Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-vr26-jcq5-fjj8: Denial of service in quinn-proto when using `Endpoint::retry()`

Summary

As of quinn-proto 0.11, it is possible for a server to accept(), retry(), refuse(), or ignore() an Incoming connection. However, calling retry() on an unvalidated connection exposes the server to a likely panic in the following situations:

  • Calling refuse or ignore on the resulting validated connection, if a duplicate initial packet is received
    • This issue can go undetected until a server’s refuse()/ignore() code path is exercised, such as to stop a denial of service attack.
  • Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn’t exhaust connection IDs is received.
    • This issue can go undetected if clients are well-behaved.

The former situation was observed in a real application, while the latter is only theoretical.

Details

Location of panic: https://github.com/quinn-rs/quinn/blob/bb02a12a8435a7732a1d762783eeacbb7e50418e/quinn-proto/src/endpoint.rs#L213

Impact

Denial of service for internet-facing server

ghsa
#vulnerability#dos#git

Package

cargo quinn-proto (Rust)

Affected versions

>= 0.11.0, < 0.11.7

Patched versions

0.11.7

Description

Summary

As of quinn-proto 0.11, it is possible for a server to accept(), retry(), refuse(), or ignore() an Incoming connection. However, calling retry() on an unvalidated connection exposes the server to a likely panic in the following situations:

  • Calling refuse or ignore on the resulting validated connection, if a duplicate initial packet is received
    • This issue can go undetected until a server’s refuse()/ignore() code path is exercised, such as to stop a denial of service attack.
  • Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn’t exhaust connection IDs is received.
    • This issue can go undetected if clients are well-behaved.

The former situation was observed in a real application, while the latter is only theoretical.

Details

Location of panic: https://github.com/quinn-rs/quinn/blob/bb02a12a8435a7732a1d762783eeacbb7e50418e/quinn-proto/src/endpoint.rs#L213

Impact

Denial of service for internet-facing server

References

  • GHSA-vr26-jcq5-fjj8
  • https://nvd.nist.gov/vuln/detail/CVE-2024-45311
  • quinn-rs/quinn@e01609c
  • https://github.com/quinn-rs/quinn/blob/bb02a12a8435a7732a1d762783eeacbb7e50418e/quinn-proto/src/endpoint.rs#L213

djc published to quinn-rs/quinn

Sep 2, 2024

Published by the National Vulnerability Database

Sep 2, 2024

Published to the GitHub Advisory Database

Sep 3, 2024

Reviewed

Sep 3, 2024

Last updated

Sep 3, 2024

ghsa: Latest News

GHSA-pj33-75x5-32j4: RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission