CVE-2024-24989: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests...

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.70383%
Published: 2/14/2024
Updated: 6/10/2024
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

CVE-2024-24989 is described as a condition in which undisclosed requests cause nginx worker processes to terminate when the HTTP/3 QUIC module is in use; it is classified as CWE-476 (NULL Pointer Dereference). The advisory states that nginx 1.25.4 fixes the issue, which affects nginx 1.25.0 through 1.25.3. The QUIC module is not built or enabled by default, so only servers compiled with the HTTP/3 module and configured with a QUIC listener are exposed.

Comparing the commits between release-1.25.3 and release-1.25.4 of the nginx/nginx repository, the QUIC-related commits are the relevant ones. In particular, commit 5902baf680609f884a1e11ff2b82a0bffb3724cc, "QUIC: trial packet decryption in response to invalid key update", addresses a segfault (the usual symptom of a NULL pointer dereference) when ngx_quic_decrypt in src/event/quic/ngx_event_quic_protection.c accesses next-phase keys that have not been installed. Before the patch, a 1-RTT packet whose Key Phase bit differed from the connection's current phase caused the decryptor to select pkt->keys->next_key.client unconditionally; a peer that flips the bit before a key update is possible therefore makes the worker use a key whose cipher context is still NULL. The patch adds the check if (pkt->keys->next_key.client.ctx != NULL) before selecting the next key and otherwise attempts trial decryption with the current key, so a bogus packet fails authentication and is dropped instead of crashing the worker.

The oss-security mailing list announcement confirms that CVE-2024-24989 was fixed in nginx 1.25.4 and concerns a worker process crash in the HTTP/3 QUIC implementation.

Another commit in the same range, 5818f8a6693b3c0d95021f2ee58b69dcf848911c, fixes a double free in ngx_quic_stream_cleanup_handler. That defect also crashes the worker, but CVE-2024-24989 is specifically classified as a NULL pointer dereference (CWE-476). The advisory covers two CVEs fixed in 1.25.4 (CVE-2024-24989 and CVE-2024-24990), and the mapping of individual commits to CVE identifiers is not published; the attribution here is inferred from the CWE classification. On that basis, the NULL pointer dereference fix in ngx_quic_decrypt is the most likely match for CVE-2024-24989.

Therefore ngx_quic_decrypt is identified as the vulnerable function, based on the direct evidence in the patch and the nature of the vulnerability (a NULL pointer dereference leading to a crash).
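The following is an added example written for this page, not nginx's own code, that models the key-phase handling described above in a few dozen lines of C. The structs (quic_keys, quic_secret, toy_cipher), the two select_secret_* functions and the XOR-plus-checksum "cipher" are this example's inventions; only the Key Phase bit position and the shape of the fix (check next_key.ctx for NULL, otherwise try the current key) follow the analysis. It shows the unchecked selection handing a NULL cipher context to the decryptor when a peer flips the Key Phase bit before a next key exists, and the checked selection turning the same packet into an ordinary authentication failure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Key Phase bit of a 1-RTT short header (RFC 9001, section 6). */
#define QUIC_PKT_KPHASE  0x04

/* Stand-in for a cipher context: a 16-byte XOR key (constructed, not real AEAD). */
typedef struct {
    uint8_t key[16];
} toy_cipher;

typedef struct {
    toy_cipher *ctx;         /* NULL until the key for this phase is derived */
} quic_secret;

typedef struct {
    quic_secret current;     /* key material for the phase we are on */
    quic_secret next_key;    /* key material for the following phase, if derived */
    unsigned    key_phase;   /* 0 or 1 */
} quic_keys;

/* "Before": trust the header's Key Phase bit and switch to next_key whenever it
 * differs from ours, even when next_key.ctx has never been installed. */
static const quic_secret *
select_secret_unchecked(const quic_keys *keys, uint8_t flags)
{
    unsigned key_phase = (flags & QUIC_PKT_KPHASE) != 0;

    if (key_phase != keys->key_phase) {
        return &keys->next_key;
    }
    return &keys->current;
}

/* "After": switch only when next_key is actually available; otherwise fall back
 * to the current key (trial decryption), which fails cleanly for bogus input. */
static const quic_secret *
select_secret_checked(const quic_keys *keys, uint8_t flags)
{
    unsigned key_phase = (flags & QUIC_PKT_KPHASE) != 0;

    if (key_phase != keys->key_phase && keys->next_key.ctx != NULL) {
        return &keys->next_key;
    }
    return &keys->current;
}

/* XOR-encrypts plain[] and appends a one-byte checksum of the plaintext as a
 * stand-in for an AEAD tag.  Returns the packet length. */
static size_t
make_packet(const quic_secret *secret, const uint8_t *plain, size_t n, uint8_t *out)
{
    const toy_cipher *c = secret->ctx;
    uint8_t sum = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        sum += plain[i];
        out[i] = plain[i] ^ c->key[i % sizeof(c->key)];
    }
    out[n] = sum;
    return n + 1;
}

/* Decrypts in place and verifies the checksum.  Dereferences secret->ctx
 * unconditionally, exactly as a real cipher context would be used.
 * Returns 0 on success, -1 on authentication failure. */
static int
toy_decrypt(const quic_secret *secret, uint8_t *buf, size_t len)
{
    const toy_cipher *c = secret->ctx;
    uint8_t sum = 0;
    size_t i;

    if (len < 2) {
        return -1;
    }
    for (i = 0; i + 1 < len; i++) {
        buf[i] ^= c->key[i % sizeof(c->key)];
        sum += buf[i];
    }
    return (sum == buf[len - 1]) ? 0 : -1;
}

static toy_cipher phase0_cipher = { { 0 } };
static toy_cipher phase1_cipher = { { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,
                                      0x90, 0xa0, 0xb0, 0xc0, 0xd0, 0xe0, 0xf0, 0x01 } };

/* One receive on a connection at key phase 0: the peer sends a packet under the
 * phase-1 key with the Key Phase bit set.  Returns 0 if decrypted, -1 if dropped
 * after a failed trial decryption, and 2 if the selected secret has a NULL ctx,
 * which is where the unchecked code would dereference NULL and crash. */
static int
receive_key_phase_flip(int next_installed, int use_fix)
{
    quic_keys keys;
    quic_secret sender = { &phase1_cipher };
    uint8_t pkt[32];
    size_t len;
    const quic_secret *secret;

    keys.key_phase = 0;
    keys.current.ctx = &phase0_cipher;
    keys.next_key.ctx = next_installed ? &phase1_cipher : NULL;

    len = make_packet(&sender, (const uint8_t *) "hi", 2, pkt);

    secret = use_fix ? select_secret_checked(&keys, QUIC_PKT_KPHASE)
                     : select_secret_unchecked(&keys, QUIC_PKT_KPHASE);

    if (secret->ctx == NULL) {
        return 2;                /* toy_decrypt() would segfault here */
    }
    return toy_decrypt(secret, pkt, len);
}

int main(void)
{
    printf("unchecked, next key missing: %d (2 = NULL ctx selected)\n",
           receive_key_phase_flip(0, 0));
    printf("checked,   next key missing: %d (-1 = dropped)\n",
           receive_key_phase_flip(0, 1));
    printf("checked,   next key present: %d (0 = decrypted)\n",
           receive_key_phase_flip(1, 1));
    return 0;
}
```

The fixed path never trusts the header bit on its own: a key update is only honoured when the receiver has already derived the next-phase key, and anything else is treated as a packet that simply fails to authenticate. That is also why the fix is a correctness change rather than a WAF concern; the bad packet is indistinguishable from noise until it reaches the decryptor.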


WAF Protection Rules

WAF Rule

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more informati
