Attack Chain

1. The attacker obtains a valid username and password for the Hysteria server.
2. The attacker connects to the Hysteria server using a Hysteria client.
3. The attacker establishes a UDP connection through the Hysteria client.
4. The attacker crafts a malicious QUIC packet designed to trigger excessive memory allocation. The packet contains a large crypto length field.
5. The attacker sends the malicious QUIC packet to the Hysteria server via the established UDP connection.
6. The Hysteria server receives the malicious QUIC packet and processes it due to the ‘sniff’ option being enabled.
7. The server attempts to allocate memory based on the oversized crypto length specified in the malicious packet.
8. The server exhausts available memory, resulting in an out-of-memory (OOM) condition and a denial-of-service state.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service (DoS) condition on the Hysteria server. All users relying on the server for network connectivity will experience disruption. The vulnerability requires a valid username and password, limiting the scope of potential attackers, but the impact on availability is significant. This vulnerability affects any Hysteria server with the ‘sniff’ option enabled.

Recommendation

• Upgrade to Hysteria version 2.8.2 or later to patch the vulnerability.
• Disable the sniff option in the Hysteria server configuration (server.yaml) if it is not essential for your deployment to prevent this attack.
• Deploy the Sigma rule “Detect Hysteria Malicious QUIC Packet” to identify potential exploitation attempts by monitoring for unusually large packet sizes on UDP connections (see ‘rules’ section).
• Monitor server resource utilization, especially memory consumption, for anomalies that may indicate an ongoing attack.