2273513 – (CVE-2024-22189) CVE-2024-22189 quic-go: memory exhaustion attack against QUIC's connection ID mechanism

Bug 2273513 (CVE-2024-22189) - CVE-2024-22189 quic-go: memory exhaustion attack against QUIC's connection ID mechanism

Summary: CVE-2024-22189 quic-go: memory exhaustion attack against QUIC's connection ID...

Keywords:
Status:	NEW
Alias:	CVE-2024-22189
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2273514 2273515 2273516 2273517 2275233 2275234 2275235 2275236 2275237
Blocks:	2273512
TreeView+	depends on / blocked

Reported:	2024-04-04 19:36 UTC by Robb Gatica
Modified:	2024-04-18 19:31 UTC (History)
CC List:	39 users (show)
Fixed In Version:	quic-go 0.42.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in quic-go. This issue may allow an attacker to trigger a denial of service by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame, but the attacker can prevent the receiver from sending out the vast majority of these RETIRE_CONNECTION_ID frames by selectively acknowledging received packets and collapsing the peers congestion window and by manipulating the peer's RTT estimate.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Robb Gatica 2024-04-04 19:36:02 UTC

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.

https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a
https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478
https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management
https://www.youtube.com/watch?v=JqXtYcZAtIA&t=3683s

Comment 1 Robb Gatica 2024-04-04 19:43:03 UTC

Created caddy tracking bugs for this issue:

Affects: epel-8 [bug 2273515]
Affects: epel-all [bug 2273514]
Affects: fedora-38 [bug 2273516]
Affects: fedora-39 [bug 2273517]

Comment 3 Anten Skrabec 2024-04-16 07:37:45 UTC

Created dnscrypt-proxy tracking bugs for this issue:

Affects: fedora-39 [bug 2275236]


Created golang-github-quic tracking bugs for this issue:

Affects: fedora-39 [bug 2275237]


Created receptor tracking bugs for this issue:

Affects: fedora-all [bug 2275234]


Created syncthing tracking bugs for this issue:

Affects: epel-8 [bug 2275233]
Affects: fedora-38 [bug 2275235]

Note You need to log in before you can comment on or make changes to this bug.

aarif
aprice
bdettelb
caswilli
davidn
dfreiber
dkuc
drow
epacific
fjansen
gkamathe
gparvin
hkataria
jburrell
jbuscemi
jcammara
jhardy
jmitchel
jneedle
jobarker
jtanner
kaycoth
kshier
lbainbri
mabashia
mpierce
njean
osapryki
owatkins
pahickey
rhaigner
sdawley
sidakwo
simaishi
smcdonal
teagle
vkumar
yguenane
zsadeh