Cloudflare quiche
cpe:2.3:a:cloudflare:quiche:*:*:*:*:*:*:*
- >= 0.15.0
A vulnerability in Cloudflare quiche versions from 0.15.0 up to, but not including, 0.24.5 allows a remote peer to trigger an infinite loop by sending packets that include RETIRE_CONNECTION_ID frames. The issue arises after the QUIC handshake, when the local endpoint manages the Connection IDs used by the remote peer. An unauthenticated remote attacker can exploit it by completing a handshake and then sending frames that trigger a Connection ID retirement. When the victim tries to retire a Connection ID through a packet, it cannot retire the same ID it is using to send that packet. However, in cases such as path migration, different active Connection IDs can interfere with each other. The exploit takes advantage of a quiche feature designed to manage Connection ID retirement across paths, causing an infinite loop.
Exploitation of this vulnerability leads to an infinite loop, causing a denial-of-service condition by disrupting normal processing and potentially exhausting resources.
Users can upgrade to Cloudflare quiche version 0.24.5 or later to address this vulnerability.
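To check whether a Rust project pins an affected release, the following added example (not part of the original advisory or of the quiche project) scans Cargo.lock text for `quiche` entries in the range stated above. The function names and the sample lockfile are constructed for illustration, and it assumes the usual `name` / `version` layout of Cargo.lock package entries.

```rust
// Added example: flag quiche versions in the affected range 0.15.0 <= v < 0.24.5.
const FIRST_AFFECTED: (u64, u64, u64) = (0, 15, 0);
const FIXED: (u64, u64, u64) = (0, 24, 5);

// Constructed Cargo.lock excerpt (not taken from a real project).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "quiche"
version = "0.22.0"

[[package]]
name = "example-dep"
version = "1.2.3"
"#;

/// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into (core, has_prerelease).
fn parse_version(s: &str) -> Option<((u64, u64, u64), bool)> {
    let no_build = s.split('+').next()?;
    let (core, pre) = no_build.split_once('-').map_or((no_build, false), |(c, _)| (c, true));
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { return None; }
    Some((v, pre))
}

/// True if the version is in the affected range. A pre-release of the fixed
/// version sorts before the fix, so it is treated as affected.
fn is_affected(version: &str) -> Option<bool> {
    let (core, pre) = parse_version(version)?;
    Some(core >= FIRST_AFFECTED && (core < FIXED || (core == FIXED && pre)))
}

/// Return every affected quiche version found in the lockfile text.
fn affected_quiche_versions(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut in_quiche = false;
    for line in lock.lines().map(str::trim) {
        if line.starts_with("name = ") {
            in_quiche = line == "name = \"quiche\"";
        } else if let (true, Some(v)) = (in_quiche, line.strip_prefix("version = \"")) {
            let v = v.trim_end_matches('"');
            // Unparseable versions are reported too, so they get a manual look.
            if is_affected(v).unwrap_or(true) { hits.push(v.to_string()); }
        }
    }
    hits
}

fn main() { for v in affected_quiche_versions(SAMPLE_LOCK) { println!("affected quiche {v}"); } }
```

A lockfile can contain more than one `quiche` entry when several versions are resolved, so every match is returned rather than only the first.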