CVE-2024-45311

Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to `accept()`, `retry()`, `refuse()`, or `ignore()` an `Incoming` connection. However, calling `retry()` on an unvalidated connection exposes the server to a likely panic in the following situations: 1. Calling `refuse` or `ignore` on the resulting validated connection, if a duplicate initial packet is received. This issue can go undetected until a server's `refuse()`/`ignore()` code path is exercised, such as to stop a denial of service attack. 2. Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received. This issue can go undetected if clients are well-behaved. The former situation was observed in a real application, while the latter is only theoretical.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/quinn-rs/quinn/blob/bb02a12a8435a7732a1d762783eeacbb7e50418e/quinn-proto/src/endpoint.rs#L213	Issue Tracking
https://github.com/quinn-rs/quinn/commit/e01609ccd8738bd438d86fa7185a0f85598cb58f	Patch
https://github.com/quinn-rs/quinn/security/advisories/GHSA-vr26-jcq5-fjj8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:quinn_project:quinn:*:*:*:*:*:rust:*:*

History

No history.

Information

Published : 2024-09-02 18:15

Updated : 2024-09-25 17:03

NVD link : CVE-2024-45311

Mitre link : CVE-2024-45311

CVE.ORG link : CVE-2024-45311

JSON object : View

Products Affected

quinn_project

quinn

CWE

CWE-670

Always-Incorrect Control Flow Implementation

{"id": "CVE-2024-45311", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-09-02T18:15:37.373", "references": [{"url": "https://github.com/quinn-rs/quinn/blob/bb02a12a8435a7732a1d762783eeacbb7e50418e/quinn-proto/src/endpoint.rs#L213", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/quinn-rs/quinn/commit/e01609ccd8738bd438d86fa7185a0f85598cb58f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/quinn-rs/quinn/security/advisories/GHSA-vr26-jcq5-fjj8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-670"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-670"}]}], "descriptions": [{"lang": "en", "value": "Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to `accept()`, `retry()`, `refuse()`, or `ignore()` an `Incoming` connection. However, calling `retry()` on an unvalidated connection exposes the server to a likely panic in the following situations: 1. Calling `refuse` or `ignore` on the resulting validated connection, if a duplicate initial packet is received. This issue can go undetected until a server's `refuse()`/`ignore()` code path is exercised, such as to stop a denial of service attack. 2. Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received. This issue can go undetected if clients are well-behaved. The former situation was observed in a real application, while the latter is only theoretical."}, {"lang": "es", "value": "Quinn es una implementaci\u00f3n compatible con async y puramente Rust del protocolo de transporte IETF QUIC. A partir del protocolo quinn 0.11, es posible que un servidor `accept()`, `retry()`, `refuse()` o `ignore()` una conexi\u00f3n `Incoming`. Sin embargo, llamar a `retry()` en una conexi\u00f3n no validada expone al servidor a un posible p\u00e1nico en las siguientes situaciones: 1. Llamar a `refuse` o `ignore` en la conexi\u00f3n validada resultante, si se recibe un paquete inicial duplicado. Este problema puede pasar desapercibido hasta que se ejerza la ruta de c\u00f3digo `refuse()`/`ignore()` de un servidor, como para detener un ataque de denegaci\u00f3n de servicio. 2. Aceptar cuando el paquete inicial para la conexi\u00f3n validada resultante no logra descifrar o agota los ID de conexi\u00f3n, si se recibe un paquete inicial similar que descifra con \u00e9xito y no agota los ID de conexi\u00f3n. Este problema puede pasar desapercibido si los clientes se comportan bien. La primera situaci\u00f3n se observ\u00f3 en una aplicaci\u00f3n real, mientras que la segunda es s\u00f3lo te\u00f3rica."}], "lastModified": "2024-09-25T17:03:36.817", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:quinn_project:quinn:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "4C67B1D7-FE4B-4EE4-95F0-D8EA749AA4CF", "versionEndExcluding": "0.11.4", "versionStartIncluding": "0.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}