CVE-2024-53259
📋 TL;DR
An off-path attacker can disrupt QUIC connections by injecting forged ICMP Packet Too Large packets, forcing the connection to use smaller MTU sizes than QUIC's 1200-byte minimum. This affects systems using quic-go versions before 0.48.2. The attack can occur after handshake completion, bypassing TCP fallback mechanisms used by applications like web browsers.
💻 Affected Systems
- quic-go
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Persistent denial of service for QUIC connections, forcing applications to fall back to TCP with performance degradation or connection failures.
Likely Case
Intermittent connection disruption and performance degradation for QUIC-enabled services.
If Mitigated
Minimal impact with proper network filtering and updated software.
🎯 Exploit Status
Attacker needs to know client IP and port, and be able to inject ICMP packets. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.48.2
Vendor Advisory: https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr
Restart Required: Yes
Instructions:
1. Update quic-go to version 0.48.2 or later using 'go get github.com/quic-go/quic-go@v0.48.2'.
2. Rebuild and redeploy applications using quic-go.
3. Restart affected services.
🔧 Temporary Workarounds
ICMP Filtering
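Linux: Block or rate-limit incoming ICMP Packet Too Large messages at the network perimeter. On IPv4 these are Destination Unreachable messages with code 4 (fragmentation needed), so the rule below matches only that code rather than every Destination Unreachable message. Dropping them also disables Path MTU Discovery for other traffic on the host, including TCP.
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j DROP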
🧯 If You Can't Patch
- Implement network filtering to block or validate ICMP Packet Too Large messages
- Monitor for unusual connection disruptions and implement rate limiting on QUIC connections
🔍 How to Verify
Check if Vulnerable:
Check quic-go version in go.mod or via 'go list -m github.com/quic-go/quic-go'
Check Version:
go list -m github.com/quic-go/quic-go
Verify Fix Applied:
Confirm version is 0.48.2 or later and test QUIC connection stability under network stress
📡 Detection & Monitoring
Log Indicators:
- Frequent 'message too large' errors in application logs
- QUIC connection resets or fallbacks to TCP
Network Indicators:
- Unusual ICMP Packet Too Large messages from unexpected sources
- QUIC packet size reductions below 1200 bytes
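One way to triage the network indicators above, as an added example that is not code from quic-go or the advisory: it parses a captured ICMPv4 fragmentation-needed message (type 3, code 4) and flags one that quotes a UDP flow while claiming a next-hop MTU below 1200 bytes. The names `ParsePTB`, `Suspicious` and `sample` and the sample bytes are constructed for illustration; ICMPv6 Packet Too Big is not covered.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const quicMinMTU = 1200 // the 1200-byte QUIC minimum cited on this page

type PTB struct { // fields of a fragmentation-needed message used for triage
	NextHopMTU       int
	Proto            uint8  // IP protocol of the quoted (original) packet
	SrcPort, DstPort uint16 // quoted transport ports; SrcPort is the local endpoint's port
}

// ParsePTB parses an ICMPv4 message starting at the ICMP header.
func ParsePTB(icmp []byte) (PTB, error) {
	if len(icmp) < 8 || icmp[0] != 3 || icmp[1] != 4 {
		return PTB{}, errors.New("not ICMPv4 type 3 code 4")
	}
	p := PTB{NextHopMTU: int(binary.BigEndian.Uint16(icmp[6:8]))}
	q := icmp[8:] // quoted IPv4 header plus the leading bytes of its payload
	if len(q) < 20 || q[0]>>4 != 4 || q[0]&0x0f < 5 || len(q) < int(q[0]&0x0f)*4+4 {
		return p, errors.New("quoted packet truncated or not IPv4")
	}
	ihl := int(q[0]&0x0f) * 4
	p.Proto = q[9]
	p.SrcPort = binary.BigEndian.Uint16(q[ihl:])
	p.DstPort = binary.BigEndian.Uint16(q[ihl+2:])
	return p, nil
}

// Suspicious is true when a quoted UDP flow is told to use an MTU below the QUIC minimum.
func Suspicious(p PTB) bool { return p.Proto == 17 && p.NextHopMTU < quicMinMTU }

// sample returns a constructed message (checksums zero, ports 50000 -> 443) for offline testing.
func sample(mtu uint16) []byte {
	b := make([]byte, 36)
	b[0], b[1], b[8], b[17] = 3, 4, 0x45, 17 // type, code, quoted IPv4/IHL 5, UDP
	binary.BigEndian.PutUint16(b[6:], mtu)
	binary.BigEndian.PutUint16(b[28:], 50000)
	binary.BigEndian.PutUint16(b[30:], 443)
	return b
}

func main() {
	p, err := ParsePTB(sample(576))
	fmt.Println(p, err, Suspicious(p))
}
```

A flagged message is a lead rather than proof: correlate the quoted source port with a live QUIC socket and check whether the ICMP sender is a plausible on-path router.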
SIEM Query:
source="application_logs" AND ("message too large" OR "QUIC connection reset")