h2o HTTP Server Uninitialized Memory Access Vulnerability in QUIC Frame Handling

Vulnerability

A vulnerability exists in the QUIC frame handling of h2o's server-side HTTP/3 implementation, in the code between commits 93af138 and d1f0f65. Uninitialized memory can be read and misinterpreted as received HTTP/3 frames. When h2o is used as a reverse proxy, an attacker can use this to make h2o forward its own internal state to a backend server under their control, or to a third-party server. If an HTTP endpoint reflects client traffic back to the client, the same flaw can be used to read unencrypted internal state out of h2o, including TLS session tickets and traffic belonging to other connections. No released version of h2o is affected, and there is no known workaround. Anyone running an unreleased version of h2o with HTTP/3 support should upgrade immediately.

Impact

Exploitation lets an unauthenticated client cause h2o to read uninitialized memory and treat it as legitimate HTTP/3 frames. The contents of that memory, which can include unencrypted traffic from other connections and TLS session tickets, are then handled as if the client had sent them. In a reverse proxy deployment this internal state is forwarded to the backend, which may be an attacker-controlled or third-party server; where an endpoint reflects client traffic, it is returned directly to the attacker.
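The following C model is an added illustration and is not h2o's code; the page does not show the affected function, so the buffer layout, the frame contents and the "SESSION-TICKET-01" string are all constructed for the example. It shows the bug class described above: a receive buffer slot is reused across connections without being cleared, and a frame parser that bounds itself by the slot's capacity rather than by the bytes the QUIC layer actually delivered decodes the previous connection's leftover bytes as a fresh frame. The hardened variant differs only in the bound it uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* HTTP/3 frame type and length are QUIC variable-length integers (RFC 9000, section 16):
 * the top two bits of the first byte select a 1-, 2-, 4- or 8-byte big-endian encoding. */
static int read_varint(const uint8_t *p, size_t avail, uint64_t *out, size_t *consumed) {
    if (avail == 0) return 0;
    size_t len = (size_t)1 << (p[0] >> 6);
    if (avail < len) return 0;
    uint64_t v = p[0] & 0x3f;
    for (size_t i = 1; i < len; i++) v = (v << 8) | p[i];
    *out = v;
    *consumed = len;
    return 1;
}

#define BUF_CAP 24 /* hypothetical: small so the constructed data fills the slot exactly */

/* Receive buffer slot, modelled (hypothetically) on a pool entry reused between connections. */
struct rxbuf {
    uint8_t data[BUF_CAP];
    size_t received; /* bytes actually written by the transport for the current connection */
};

struct frame { uint64_t type; uint64_t length; const uint8_t *payload; };

/* Parse complete frames out of the slot. With trust_capacity set, the parser behaves like the
 * flawed version: it treats every byte up to BUF_CAP as received, so whatever is left in the
 * slot beyond `received` is decoded as frames. With it clear, parsing stops at `received`. */
static size_t parse_frames(const struct rxbuf *buf, int trust_capacity,
                           struct frame *out, size_t max) {
    size_t limit = trust_capacity ? BUF_CAP : buf->received;
    size_t off = 0, n = 0;
    while (off < limit && n < max) {
        uint64_t type, length;
        size_t c1, c2;
        if (!read_varint(buf->data + off, limit - off, &type, &c1)) break;
        if (!read_varint(buf->data + off + c1, limit - off - c1, &length, &c2)) break;
        size_t hdr = c1 + c2;
        if (length > limit - off - hdr) break; /* frame incomplete: wait for more bytes */
        out[n].type = type;
        out[n].length = length;
        out[n].payload = buf->data + off + hdr;
        n++;
        off += hdr + (size_t)length;
    }
    return n;
}

/* Simulates two connections sharing one slot. Connection A's bytes (constructed) are a
 * HEADERS frame followed by a DATA frame carrying a stand-in for a session ticket. The slot is
 * then handed to connection B without being cleared, and B has so far sent only a 5-byte
 * HEADERS frame. Returns the number of frames the chosen parser attributes to connection B. */
static size_t demo_connection_b(int trust_capacity, struct frame *frames, size_t max) {
    static const uint8_t conn_a[] = {
        0x01, 0x03, 'x', 'y', 'z',                       /* HEADERS, length 3 */
        0x00, 0x11, 'S', 'E', 'S', 'S', 'I', 'O', 'N', '-', /* DATA, length 17 */
        'T', 'I', 'C', 'K', 'E', 'T', '-', '0', '1' };
    static const uint8_t conn_b[] = { 0x01, 0x03, 'a', 'b', 'c' }; /* HEADERS, length 3 */
    static struct rxbuf slot;                 /* static so returned payload pointers stay valid */
    memcpy(slot.data, conn_a, sizeof conn_a); /* connection A fills the whole slot */
    slot.received = 0;                        /* slot reused for B without zeroing */
    memcpy(slot.data, conn_b, sizeof conn_b);
    slot.received = sizeof conn_b;
    return parse_frames(&slot, trust_capacity, frames, max);
}

static int frame_payload_is(const struct frame *f, const char *s) {
    return f->length == strlen(s) && memcmp(f->payload, s, (size_t)f->length) == 0;
}

int main(void) {
    struct frame f[8];
    size_t n = demo_connection_b(1, f, 8);
    printf("capacity-bounded parser: %zu frame(s)\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  type=%lu len=%lu payload=%.*s\n", (unsigned long)f[i].type,
               (unsigned long)f[i].length, (int)f[i].length, (const char *)f[i].payload);
    n = demo_connection_b(0, f, 8);
    printf("received-bounded parser: %zu frame(s)\n", n);
    return 0;
}
```

The first run attributes two frames to connection B, the second of which is connection A's leftover DATA frame, exactly the kind of cross-connection leak the advisory describes; the second run sees only the frame B actually sent. The frame boundaries line up here because the example was built that way; in practice the leftover bytes decode as whatever frame the stale data happens to resemble. Bounding the parser by bytes received is the essential fix; clearing a slot on reuse is a cheap defence in depth that limits what a similar bug elsewhere could expose.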

Remediation

Users running unreleased versions of h2o with HTTP/3 support should update to a build that includes the fix, which is contained in commit 8c0eca3. No released version of h2o is affected, and there is no workaround short of updating.

Added: Mar 11, 2026, 7:05 PM
Updated: Mar 11, 2026, 7:05 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 2.5
exploitability: 8.6
remediation: 7.7
relevance: 0.0
threat: 3.5
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.