Vulnerability-Lookup

CVE-2024-53259 (GCVE-0-2024-53259)

Vulnerability from cvelistv5 – Published: 2024-12-02 16:12 – Updated: 2024-12-02 19:28

Title

quic-go affected by an ICMP Packet Too Large Injection Attack on Linux

Summary

quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection). The attacker needs to at least know the client's IP and port tuple to mount an attack. This vulnerability is fixed in 0.48.2.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-345 - Insufficient Verification of Data Authenticity

Assigner

GitHub_M

References

URL

Tags

	https://github.com/quic-go/quic-go/security/advis…	x_refsource_CONFIRM
	https://github.com/quic-go/quic-go/pull/4729	x_refsource_MISC
	https://github.com/quic-go/quic-go/commit/ca31dd3…	x_refsource_MISC
	https://github.com/quic-go/quic-go/releases/tag/v0.48.2	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	quic-go	quic-go	Affected: < 0.48.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53259",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-02T19:27:58.329919Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-02T19:28:08.531Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "quic-go",
          "vendor": "quic-go",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.48.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a \"message too large\" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they\u0027re unable to establish a QUIC connection). The attacker needs to at least know the client\u0027s IP and port tuple to mount an attack. This vulnerability is fixed in 0.48.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-02T16:12:40.605Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr"
        },
        {
          "name": "https://github.com/quic-go/quic-go/pull/4729",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/pull/4729"
        },
        {
          "name": "https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50"
        },
        {
          "name": "https://github.com/quic-go/quic-go/releases/tag/v0.48.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/releases/tag/v0.48.2"
        }
      ],
      "source": {
        "advisory": "GHSA-px8v-pp82-rcvr",
        "discovery": "UNKNOWN"
      },
      "title": "quic-go affected by an ICMP Packet Too Large Injection Attack on Linux"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53259",
    "datePublished": "2024-12-02T16:12:40.605Z",
    "dateReserved": "2024-11-19T20:08:14.480Z",
    "dateUpdated": "2024-12-02T19:28:08.531Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53259\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-02T19:27:58.329919Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-02T19:28:03.726Z\"}}], \"cna\": {\"title\": \"quic-go affected by an ICMP Packet Too Large Injection Attack on Linux\", \"source\": {\"advisory\": \"GHSA-px8v-pp82-rcvr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"quic-go\", \"product\": \"quic-go\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.48.2\"}]}], \"references\": [{\"url\": \"https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr\", \"name\": \"https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/quic-go/quic-go/pull/4729\", \"name\": \"https://github.com/quic-go/quic-go/pull/4729\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50\", \"name\": \"https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/quic-go/quic-go/releases/tag/v0.48.2\", \"name\": \"https://github.com/quic-go/quic-go/releases/tag/v0.48.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a \\\"message too large\\\" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they\u0027re unable to establish a QUIC connection). The attacker needs to at least know the client\u0027s IP and port tuple to mount an attack. This vulnerability is fixed in 0.48.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-345\", \"description\": \"CWE-345: Insufficient Verification of Data Authenticity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-12-02T16:12:40.605Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-53259\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-02T19:28:08.531Z\", \"dateReserved\": \"2024-11-19T20:08:14.480Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-12-02T16:12:40.605Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-1092

Vulnerability from certfr_avis - Published: 2024-12-18 - Updated: 2024-12-18

Une vulnérabilité a été découverte dans Traefik. Elle permet à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Traefik	Traefik	Traefik versions 3.x antérieures à 3.2.2
	Traefik	Traefik	Traefik versions 2.x antérieures à 2.11.15

References

Title

Publication Time

Tags

Bulletin de sécurité Traefik GHSA-hxr6-2p24-hf98

2024-12-17

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Traefik versions 3.x ant\u00e9rieures \u00e0 3.2.2",
      "product": {
        "name": "Traefik",
        "vendor": {
          "name": "Traefik",
          "scada": false
        }
      }
    },
    {
      "description": "Traefik versions 2.x ant\u00e9rieures \u00e0 2.11.15",
      "product": {
        "name": "Traefik",
        "vendor": {
          "name": "Traefik",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-53259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-53259"
    }
  ],
  "initial_release_date": "2024-12-18T00:00:00",
  "last_revision_date": "2024-12-18T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-1092",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-12-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Traefik. Elle permet \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Vuln\u00e9rabilit\u00e9 dans Traefik",
  "vendor_advisories": [
    {
      "published_at": "2024-12-17",
      "title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-hxr6-2p24-hf98",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-hxr6-2p24-hf98"
    }
  ]
}

