Red Hat Security Advisory 2024-4144-03

Red Hat Security Advisory 2024-4144-03 - VolSync v0.9.2 general availability release images provide the following: enhancements, security fixes, and updated container images.