Headline
GHSA-vr26-jcq5-fjj8: Denial of service in quinn-proto when using `Endpoint::retry()`
Summary
As of quinn-proto 0.11, it is possible for a server to accept(), retry(), refuse(), or ignore() an Incoming connection. However, calling retry() on an unvalidated connection exposes the server to a likely panic in the following situations:
- Calling refuse() or ignore() on the resulting validated connection, if a duplicate initial packet is received
- This issue can go undetected until a server’s refuse()/ignore() code path is exercised, such as to stop a denial of service attack.
- Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn’t exhaust connection IDs is received.
- This issue can go undetected if clients are well-behaved.
The former situation was observed in a real application, while the latter is only theoretical.
Details
Location of panic: https://github.com/quinn-rs/quinn/blob/bb02a12a8435a7732a1d762783eeacbb7e50418e/quinn-proto/src/endpoint.rs#L213
Impact
Denial of service for internet-facing server
Package
cargo quinn-proto (Rust)
Affected versions
>= 0.11.0, < 0.11.7
Patched versions
0.11.7
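The affected range above (>= 0.11.0, < 0.11.7) is what a dependency audit has to test against. The following is an added example, not code from the quinn project or from this advisory: it scans the text of a Cargo.lock for every quinn-proto entry and reports whether the pinned version falls inside that range. The lockfile snippet embedded in the block is constructed for the example; the version bounds are taken from the advisory.

```rust
// Added example: flag quinn-proto versions in a Cargo.lock that fall inside
// the range this advisory names (>= 0.11.0, < 0.11.7). Uses only std.

/// Inclusive lower bound of the affected range, from the advisory.
const AFFECTED_MIN: (u64, u64, u64) = (0, 11, 0);
/// Exclusive upper bound: the first patched version, from the advisory.
const PATCHED: (u64, u64, u64) = (0, 11, 7);

/// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored) into a
/// tuple that compares lexicographically, which is what we need here.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>());
    let major = parts.next()?.ok()?;
    let minor = parts.next()?.ok()?;
    let patch = parts.next()?.ok()?;
    Some((major, minor, patch))
}

/// True when `v` lies in [AFFECTED_MIN, PATCHED).
fn is_affected(v: (u64, u64, u64)) -> bool {
    v >= AFFECTED_MIN && v < PATCHED
}

/// Walk the `[[package]]` blocks of a Cargo.lock and return every quinn-proto
/// version found, paired with whether it is affected. A workspace may pin
/// more than one version of the same crate, so all of them are reported.
fn scan_lockfile(lock: &str) -> Vec<(String, bool)> {
    let mut out = Vec::new();
    for block in lock.split("[[package]]") {
        let mut name = None;
        let mut version = None;
        for line in block.lines() {
            let line = line.trim();
            if let Some(rest) = line.strip_prefix("name = ") {
                name = Some(rest.trim_matches('"').to_string());
            } else if let Some(rest) = line.strip_prefix("version = ") {
                version = Some(rest.trim_matches('"').to_string());
            }
        }
        // The lockfile header ("version = 3") has no name and is skipped here.
        if let (Some(n), Some(v)) = (name, version) {
            if n == "quinn-proto" {
                let affected = parse_version(&v).map_or(false, is_affected);
                out.push((v, affected));
            }
        }
    }
    out
}

/// Constructed Cargo.lock excerpt for the example (not a real project's lockfile).
const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "bytes"
version = "1.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "quinn-proto"
version = "0.11.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "bytes",
]
"#;

fn main() {
    for (version, affected) in scan_lockfile(SAMPLE_LOCK) {
        let verdict = if affected { "AFFECTED (upgrade to 0.11.7)" } else { "ok" };
        println!("quinn-proto {}: {}", version, verdict);
    }
}
```

Run it against a real lockfile by reading the file into a string instead of `SAMPLE_LOCK`; a `cargo update -p quinn-proto` to 0.11.7 or later clears the finding.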
References
- GHSA-vr26-jcq5-fjj8
- https://nvd.nist.gov/vuln/detail/CVE-2024-45311
- quinn-rs/quinn@e01609c
- https://github.com/quinn-rs/quinn/blob/bb02a12a8435a7732a1d762783eeacbb7e50418e/quinn-proto/src/endpoint.rs#L213
djc published to quinn-rs/quinn
Sep 2, 2024
Published by the National Vulnerability Database
Sep 2, 2024
Published to the GitHub Advisory Database
Sep 3, 2024
Reviewed
Sep 3, 2024
Last updated
Sep 3, 2024