Fluid Attacks Database

Description

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/quic-go/quic-go	>=0 <0.42.0	0.42.0
debian 12	golang-github-lucas-clemente-quic-go	=0.29.0-1 \|\| =0.29.2-1 \|\| =0.29.2-2 \|\| =0.29.2-3 \|\| =0.37.0-1 \|\| =0.37.4-1 \|\| =0.37.4-1~bpo12+1 \|\| =0.38.2-1 \|\| =0.38.2-2 \|\| =0.46.0-1 \|\| =0.46.0-2 \|\| =0.46.0-2~bpo12+1 \|\| =0.50.0-1 \|\| =0.50.1-1 \|\| =0.50.1-2 \|\| =0.54.0-1 \|\| =0.54.0-2 \|\| =0.54.0-3 \|\| =0.54.1-1 \|\| =0.55.0-1 \|\| =0.59.0-1 \|\| =0.59.0-2	-
debian 13	golang-github-lucas-clemente-quic-go	>=0 <0.46.0-1	0.46.0-1
debian 11	golang-github-lucas-clemente-quic-go	=0.19.3-1 \|\| =0.24.0-1 \|\| =0.25.0-1 \|\| =0.26.0-1 \|\| =0.26.0-1~bpo11+1 \|\| =0.29.0-1 \|\| =0.29.0-1~bpo11+1 \|\| =0.29.0-1~bpo11+2 \|\| =0.29.2-1 \|\| =0.29.2-2 \|\| =0.29.2-3 \|\| =0.37.0-1 \|\| =0.37.4-1 \|\| =0.37.4-1~bpo12+1 \|\| =0.38.2-1 \|\| =0.38.2-2 \|\| =0.46.0-1 \|\| =0.46.0-2 \|\| =0.46.0-2~bpo12+1 \|\| =0.50.0-1 \|\| =0.50.1-1 \|\| =0.50.1-2 \|\| =0.54.0-1 \|\| =0.54.0-2 \|\| =0.54.0-3 \|\| =0.54.1-1 \|\| =0.55.0-1 \|\| =0.59.0-1 \|\| =0.59.0-2	-
debian 14	golang-github-lucas-clemente-quic-go	>=0 <0.46.0-1	0.46.0-1

Aliases

1. CVE-2024-221892. NVD-2024-221893. OSV-2024-221894. OSV-DEBIAN-2024-221895. GHSA-c33x-xqrf-c4786. GCVE-2024-221897. SECURITY-TRACKER-CVE-2024-22189

References

1. https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c4782. https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a3. https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management4. https://www.youtube.com/watch?v=JqXtYcZAtIA&t=3683s

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.