cve-2024-53259
Vulnerability from cvelistv5
Published
2024-12-02 16:12
Modified
2024-12-02 19:28
Summary
quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53259",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-02T19:27:58.329919Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-02T19:28:08.531Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "quic-go",
          "vendor": "quic-go",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.48.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a \"message too large\" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they\u0027re unable to establish a QUIC connection). The attacker needs to at least know the client\u0027s IP and port tuple to mount an attack. This vulnerability is fixed in 0.48.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-02T16:12:40.605Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr"
        },
        {
          "name": "https://github.com/quic-go/quic-go/pull/4729",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/pull/4729"
        },
        {
          "name": "https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50"
        },
        {
          "name": "https://github.com/quic-go/quic-go/releases/tag/v0.48.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/releases/tag/v0.48.2"
        }
      ],
      "source": {
        "advisory": "GHSA-px8v-pp82-rcvr",
        "discovery": "UNKNOWN"
      },
      "title": "quic-go affected by an ICMP Packet Too Large Injection Attack on Linux"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53259",
    "datePublished": "2024-12-02T16:12:40.605Z",
    "dateReserved": "2024-11-19T20:08:14.480Z",
    "dateUpdated": "2024-12-02T19:28:08.531Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53259\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-12-02T17:15:12.767\",\"lastModified\":\"2024-12-02T17:15:12.767\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a \\\"message too large\\\" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they\u0027re unable to establish a QUIC connection). The attacker needs to at least know the client\u0027s IP and port tuple to mount an attack. This vulnerability is fixed in 0.48.2.\"},{\"lang\":\"es\",\"value\":\"quic-go es una implementaci\u00f3n del protocolo QUIC en Go. Un atacante que no se encuentre en la ruta de acceso puede inyectar un paquete ICMP de tama\u00f1o excesivo. Dado que las versiones de quic-go afectadas utilizan IP_PMTUDISC_DO, el n\u00facleo devolver\u00eda un error de \\\"mensaje demasiado grande\\\" en sendmsg, es decir, cuando quic-go intenta enviar un paquete que excede la MTU indicada en ese paquete ICMP. Al establecer este valor en un valor menor a 1200 bytes (la MTU m\u00ednima para QUIC), el atacante puede interrumpir una conexi\u00f3n QUIC. 
Fundamentalmente, esto se puede hacer despu\u00e9s de completar el protocolo de enlace, evitando as\u00ed cualquier respaldo TCP que pueda implementarse en la capa de aplicaci\u00f3n (por ejemplo, muchos navegadores recurren a HTTP sobre TCP si no pueden establecer una conexi\u00f3n QUIC). El atacante necesita al menos conocer la IP del cliente y la tupla de puertos para montar un ataque. Esta vulnerabilidad se corrigi\u00f3 en 0.48.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]}],\"references\":[{\"url\":\"https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/quic-go/quic-go/pull/4729\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/quic-go/quic-go/releases/tag/v0.48.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}







Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.