#VU101816 Insufficient verification of data authenticity in quic-go - CVE-2024-53259
Vulnerability identifier: #VU101816
Vulnerability risk: Medium
CVSSv4.0: [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-345
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
quic-go
Universal components / Libraries /
Libraries used by multiple products
Vendor: quic-go
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient verification of data authenticity when processing ICMP packets. A remote attacker can inject an ICMP Packet Too Large packet in the communication between the target host and the application and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
quic-go: 0.4, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0 - 0.10.2, 0.11.0 - 0.11.2, 0.12.0 - 0.12.1, 0.13.0 - 0.13.1, 0.14.0 - 0.14.4, 0.15.0 - 0.15.8, 0.16.0 - 0.16.2, 0.17.0 - 0.17.3, 0.18.0 - 0.18.1, 0.19.0 - 0.19.3, 0.20.0 - 0.20.1, 0.21 - 0.21.2, 0.22.0 - 0.22.1, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0 - 0.27.2, 0.28.0 - 0.28.1, 0.29.0 - 0.29.2, 0.30.0, 0.31.0 - 0.31.1, 0.32.0, 0.33.0 - 0.33.1, 0.34.0, 0.35.0 - 0.35.1, 0.36.0 - 0.36.4, 0.37.0 - 0.37.7, 0.38.0 - 0.38.2, 0.39.0 - 0.39.4, 0.40.0 - 0.40.1, 0.41.0, 0.42.0, 0.43.0 - 0.43.1, 0.44.0, 0.45.0 - 0.45.2, 0.46.0, 0.47.0, 0.48.0 - 0.48.1
External links
http://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50
http://github.com/quic-go/quic-go/pull/4729
http://github.com/quic-go/quic-go/releases/tag/v0.48.2
http://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
