GHSA-c33x-xqrf-c478

Suggest an improvement
Source
https://github.com/advisories/GHSA-c33x-xqrf-c478
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-c33x-xqrf-c478/GHSA-c33x-xqrf-c478.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c33x-xqrf-c478
Aliases
Related
Published
2024-04-02T14:16:05Z
Modified
2024-04-05T18:53:25Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
QUIC's Connection ID Mechanism vulnerable to Memory Exhaustion Attack
Details

An attacker can cause its peer to run out of memory by sending a large number of NEWCONNECTIONID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRECONNECTIONID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRECONNECTIONID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management/. I also presented this attack in the IETF QUIC working group session at IETF 119: https://youtu.be/JqXtYcZAtIA?si=nJ31QKLBSTRXY35U&t=3683

There's no way to mitigate this attack, please update quic-go to a version that contains the fix.

Database specific
{
    "nvd_published_at": "2024-04-04T15:15:37Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-02T14:16:05Z"
}
References

Affected packages

Go / github.com/quic-go/quic-go

Package

Name
github.com/quic-go/quic-go
View open source insights on deps.dev
Purl
pkg:golang/github.com/quic-go/quic-go

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.42.0