CERTFR-2025-AVI-0473

Vulnerability from certfr_avis - Published: 2025-06-03 - Updated: 2025-06-03

De multiples vulnérabilités ont été découvertes dans les produits Splunk. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une injection de code indirecte à distance (XSS) et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 9.3.2411.x antérieures à 9.3.2411.102
Splunk	Universal Forwarder	Universal Forwarder versions 9.3.x antérieures à 9.3.4
Splunk	Universal Forwarder	Universal Forwarder versions 9.2.x antérieures à 9.2.6
Splunk	Universal Forwarder	Universal Forwarder versions 9.4.x antérieures à 9.4.2
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.1.x antérieures à 9.1.9
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 9.3.2408.x antérieures à 9.3.2408.111
Splunk	Universal Forwarder	Universal Forwarder versions 9.1.x antérieures à 9.1.9
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.4.x antérieures à 9.4.2
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 9.3.2406.x antérieures à 9.3.2406.118
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.2.x antérieures à 9.2.6
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.3.x antérieures à 9.3.4

References

Title

Publication Time

Tags

Bulletin de sécurité Splunk SVD-2025-0602	2025-06-02	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0603	2025-06-02	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0601	2025-06-02	vendor-advisory
Bulletin de sécurité Splunk SVD-2025-0604	2025-06-02	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Splunk Cloud Platform versions 9.3.2411.x ant\u00e9rieures \u00e0 9.3.2411.102",
      "product": {
        "name": "Splunk Cloud Platform",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Universal Forwarder versions 9.3.x ant\u00e9rieures \u00e0 9.3.4",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Universal Forwarder versions 9.2.x ant\u00e9rieures \u00e0 9.2.6",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Universal Forwarder versions 9.4.x ant\u00e9rieures \u00e0 9.4.2",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.1.x ant\u00e9rieures \u00e0 9.1.9",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Cloud Platform versions 9.3.2408.x ant\u00e9rieures \u00e0 9.3.2408.111",
      "product": {
        "name": "Splunk Cloud Platform",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Universal Forwarder versions 9.1.x ant\u00e9rieures \u00e0 9.1.9",
      "product": {
        "name": "Universal Forwarder",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.4.x ant\u00e9rieures \u00e0 9.4.2",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Cloud Platform versions 9.3.2406.x ant\u00e9rieures \u00e0 9.3.2406.118",
      "product": {
        "name": "Splunk Cloud Platform",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.2.x ant\u00e9rieures \u00e0 9.2.6",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    },
    {
      "description": "Splunk Enterprise versions 9.3.x ant\u00e9rieures \u00e0 9.3.4",
      "product": {
        "name": "Splunk Enterprise",
        "vendor": {
          "name": "Splunk",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-24790",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24790"
    },
    {
      "name": "CVE-2024-53259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-53259"
    },
    {
      "name": "CVE-2025-20298",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20298"
    },
    {
      "name": "CVE-2024-24791",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24791"
    },
    {
      "name": "CVE-2024-35255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35255"
    },
    {
      "name": "CVE-2024-34158",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34158"
    },
    {
      "name": "CVE-2024-28180",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28180"
    },
    {
      "name": "CVE-2024-45338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45338"
    },
    {
      "name": "CVE-2024-45337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
    },
    {
      "name": "CVE-2025-22869",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
    },
    {
      "name": "CVE-2022-31159",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31159"
    },
    {
      "name": "CVE-2025-20297",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-20297"
    },
    {
      "name": "CVE-2024-3651",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-3651"
    },
    {
      "name": "CVE-2024-34155",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34155"
    },
    {
      "name": "CVE-2024-24789",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24789"
    }
  ],
  "initial_release_date": "2025-06-03T00:00:00",
  "last_revision_date": "2025-06-03T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0473",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-06-03T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Splunk. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une injection de code indirecte \u00e0 distance (XSS) et un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Splunk",
  "vendor_advisories": [
    {
      "published_at": "2025-06-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0602",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0602"
    },
    {
      "published_at": "2025-06-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0603",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0603"
    },
    {
      "published_at": "2025-06-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0601",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0601"
    },
    {
      "published_at": "2025-06-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0604",
      "url": "https://advisory.splunk.com/advisories/SVD-2025-0604"
    }
  ]
}

CVE-2024-53259

Vulnerability from fstec - Published: 19.11.2024

Title

Уязвимость реализации протокола QUIC библиотеки quic-go языка программирования go, связанная с недостаточной проверкой подлинности данных, позволяющая нарушителю оказать влияние на доступность защищаемой информации

Description

Уязвимость реализации протокола QUIC библиотеки quic-go языка программирования go связана с недостаточной проверкой подлинности данных. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, оказать влияние на доступность защищаемой информации

Severity ?


