Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wcHh4LTVtOWgtNnZ4Zs4AA4Ux
quic-go's path validation mechanism can be exploited to cause denial of service
An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.
I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation/
There's no way to mitigate this attack, please update quic-go to a version that contains the fix.
Permalink: https://github.com/advisories/GHSA-ppxx-5m9h-6vxfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcHh4LTVtOWgtNnZ4Zs4AA4Ux
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 2 months ago
CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
Identifiers: GHSA-ppxx-5m9h-6vxf, CVE-2023-49295
References:
- https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf
- https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc
- https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965
- https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a
- https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49
- https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e
- https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc
- https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4
- https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8
- https://nvd.nist.gov/vuln/detail/CVE-2023-49295
- https://lists.fedoraproject.org/archives/list/[email protected]/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV
- https://lists.fedoraproject.org/archives/list/[email protected]/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG
- https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation
- https://github.com/advisories/GHSA-ppxx-5m9h-6vxf
Blast Radius: 19.6
Affected Packages
go:github.com/quic-go/quic-go
Dependent packages: 1,800Dependent repositories: 1,144
Downloads:
Affected Version Ranges: < 0.37.7, >= 0.38.0, < 0.38.2, >= 0.39.0, < 0.39.4, = 0.40.0
Fixed in: 0.37.7, 0.38.2, 0.39.4, 0.40.1
All affected versions: 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.15.8, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.20.0, 0.20.1, 0.21.0, 0.21.1, 0.21.2, 0.22.0, 0.22.1, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.27.1, 0.27.2, 0.28.0, 0.28.1, 0.29.0, 0.29.1, 0.29.2, 0.30.0, 0.31.0, 0.31.1, 0.32.0, 0.33.0, 0.33.1, 0.34.0, 0.35.0, 0.35.1, 0.36.0, 0.36.1, 0.36.2, 0.36.3, 0.36.4, 0.37.0, 0.37.1, 0.37.2, 0.37.3, 0.37.4, 0.37.5, 0.37.6, 0.38.0, 0.38.1, 0.39.0, 0.39.1, 0.39.2, 0.39.3, 0.40.0
All unaffected versions: 0.37.7, 0.38.2, 0.39.4, 0.40.1, 0.41.0