LSQUIC Hash Collision Vulnerability Leading to Denial-of-Service

Vulnerability

A hash collision vulnerability has been identified in LSQUIC (LiteSpeed QUIC) versions prior to 4.2.0. It allows remote attackers to impose significant CPU load on the server, resulting in a Hash Denial-of-Service (DoS) condition. The issue arises from the use of the XXH32 hash function, which is susceptible to collisions. Attackers can exploit this by initiating connections with colliding Source Connection IDs (SCIDs), taking advantage of the hash table mechanism used to manage connections.

Impact

Exploitation of this vulnerability leads to a substantial increase in CPU usage on the server, causing slowdowns and potential service disruptions. Experimental results indicated a 300-fold slowdown when 10,000 parallel connections were initiated with colliding SCIDs.
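The CPU cost described above, shown as an added C example that is not LSQUIC's code: a chained connection table (chaining is an assumption here) with a toy byte-sum hash standing in for XXH32, fed constructed connection IDs. The names toy_hash, make_cids, insert_all and NBUCKETS are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 1024u /* constructed table size */
struct conn { uint8_t cid[8]; struct conn *next; };
struct stats { unsigned long compares; unsigned longest_chain; };

/* Toy unkeyed hash (NOT XXH32): a byte sum, so collisions are predictable. */
static uint32_t toy_hash(const uint8_t cid[8]) {
    uint32_t h = 0;
    for (int i = 0; i < 8; i++) h += cid[i];
    return h;
}

/* Constructed sample IDs, n <= 1024. colliding != 0: n distinct IDs that all
 * hash to 510. Otherwise ID i hashes to i, so every ID gets its own bucket. */
void make_cids(uint8_t (*cids)[8], unsigned n, int colliding) {
    memset(cids, 0, (size_t)n * 8);
    for (unsigned i = 0; i < n; i++) {
        uint8_t lo = i & 0xff, hi = (i >> 8) & 0xff, q = (i / 4) & 0xff;
        if (colliding) {
            cids[i][0] = lo; cids[i][1] = 255 - lo;
            cids[i][2] = hi; cids[i][3] = 255 - hi;
        } else {
            cids[i][0] = cids[i][1] = cids[i][2] = cids[i][3] = q;
            cids[i][4] = i % 4;
        }
    }
}

/* Insert n IDs into a chained table, walking the bucket chain for a duplicate
 * before each insert. Returns key comparisons done and the longest chain. */
struct stats insert_all(uint8_t (*cids)[8], unsigned n) {
    struct conn **buckets = calloc(NBUCKETS, sizeof *buckets);
    struct conn *pool = calloc(n, sizeof *pool);
    struct stats st = {0, 0};
    for (unsigned i = 0; buckets && pool && i < n; i++) {
        struct conn **head = &buckets[toy_hash(cids[i]) % NBUCKETS];
        unsigned len = 1, dup = 0;
        for (struct conn *c = *head; c && !dup; c = c->next, len++, st.compares++)
            dup = memcmp(c->cid, cids[i], 8) == 0;
        if (dup) continue;
        memcpy(pool[i].cid, cids[i], 8);
        pool[i].next = *head; *head = &pool[i];
        if (len > st.longest_chain) st.longest_chain = len;
    }
    free(buckets); free(pool);
    return st;
}
```

With 1,000 constructed IDs, the colliding set costs 499,500 key comparisons and builds one chain of 1,000 entries, while the spread set costs none. The longest chain length is a cheap metric for a server to export and alert on.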

Reproduction

The vulnerability can be reproduced by sending a large number of connection requests to a server running an affected version of LSQUIC, using Source Connection IDs that are deliberately chosen to collide under the XXH32 hash function. This can be done using a custom script or tool that automates the process of generating colliding SCIDs and sending them to the server.

Remediation

Users can upgrade to LSQUIC version 4.2.0 or later, where this vulnerability has been addressed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.