CVE-2024-53259

{"id": "CVE-2024-53259", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-12-02T17:15:12.767", "references": [{"url": "https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50", "source": "security-advisories@github.com"}, {"url": "https://github.com/quic-go/quic-go/pull/4729", "source": "security-advisories@github.com"}, {"url": "https://github.com/quic-go/quic-go/releases/tag/v0.48.2", "source": "security-advisories@github.com"}, {"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr", "source": "security-advisories@github.com"}], "vulnStatus": "Received", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a \"message too large\" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection). The attacker needs to at least know the client's IP and port tuple to mount an attack. This vulnerability is fixed in 0.48.2."}, {"lang": "es", "value": "quic-go es una implementaci\u00f3n del protocolo QUIC en Go. Un atacante que no se encuentre en la ruta de acceso puede inyectar un paquete ICMP de tama\u00f1o excesivo. Dado que las versiones de quic-go afectadas utilizan IP_PMTUDISC_DO, el n\u00facleo devolver\u00eda un error de \"mensaje demasiado grande\" en sendmsg, es decir, cuando quic-go intenta enviar un paquete que excede la MTU indicada en ese paquete ICMP. Al establecer este valor en un valor menor a 1200 bytes (la MTU m\u00ednima para QUIC), el atacante puede interrumpir una conexi\u00f3n QUIC. Fundamentalmente, esto se puede hacer despu\u00e9s de completar el protocolo de enlace, evitando as\u00ed cualquier respaldo TCP que pueda implementarse en la capa de aplicaci\u00f3n (por ejemplo, muchos navegadores recurren a HTTP sobre TCP si no pueden establecer una conexi\u00f3n QUIC). El atacante necesita al menos conocer la IP del cliente y la tupla de puertos para montar un ataque. Esta vulnerabilidad se corrigi\u00f3 en 0.48.2."}], "lastModified": "2024-12-02T17:15:12.767", "sourceIdentifier": "security-advisories@github.com"}