                    
                      AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor

Red Hat Inc., АО «ИВК», Сообщество свободного программного обеспечения

Software Name

Openshift Service Mesh, Red Hat Advanced Cluster Management for Kubernetes, Red Hat OpenShift Container Platform, Red Hat Ansible Automation Platform, Red Hat OpenShift Dev Spaces, АЛЬТ СП 10, Quic-Go

Software Version

2 (Openshift Service Mesh), 2 (Red Hat Advanced Cluster Management for Kubernetes), 4 (Red Hat OpenShift Container Platform), 2 (Red Hat Ansible Automation Platform), - (Red Hat OpenShift Dev Spaces), - (АЛЬТ СП 10), до 0.48.2 (Quic-Go)

Possible Mitigations

Использование рекомендаций: https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50 https://github.com/quic-go/quic-go/pull/4729 https://github.com/quic-go/quic-go/releases/tag/v0.48.2 https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/cve-2024-53259 Для ОС АЛЬТ СП 10: установка обновления из публичного репозитория программного средства: https://altsp.su/obnovleniya-bezopasnosti/

Reference

https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50 https://github.com/quic-go/quic-go/pull/4729 https://github.com/quic-go/quic-go/releases/tag/v0.48.2 https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr https://access.redhat.com/security/cve/cve-2024-53259 https://altsp.su/obnovleniya-bezopasnosti/

CWE

CWE-345

JSON

To clipboard

{
  "CVSS 2.0": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
  "CVSS 3.0": "AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "2 (Openshift Service Mesh), 2 (Red Hat Advanced Cluster Management for Kubernetes), 4 (Red Hat OpenShift Container Platform), 2 (Red Hat Ansible Automation Platform), - (Red Hat OpenShift Dev Spaces), - (\u0410\u041b\u042c\u0422 \u0421\u041f 10), \u0434\u043e 0.48.2 (Quic-Go)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50\t\nhttps://github.com/quic-go/quic-go/pull/4729\t\nhttps://github.com/quic-go/quic-go/releases/tag/v0.48.2\t\nhttps://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2024-53259\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u041b\u042c\u0422 \u0421\u041f 10: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430: https://altsp.su/obnovleniya-bezopasnosti/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "19.11.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "20.06.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "05.12.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-10806",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-53259",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Openshift Service Mesh, Red Hat Advanced Cluster Management for Kubernetes, Red Hat OpenShift Container Platform, Red Hat Ansible Automation Platform, Red Hat OpenShift Dev Spaces, \u0410\u041b\u042c\u0422 \u0421\u041f 10, Quic-Go",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u041b\u042c\u0422 \u0421\u041f 10 - ",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0430 QUIC \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 quic-go \u044f\u0437\u044b\u043a\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f go, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 \u0434\u0430\u043d\u043d\u044b\u0445, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043b\u0438\u044f\u043d\u0438\u0435 \u043d\u0430 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-345)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0430 QUIC \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 quic-go \u044f\u0437\u044b\u043a\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f go \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043b\u0438\u044f\u043d\u0438\u0435 \u043d\u0430 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50\t\nhttps://github.com/quic-go/quic-go/pull/4729\t\nhttps://github.com/quic-go/quic-go/releases/tag/v0.48.2\t\nhttps://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr\nhttps://access.redhat.com/security/cve/cve-2024-53259\nhttps://altsp.su/obnovleniya-bezopasnosti/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-345",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,1)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,5)"
}

GHSA-PX8V-PP82-RCVR

Vulnerability from github – Published: 2024-12-02 17:28 – Updated: 2024-12-04 22:16

Summary

quic-go affected by an ICMP Packet Too Large Injection Attack on Linux

Details

Impact

An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet.

By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection).

