CVE-2023-49295: quic-go's path validation mechanism can cause denial of service
First published: Wed Jan 10 2024(Updated: )
An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation/ There's no way to mitigate this attack, please update quic-go to a version that contains the fix.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/quic-go/quic-go | <0.37.7 | 0.37.7 |
| go/github.com/quic-go/quic-go | >=0.38.0<0.38.2 | 0.38.2 |
| go/github.com/quic-go/quic-go | >=0.39.0<0.39.4 | 0.39.4 |
| go/github.com/quic-go/quic-go | =0.40.0 | 0.40.1 |
| redhat/quic-go | <0.40.1 | 0.40.1 |
| redhat/quic-go | <0.39.4 | 0.39.4 |
| redhat/quic-go | <0.38.2 | 0.38.2 |
| redhat/quic-go | <0.37.7 | 0.37.7 |
| quic-go | <0.37.7 | |
| quic-go | >=0.38.0<0.38.2 | |
| quic-go | >=0.39.0<0.39.4 | |
| quic-go | =0.40.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc
- https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965
- https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a
- https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49
- https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e
- https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc
- https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4
- https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8
- https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257827
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257829
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257830
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257826
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257831
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257832
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257828
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257833
- https://access.redhat.com/errata/RHSA-2024:0855
- https://bugzilla.redhat.com/show_bug.cgi?id=2257815
- https://nvd.nist.gov/vuln/detail/CVE-2023-49295
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG
- https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation
- https://github.com/advisories/GHSA-ppxx-5m9h-6vxf (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/
Frequently Asked Questions
What is the severity of CVE-2023-49295?
CVE-2023-49295 has a high severity due to its potential to exhaust system memory through excessive PATH_CHALLENGE frames.
How do I fix CVE-2023-49295?
To mitigate CVE-2023-49295, update the affected quic-go versions to 0.37.7, 0.38.2, 0.39.4, or 0.40.1.
Which versions of quic-go are affected by CVE-2023-49295?
The affected versions of quic-go in relation to CVE-2023-49295 include all versions before 0.37.7 and versions between 0.38.0 and 0.40.0.
Who is affected by CVE-2023-49295?
Any user or organization utilizing quic-go versions from 0.37.7 to before 0.40.1 may be vulnerable to CVE-2023-49295.
What type of vulnerability is CVE-2023-49295?
CVE-2023-49295 is a denial-of-service vulnerability that can lead to memory exhaustion in the affected application.
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/remedy
- agent/severity
- agent/description
- agent/softwarecombine
- agent/title
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-ppxx-5m9h-6vxf
- alias/CVE-2023-49295
- agent/software-canonical-lookup
- collector/github-advisory
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/go
- package-manager/redhat
- vendor/quic-go project
- canonical/quic-go
- version/quic-go/0.38.0
- version/quic-go/0.39.0
- version/quic-go/0.40.0