{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/quic/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["hysteria/core/v2 (\u003c= 2.8.1)"],"_cs_severities":["medium"],"_cs_tags":["hysteria","quic","oom","dos"],"_cs_type":"advisory","_cs_vendors":["apernet"],"content_html":"\u003cp\u003eHysteria is a feature-rich network utility optimized for networks experiencing high packet loss. A vulnerability exists in Hysteria versions 2.8.1 and earlier that can be exploited by a user with a valid password. When the \u0026lsquo;sniff\u0026rsquo; option is enabled on the Hysteria server, a malicious actor can send a specially crafted QUIC packet that triggers excessive memory allocation, leading to an out-of-memory (OOM) condition and subsequent denial of service. This attack vector allows a threat actor to exhaust server resources, disrupting legitimate network traffic and potentially impacting all users relying on the affected Hysteria server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains a valid username and password for the Hysteria server.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to the Hysteria server using a Hysteria client.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a UDP connection through the Hysteria client.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious QUIC packet designed to trigger excessive memory allocation. 
The packet contains a large crypto length field.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious QUIC packet to the Hysteria server via the established UDP connection.\u003c/li\u003e\n\u003cli\u003eThe Hysteria server receives the malicious QUIC packet and processes it due to the \u0026lsquo;sniff\u0026rsquo; option being enabled.\u003c/li\u003e\n\u003cli\u003eThe server attempts to allocate memory based on the oversized crypto length specified in the malicious packet.\u003c/li\u003e\n\u003cli\u003eThe server exhausts available memory, resulting in an out-of-memory (OOM) condition and a denial-of-service state.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service (DoS) condition on the Hysteria server. All users relying on the server for network connectivity will experience disruption. The vulnerability requires a valid username and password, limiting the scope of potential attackers, but the impact on availability is significant. 
This vulnerability affects any Hysteria server with the \u0026lsquo;sniff\u0026rsquo; option enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Hysteria version 2.8.2 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eTo prevent this attack, disable the \u003ccode\u003esniff\u003c/code\u003e option in the Hysteria server configuration (\u003ccode\u003eserver.yaml\u003c/code\u003e) if it is not essential for your deployment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Hysteria Malicious QUIC Packet\u0026rdquo; to identify potential exploitation attempts by monitoring for unusually large packet sizes on UDP connections (see \u0026lsquo;rules\u0026rsquo; section).\u003c/li\u003e\n\u003cli\u003eMonitor server resource utilization, especially memory consumption, for anomalies that may indicate an ongoing attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-hysteria-quic-oom/","summary":"A specially constructed QUIC packet can crash the Hysteria server due to an out-of-memory (OOM) condition when the 'sniff' option is enabled, leading to a denial of service.","title":"Hysteria Server Out-of-Memory Vulnerability via Malformed QUIC Packet","url":"https://feed.craftedsignal.io/briefs/2024-01-02-hysteria-quic-oom/"}],"language":"en","title":"CraftedSignal Threat Feed — Quic","version":"https://jsonfeed.org/version/1.1"}