Last active
May 26, 2024 02:58
-
-
Save QUICTester/29a1851c2b2a406411f688735526fe2e to your computer and use it in GitHub Desktop.
Retention of unused encryption keys in Kwik server.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This Vulnerability was found in Kwik (https://github.com/ptrd/kwik). | |
| Found in commit 745fd4e2d8d104b9cf1e8342d150ff8967c65892 | |
| Fixed in commit 040b0d1327bfb0a8e35c23c2bd612a4a39b721d4 | |
| Affected Component: Client-Server QUIC connections. | |
| Attack Type: Remote | |
| Impact Denial of Service: True | |
| Vulnerability details: | |
| Retention of unused Initial encryption keys in https://github.com/ptrd/kwik (commit 745fd4e) implementation allows attackers to disrupt a connection (DoS) by sending a CONNECTION_CLOSE frame that is encrypted using the Initial key computed via network traffic sniffing. | |
| This is because the Initial key is not authenticated as explained in https://www.rfc-editor.org/rfc/rfc9001.html#name-discarding-initial-keys. | |
| Exploitation steps: | |
| 1) Attackers must be able to sniff the network traffic. | |
| 2) Capture the first QUIC packets sent by a QUIC client. | |
| 3) Compute the Initial encryption key as described in https://www.rfc-editor.org/rfc/rfc9001.html#name-keys | |
| 4) Send a CONNECTION_CLOSE frame to the server in an initial packet encrypted using the computed initial encryption key. | |
| 5) Because the server does not discard the Initial keys, it will decrypt and process the Initial packet sent in (4) even after the QUIC handshake is completed. | |
| Reference: | |
| https://github.com/ptrd/kwik/issues/31 | |
| https://www.rfc-editor.org/rfc/rfc9001#name-discarding-unused-keys | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment