Bug 1222487 - VUL-0: CVE-2024-22189: syncthing: quic-go: memory exhaustion attack against QUIC's connection ID mechanism
Summary: VUL-0: CVE-2024-22189: syncthing: quic-go: memory exhaustion attack against Q...
Status: IN_PROGRESS
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security (show other bugs)
Version: Current
Hardware: Other Other
: P3 - Medium : Major (vote)
Target Milestone: ---
Assignee: Alexei Sorokin
QA Contact: E-mail List
URL: https://smash.suse.de/issue/400376/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2024-22189
  Show dependency treegraph
 
Reported: 2024-04-08 15:06 UTC by Camila Camargo de Matos
Modified: 2024-04-10 12:51 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Camila Camargo de Matos 2024-04-08 15:06:17 UTC 
+++ This bug was initially created as a clone of Bug #1222461 +++

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22189
https://www.cve.org/CVERecord?id=CVE-2024-22189
https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a
https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478
https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management
https://www.youtube.com/watch?v=JqXtYcZAtIA&t=3683s
https://bugzilla.redhat.com/show_bug.cgi?id=2273513
Comment 1 Camila Camargo de Matos 2024-04-08 15:06:44 UTC 
Go module quic-go is affected by CVE-2024-22189 and this module is embedded in openSUSE:Factory/syncthing (quic-go version 0.41.0).
Comment 2 Marius Kittler 2024-04-08 15:47:24 UTC 
Upstream has already updated the dependency:
https://patch-diff.githubusercontent.com/raw/syncthing/syncthing/pull/9497.patch

The packaging of Syncthing relies on upstream's vendoring so we cannot just apply this patch.

Therefore I suppose it would be the easiest to wait for the next upstream release or to package
https://github.com/syncthing/syncthing/releases/tag/v1.27.6-rc.2 which seems to be already at `github.com/quic-go/quic-go v0.42.0`.
Comment 3 Marius Kittler 2024-04-09 09:29:03 UTC 
Upstream has just created a new release and judging by the contained go.mod file it contains the fixed quic-go version. So I'm just updating the package to that version.
Comment 4 Marius Kittler 2024-04-09 09:33:05 UTC 
https://build.opensuse.org/request/show/1166340
Comment 5 Marius Kittler 2024-04-10 12:51:52 UTC 
The SR has been merged so from my side this is resolved.