7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-45311

GHSA ID

GHSA-vr26-jcq5-fjj8

EPSS Score

0.34359%

CWE

CWE-670

Published

9/3/2024

Updated

9/9/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45311

CVE-2024-45311: Denial of service in quinn-proto when using `Endpoint::retry()`

Summary

As of quinn-proto 0.11, it is possible for a server to accept(), retry(), refuse(), or ignore() an Incoming connection. However, calling retry() on an unvalidated connection exposes the server to a likely panic in the following situations:

Calling refuse or ignore on the resulting validated connection, if a duplicate initial packet is received
- This issue can go undetected until a server's refuse()/ignore() code path is exercised, such as to stop a denial of service attack.
Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received.
- This issue can go undetected if clients are well-behaved.

The former situation was observed in a real application, while the latter is only theoretical.

Details

Location of panic: https://github.com/quinn-rs/quinn/blob/bb02a12a8435a7732a1d762783eeacbb7e50418e/quinn-proto/src/endpoint.rs#L213

Impact

Denial of service for internet-facing server

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-45311

GHSA ID

GHSA-vr26-jcq5-fjj8

EPSS Score

0.34359%

CWE

CWE-670

Published

9/3/2024

Updated

9/9/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
quinn-proto	rust	>= 0.11.0, < 0.11.7	0.11.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper CID handling in connection state management. Key issues were:

clean_up_incoming used orig_dst_cid instead of current packet's dst_cid
remove_initial didn't validate CID length or existence
The retry path combined these issues by creating state mismatches Commit changes show fixes to use packet.header.dst_cid, add CID length checks, and insert debug assertions - confirming these were the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *s o* quinn-proto *.**, it is possi*l* *or * s*rv*r to `****pt()`, `r*try()`, `r**us*()`, or `i*nor*()` *n `In*omin*` *onn**tion. *ow*v*r, **llin* `r*try()` on *n unv*li**t** *onn**tion *xpos*s t** s*rv*r to * lik*ly p*ni* in t** *ollowi

Reasoning

T** vuln*r**ility st*mm** *rom improp*r *I* **n*lin* in *onn**tion st*t* m*n***m*nt. K*y issu*s w*r*: *. *l**n_up_in*omin* us** ori*_*st_*i* inst*** o* *urr*nt p**k*t's *st_*i* *. r*mov*_initi*l *i*n't v*li**t* *I* l*n*t* or *xist*n** *. T** r*try p*

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-45311: Denial of service in quinn-proto when using `Endpoint::retry()`

Summary

Details

Impact

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI