private-octopus picoquic
- <= 3827b00
A hash collision vulnerability has been identified in Kwik versions prior to 0.10.1. This vulnerability allows remote attackers to cause a significant CPU load on the server by initiating connections with colliding Source Connection IDs (SCIDs), leading to a Hash Denial-of-Service (DoS) attack. The issue arises from the hash table used to manage connections, which becomes inefficient when handling collisions, causing increased computational overhead on the server.
Exploitation of this vulnerability causes a substantial slowdown of the server, with some libraries experiencing a 300-fold decrease in performance when handling a large number of parallel connections. The slowdown occurs because the server spends its processing power resolving hash collisions among the colliding connection IDs, which effectively stalls normal operation.
The vulnerability can be reproduced by sending connection requests to a Kwik server using colliding Source Connection IDs. This can be achieved by selecting SCIDs that are known to produce collisions under the hash function used by the server's hash table implementation. Once the server receives these colliding SCIDs, it will experience a Hash DoS attack, struggling to process the influx of connections efficiently.
Users can upgrade to Kwik version 0.10.1 or later, where this vulnerability has been fixed.
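The effect described above can be measured as the length of the fullest bucket in a connection table. The following is an added example, not code from Kwik or picoquic: the toy additive hash, the table size, the alert limit and the sample connection IDs are all assumptions made for illustration, and the keyed hash shown is a general hash-flooding mitigation, not a description of the 0.10.1 fix.

```python
import hashlib
import secrets
from collections import Counter
from itertools import islice, permutations

BUCKETS = 1024  # assumed table size for this illustration

def unkeyed_hash(cid: bytes) -> int:
    # Toy additive hash with no secret input. An assumption for illustration,
    # not the hash used by Kwik or picoquic.
    return sum(cid) & 0xFFFFFFFF

def make_keyed_hash(key: bytes):
    # Keyed BLAKE2b: bucket choice depends on a secret the peer never sees.
    def keyed_hash(cid: bytes) -> int:
        digest = hashlib.blake2b(cid, key=key, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return keyed_hash

def longest_chain(cids, hash_fn) -> int:
    # Size of the fullest bucket = worst-case key comparisons for one lookup.
    return max(Counter(hash_fn(c) % BUCKETS for c in cids).values())

def chain_alert(cids, hash_fn, limit: int = 32) -> bool:
    # Detection hook: a chain far above the expected load factor is a sign
    # that connection IDs are landing in one bucket.
    return longest_chain(cids, hash_fn) > limit

# Constructed sample input: 2000 distinct 8-byte connection IDs that are byte
# permutations of each other, so the toy additive hash gives them one value.
SAMPLE_CIDS = [bytes(p) for p in islice(permutations(range(1, 9)), 2000)]

# Per-process random key, generated at startup and never sent on the wire.
KEYED = make_keyed_hash(secrets.token_bytes(16))

if __name__ == "__main__":
    print("unkeyed longest chain:", longest_chain(SAMPLE_CIDS, unkeyed_hash))
    print("keyed longest chain:  ", longest_chain(SAMPLE_CIDS, KEYED))
    print("alert (unkeyed):", chain_alert(SAMPLE_CIDS, unkeyed_hash))
    print("alert (keyed):  ", chain_alert(SAMPLE_CIDS, KEYED))
```

With the unkeyed hash every sample ID shares one bucket, so each lookup walks the whole chain; with the keyed hash the same IDs spread across the table and the chain-length alert stays quiet.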