[Bug]: Retention of Unused Encryption Keys #345
Comments
Hi @yangfurong @Kulsk, how is the progress on resolving this vulnerability? We reported this bug via the MITRE CVE program today (although we know that Alibaba is a CNA partner). We believe this is a vulnerability that should be addressed (as described in RFC 9001 https://www.rfc-editor.org/rfc/rfc9001#name-discarding-unused-keys) and prioritized. If you need help in reproducing the vulnerability, please let us know. At a minimum, we would like an acknowledgment of our findings. Thank you.
What happened?
I am a member of a group investigating automated testing of QUIC protocol implementations. During our tests involving an XQUIC implementation at commit version 00f6228, we identified 1 fault:
The unused encryption keys, such as the Initial key, should be discarded once QUIC has moved to the Handshake encryption level (https://www.rfc-editor.org/rfc/rfc9001#name-discarding-unused-keys), same as the Handshake key after moving to the 1-RTT encryption level. An attacker can obtain the Initial key by capturing the Initial packets sent between the client and server during the connection establishment. If the server/client still accepts and processes Initial packets after they moved to the Handshake encryption level (after the server processes the first Handshake packet from the client), an attacker can disrupt the connection by sending a CONNECTION_CLOSE frame in an Initial packet to the server/client, causing a connection close that is not initiated by either the client or the server (DoS attack).
We believe this is a security vulnerability (according to the threat model in RFC9500) and we sent our report to [email protected] and [email protected] 3 months ago (7 July 2023). However, we still haven't received any reply. We also reported it on 19 October 2023 and 2 February 2024. However, there has been no progress in addressing this vulnerability.
Thank you for your time.
Steps To Reproduce
For Initial key:
This also applies to Handshake keys:
Relevant log output
No response
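The mitigation the report asks for, as an added example that is not XQUIC code or part of the original issue: a minimal packet-admission model that applies the RFC 9001 section 4.9 discard rules, so that an Initial packet arriving after the server has processed its first Handshake packet is dropped rather than acted on. Packet contents are constructed and no real packet protection is performed; `Endpoint`, `Packet` and `server_scenario` are names chosen here.

```python
"""Model of RFC 9001 section 4.9 key discarding (added example, not XQUIC code)."""
from dataclasses import dataclass, field

INITIAL, HANDSHAKE, ONE_RTT = "initial", "handshake", "1rtt"


@dataclass
class Packet:
    level: str      # encryption level the packet is protected with (constructed)
    frames: tuple   # frame type names carried, e.g. ("CONNECTION_CLOSE",)


@dataclass
class Endpoint:
    role: str       # "server" or "client"
    keys: set = field(default_factory=lambda: {INITIAL, HANDSHAKE, ONE_RTT})
    closed: bool = False
    log: list = field(default_factory=list)

    def on_send(self, level: str) -> None:
        # RFC 9001 4.9.1: a client discards Initial keys when it first sends a Handshake packet.
        if self.role == "client" and level == HANDSHAKE:
            self.keys.discard(INITIAL)

    def on_handshake_confirmed(self) -> None:
        # RFC 9001 4.9.2: Handshake keys are discarded once the handshake is confirmed.
        self.keys.discard(HANDSHAKE)

    def receive(self, pkt: Packet) -> bool:
        """Return True if the packet was accepted and its frames processed."""
        if pkt.level not in self.keys:
            # Keys for this level are gone: the packet cannot be decrypted, so it is ignored.
            self.log.append(f"dropped {pkt.level} packet: keys already discarded")
            return False
        if "CONNECTION_CLOSE" in pkt.frames:
            self.closed = True
        # RFC 9001 4.9.1: a server discards Initial keys when it first
        # successfully processes a Handshake packet.
        if self.role == "server" and pkt.level == HANDSHAKE:
            self.keys.discard(INITIAL)
        return True


def server_scenario() -> dict:
    """Server handles the client's first Handshake packet, then sees a late Initial CONNECTION_CLOSE."""
    srv = Endpoint("server")
    srv.receive(Packet(INITIAL, ("CRYPTO",)))
    srv.receive(Packet(HANDSHAKE, ("CRYPTO",)))          # Initial keys discarded here
    accepted = srv.receive(Packet(INITIAL, ("CONNECTION_CLOSE",)))
    return {"accepted": accepted, "closed": srv.closed, "keys": set(srv.keys)}
```

An implementation that still holds Initial keys at the third `receive` call would set `closed` to True here, which is the behaviour the report describes.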