CVE-2024-1410

Name of the Vulnerable Software and Affected Versions Quiche versions prior to 0.19.2 Quiche versions prior to 0.20.1

Description The issue is related to unbounded storage of information related to connection ID retirement, which could lead to excessive resource consumption. Each QUIC connection possesses a set of connection Identifiers (IDs). Endpoints declare the number of active connection IDs they are willing to support using the active connection id limit transport parameter. The peer can create new IDs using a "NEW CONNECTION ID" frame but must stay within the active ID limit. This is done by retirement of old IDs, the endpoint sends "NEW CONNECTION ID" includes a value in the retire prior to field, which elicits a "RETIRE CONNECTION ID" frame as confirmation. An unauthenticated remote attacker can exploit the issue by sending "NEW CONNECTION ID" frames and manipulating the connection so that "RETIRE CONNECTION ID" frames can only be sent at a slower rate than they are received, leading to storage of information related to connection IDs in an unbounded queue.

Recommendations For versions prior to 0.19.2, update to version 0.19.2 or later. For versions prior to 0.20.1, update to version 0.20.1 or later. As a temporary workaround, consider restricting the peer's congestion window size to minimize the risk of exploitation. Avoid using the retire prior to field in the "NEW CONNECTION ID" frame until the issue is resolved.