Asymmetric denial of service in github.com/apernet/hysteria/core/v2

Description

Hysteria: A specially constructed QUIC packet can crash the server with an out-of-memory (OOM) condition when sniffing is enabled

Summary

A specially constructed QUIC packet can crash the server with an out-of-memory (OOM) condition when sniffing is enabled.

Details

When the server has sniffing enabled, a client with a valid connection can ask the server to forward UDP traffic and send a QUIC packet that declares a huge crypto length. The server allocates memory according to this declared length, which causes an OOM.
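The defensive pattern for this class of bug, as an added Go example that is not Hysteria's code or its patch: the peer-declared offset and length of a CRYPTO frame body (RFC 9000 layout) are validated before any allocation. The function names and the 16 KiB cap are assumptions made for this sketch.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed cap for this sketch: a TLS ClientHello fits well inside it.
const maxCryptoLen = 16 << 10
var errTruncated = errors.New("truncated input")
var errTooLarge = errors.New("declared crypto range exceeds limit")

// readVarint decodes a QUIC variable-length integer (RFC 9000, section 16).
func readVarint(b []byte) (uint64, int, error) {
	if len(b) == 0 || len(b) < 1<<(b[0]>>6) {
		return 0, 0, errTruncated
	}
	n := 1 << (b[0] >> 6) // encoded size: 1, 2, 4 or 8 bytes
	v := uint64(b[0] & 0x3f)
	for _, c := range b[1:n] {
		v = v<<8 | uint64(c)
	}
	return v, n, nil
}

// parseCrypto reads Offset, Length and data of a CRYPTO frame body. Both integers
// are peer-controlled, so never size a buffer as make([]byte, offset+length).
func parseCrypto(b []byte) (uint64, []byte, error) {
	off, n, err := readVarint(b)
	if err != nil {
		return 0, nil, err
	}
	length, m, err := readVarint(b[n:])
	if err != nil {
		return 0, nil, err
	}
	rest := b[n+m:]
	if off+length > maxCryptoLen { // no overflow: each value is below 2^62
		return 0, nil, errTooLarge
	}
	if length > uint64(len(rest)) {
		return 0, nil, errTruncated
	}
	return off, append([]byte(nil), rest[:length]...), nil
}

func main() { // constructed input: offset 0, declared length 2^62-1, one data byte
	fmt.Println(parseCrypto([]byte{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x41}))
}
```

The copy in the last line of parseCrypto is bounded by bytes actually received, so memory use tracks the datagram size rather than the declared length.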

PoC

openssl req -x509 -newkey rsa:2048 -nodes -keyout localhost.key -out localhost.crt -days 365 -subj "/CN=localhost" 2>/dev/null

server.yaml

listen: :8443
tls:
  cert: localhost.crt
  key: localhost.key
auth:
  type: password
  password: mypassword
sniff:...

poc.go

package main

import (
	"flag"
	"fmt"
	"log"
	"net"
	"time"...

Impact

When sniffing is enabled on the server, a user with a valid password can launch an attack that could cause the server to run out of memory (OOM).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
