QUICTester/gist:ea3eb2ac736bb63e47c654e14e3ec556

## gistfile1.txt
This vulnerability was found in Kwik (https://github.com/ptrd/kwik) which is using Agent15 (https://github.com/ptrd/agent15)
as the TLS engine.

For Kwik (QUIC implementation):
Found in 745fd4e2d8d104b9cf1e8342d150ff8967c65892
Fixed in 11862d54d72de63abd0b76ca6bb9df56e634212c

For Agent15 (TLS implementation):
Found in bcaf02e6f75cc14b1aff7cbaa8ea28188f1398b0
Fixed in d6b46538cbfd60a66ef58848212ec2204d00e535

Affected Component: Client-Server QUIC connections.
Attack Type: Remote
Impact: Denial of Service and potential connection hijack.

Vulnerability details:
The TLS engine (Agent 15) Kwik uses does not have a state machine. In other words, the TLS engine does not track the current
state of the connection. If a Client Hello TLS message is sent twice, the cryptographic parameter in the latter Client Hello
will overwrite the previously computed cryptographic parameter from the first Client Hello message. The overwrite behavior
can happen at any connection state, including after the connection is established. This also applies to the Finished TLS
message.
Combine with CVE-2024-22588 (https://nvd.nist.gov/vuln/detail/CVE-2024-22588), An attacker can use the unused Initial key to
send an Initial packet with a malicous Client Hello TLS message to overwrite victim-server connection parameters and state on
the server. Then, the attacker can potentially hijack the connection from the victim by completing the overwritten connection
with a Finished TLS message.

Exploitation steps:
    1) The attacker must be able to sniff the network traffic.
    2) Capture the first QUIC packets sent by a QUIC client (victim).
    3) Compute the Initial encryption key as described in https://www.rfc-editor.org/rfc/rfc9001.html#name-keys.
    4) Send an Initial packet with a Client Hello TLS message to the server to overwrite the victim's connection parameters
       and state on the server.
    5) Because the server does not discard the Initial keys, it will decrypt and process the Initial packet sent in (4) even
       after the QUIC handshake is completed. This will overwrite the victim-server connection parameters and state on the
       server. The victim is now desynchronised (not able to communicate) with the server.
    6) The attacker may complete the overwritten connection with a Finished TLS message.

Reference:
    https://nvd.nist.gov/vuln/detail/CVE-2024-22588
    https://github.com/ptrd/kwik/issues/32
    https://www.rfc-editor.org/rfc/rfc9001#name-discarding-unused-keys
	This vulnerability was found in Kwik (https://github.com/ptrd/kwik) which is using Agent15 (https://github.com/ptrd/agent15)
	as the TLS engine.

	For Kwik (QUIC implementation):
	Found in 745fd4e2d8d104b9cf1e8342d150ff8967c65892
	Fixed in 11862d54d72de63abd0b76ca6bb9df56e634212c

	For Agent15 (TLS implementation):
	Found in bcaf02e6f75cc14b1aff7cbaa8ea28188f1398b0
	Fixed in d6b46538cbfd60a66ef58848212ec2204d00e535

	Affected Component: Client-Server QUIC connections.
	Attack Type: Remote
	Impact: Denial of Service and potential connection hijack.

	Vulnerability details:
	The TLS engine (Agent 15) Kwik uses does not have a state machine. In other words, the TLS engine does not track the current
	state of the connection. If a Client Hello TLS message is sent twice, the cryptographic parameter in the latter Client Hello
	will overwrite the previously computed cryptographic parameter from the first Client Hello message. The overwrite behavior
	can happen at any connection state, including after the connection is established. This also applies to the Finished TLS
	message.
	Combine with CVE-2024-22588 (https://nvd.nist.gov/vuln/detail/CVE-2024-22588), An attacker can use the unused Initial key to
	send an Initial packet with a malicous Client Hello TLS message to overwrite victim-server connection parameters and state on
	the server. Then, the attacker can potentially hijack the connection from the victim by completing the overwritten connection
	with a Finished TLS message.

	Exploitation steps:
	1) The attacker must be able to sniff the network traffic.
	2) Capture the first QUIC packets sent by a QUIC client (victim).
	3) Compute the Initial encryption key as described in https://www.rfc-editor.org/rfc/rfc9001.html#name-keys.
	4) Send an Initial packet with a Client Hello TLS message to the server to overwrite the victim's connection parameters
	and state on the server.
	5) Because the server does not discard the Initial keys, it will decrypt and process the Initial packet sent in (4) even
	after the QUIC handshake is completed. This will overwrite the victim-server connection parameters and state on the
	server. The victim is now desynchronised (not able to communicate) with the server.
	6) The attacker may complete the overwritten connection with a Finished TLS message.

	Reference:
	https://nvd.nist.gov/vuln/detail/CVE-2024-22588
	https://github.com/ptrd/kwik/issues/32
	https://www.rfc-editor.org/rfc/rfc9001#name-discarding-unused-keys