Picoquic Hash-Based Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the picoquic QUIC protocol implementation in versions prior to 1.1.31.0. The hash table that manages connections uses a weak hash function, so a remote attacker can open connections whose Source Connection IDs collide under that function. The table then degrades to its worst-case algorithmic complexity, processing every insertion and lookup through a long collision chain, which imposes a significant CPU load on the server.
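The following added example (written for this page, not picoquic's own code) shows the mechanism and the standard mitigation side by side. It builds a small chained hash table keyed by Source Connection ID, once with a constructed toy hash (the byte sum modulo the bucket count, an assumption that stands in for any hash whose output an attacker can steer; it is not picoquic's hash) and once with a keyed hash (BLAKE2b with a per-process random secret). Inserting the same set of IDs into both tables shows the unkeyed table collapsing into a single bucket while the keyed table stays balanced; a chain-length check gives operators a simple indicator for a table under collision pressure.

```python
import hashlib
import os
from collections import defaultdict

BUCKETS = 1024  # constructed bucket count for the demonstration


def weak_hash(cid: bytes) -> int:
    """Toy unkeyed hash (byte sum mod bucket count), constructed for this example.

    It stands in for any hash whose output an attacker can predict: every
    arrangement of the same byte values lands in the same bucket. It is not
    picoquic's hash function.
    """
    return sum(cid) % BUCKETS


class ConnectionTable:
    """Chained hash table keyed by Source Connection ID (constructed example)."""

    def __init__(self, keyed: bool = True, secret: bytes = b""):
        self.keyed = keyed
        # Per-process random key: it never appears on the wire, so a remote
        # peer cannot precompute IDs that share a bucket.
        self.secret = secret or os.urandom(16)
        self.buckets = defaultdict(list)

    def bucket_of(self, cid: bytes) -> int:
        if not self.keyed:
            return weak_hash(cid)
        digest = hashlib.blake2b(cid, key=self.secret, digest_size=8).digest()
        return int.from_bytes(digest, "big") % BUCKETS

    def insert(self, cid: bytes, conn: object) -> None:
        self.buckets[self.bucket_of(cid)].append((cid, conn))

    def lookup(self, cid: bytes):
        """Return (conn or None, number of CID comparisons performed)."""
        probes = 0
        for stored_cid, conn in self.buckets[self.bucket_of(cid)]:
            probes += 1
            if stored_cid == cid:
                return conn, probes
        return None, probes

    def max_chain(self) -> int:
        """Length of the longest collision chain; O(1) lookups need this to stay small."""
        return max((len(chain) for chain in self.buckets.values()), default=0)


def same_sum_cids(n: int) -> list:
    """Construct n distinct 8-byte CIDs with an identical byte sum.

    Each of four free bytes is paired with its complement (x, 255 - x), so the
    sum is always 1020 and every ID collides under weak_hash.
    """
    cids = []
    for i in range(n):
        free = i.to_bytes(4, "big")
        cids.append(bytes(b for x in free for b in (x, 255 - x)))
    return cids


def compare_tables(n: int = 10_000):
    """Insert the same n CIDs into an unkeyed and a keyed table; return both max chain lengths."""
    cids = same_sum_cids(n)
    weak, keyed = ConnectionTable(keyed=False), ConnectionTable(keyed=True)
    for cid in cids:
        weak.insert(cid, "conn")
        keyed.insert(cid, "conn")
    return weak.max_chain(), keyed.max_chain()


def chain_alert(table: ConnectionTable, threshold: int = 64) -> bool:
    """Operational check: flag a table whose longest chain exceeds the threshold."""
    return table.max_chain() > threshold


if __name__ == "__main__":
    weak_max, keyed_max = compare_tables()
    print(f"unkeyed table: longest chain {weak_max}; keyed table: longest chain {keyed_max}")
```

With 10,000 IDs the unkeyed table puts every entry in one bucket, so each lookup walks a chain of up to 10,000 comparisons; the keyed table spreads the same IDs across the buckets and its longest chain stays in the low tens. The design point is that the key is chosen at process start and never leaves the host, so bucket placement is unpredictable to a remote client regardless of which Source Connection IDs it chooses.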

Impact

Exploitation of this vulnerability leads to a substantial increase in CPU usage on the server, causing slowdowns of up to 300 times under certain conditions, such as with 10,000 parallel connections from malicious clients.

Reproduction

The vulnerability can be reproduced by sending connection requests with Source Connection IDs that are designed to collide under the hash function used by the server's connection management. This can be done by an attacker who knows how the hash function works and can predict or control the Source Connection ID values. Once the colliding IDs are sent, the server will experience a significant increase in CPU load as it processes the collisions.

Remediation

Users can update to picoquic version 1.1.31.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:          3.1
impact:          2.5
exploitability:  9.1
remediation:     7.7
relevance:       0.0
threat:          4.8
urgency:         2.9
incentive:      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.