As far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client's IP and port tuple to mount an attack (assuming that it knows the server's IP and port).

Patches

The fix is easy: Use IP_PMTUDISC_PROBE instead of IP_PMTUDISC_DO. This socket option only sets the DF bit, but disables the kernel's MTU tracking.

Has the problem been patched? What versions should users upgrade to?

Fixed in https://github.com/quic-go/quic-go/pull/4729 Released in https://github.com/quic-go/quic-go/releases/tag/v0.48.2

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Use iptables to drop ICMP Unreachable packets.

References

Are there any links users can visit to find out more?

This bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.0 (Medium)


                  
                    CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/quic-go/quic-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.48.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-53259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T17:28:14Z",
    "nvd_published_at": "2024-12-02T17:15:12Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAn off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used `IP_PMTUDISC_DO`, the kernel would then return a \"message too large\" error on `sendmsg`, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet.\n\nBy setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they\u0027re unable to establish a QUIC connection).\n\nAs far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client\u0027s IP and port tuple to mount an attack (assuming that it knows the server\u0027s IP and port).\n\n### Patches\n\nThe fix is easy: Use `IP_PMTUDISC_PROBE` instead of `IP_PMTUDISC_DO`. This socket option only sets the DF bit, but disables the kernel\u0027s MTU tracking.\n\n_Has the problem been patched? What versions should users upgrade to?_\n\nFixed in https://github.com/quic-go/quic-go/pull/4729\nReleased in https://github.com/quic-go/quic-go/releases/tag/v0.48.2\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nUse iptables to drop ICMP Unreachable packets.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\nThis bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/\n",
  "id": "GHSA-px8v-pp82-rcvr",
  "modified": "2024-12-04T22:16:38Z",
  "published": "2024-12-02T17:28:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53259"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/pull/4729"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quic-go/quic-go"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/releases/tag/v0.48.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "quic-go affected by an ICMP Packet Too Large Injection Attack on Linux"
}

FKIE_CVE-2024-53259

Vulnerability from fkie_nvd - Published: 2024-12-02 17:15 - Updated: 2024-12-02 17:15

Severity ?

6.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50
	security-advisories@github.com	https://github.com/quic-go/quic-go/pull/4729
	security-advisories@github.com	https://github.com/quic-go/quic-go/releases/tag/v0.48.2
	security-advisories@github.com	https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a \"message too large\" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they\u0027re unable to establish a QUIC connection). The attacker needs to at least know the client\u0027s IP and port tuple to mount an attack. This vulnerability is fixed in 0.48.2."
    },
    {
      "lang": "es",
      "value": "quic-go es una implementaci\u00f3n del protocolo QUIC en Go. Un atacante que no se encuentre en la ruta de acceso puede inyectar un paquete ICMP de tama\u00f1o excesivo. Dado que las versiones de quic-go afectadas utilizan IP_PMTUDISC_DO, el n\u00facleo devolver\u00eda un error de \"mensaje demasiado grande\" en sendmsg, es decir, cuando quic-go intenta enviar un paquete que excede la MTU indicada en ese paquete ICMP. Al establecer este valor en un valor menor a 1200 bytes (la MTU m\u00ednima para QUIC), el atacante puede interrumpir una conexi\u00f3n QUIC. Fundamentalmente, esto se puede hacer despu\u00e9s de completar el protocolo de enlace, evitando as\u00ed cualquier respaldo TCP que pueda implementarse en la capa de aplicaci\u00f3n (por ejemplo, muchos navegadores recurren a HTTP sobre TCP si no pueden establecer una conexi\u00f3n QUIC). El atacante necesita al menos conocer la IP del cliente y la tupla de puertos para montar un ataque. Esta vulnerabilidad se corrigi\u00f3 en 0.48.2."
    }
  ],
  "id": "CVE-2024-53259",
  "lastModified": "2024-12-02T17:15:12.767",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-02T17:15:12.767",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/quic-go/quic-go/pull/4729"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/quic-go/quic-go/releases/tag/v0.48.2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-53259 (GCVE-0-2024-53259)

CERTFR-2024-AVI-1092

Solutions

CERTFR-2025-AVI-0473

Solutions

CVE-2024-53259

GHSA-PX8V-PP82-RCVR

Impact

Patches

Workarounds

References

FKIE_CVE-2024-53259

Tags

Sightings

Nomenclature