A vulnerability in XQUIC, Alibaba’s QUIC and HTTP/3 library, has been identified by FoxIO researcher Sébastien Féry, allowing remote clients to crash servers using normal traffic. Known as XRING, this flaw requires no authentication or malformed packets, making it a significant threat to any server deploying the library.
Widespread Impact on Servers
XQUIC, a widely used open-source library, is embedded in various servers, including Alibaba’s Tengine, which supports major sites like Taobao and Alipay. The flaw affects every version through v1.9.4, with no patch available as of July 10. Until a fix is released, operators are advised to disable QPACK’s dynamic table by setting SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0 or to cease HTTP/3 support altogether.
Technical Details of the Vulnerability
The XRING flaw resides in the way HTTP/3 compresses headers with QPACK, a system designed to reduce redundant header transmission. XQUIC utilizes a ring buffer to store data, but an error occurs when resizing this buffer. This results in an incorrect calculation of the memory copy length, potentially leading to a buffer overflow. Although the bug was caught by security measures in Ubuntu’s glibc, the risk of memory corruption remains.
The vulnerability has been present since XQUIC’s initial public release in January 2022, and a proof of concept is already available. The flaw is part of a broader trend of remote crashes in HTTP/2 and HTTP/3 technologies, highlighting the need for robust security in these protocols.
Responses and Future Outlook
Despite multiple disclosure attempts by FoxIO, Alibaba had not responded by the time the information was made public. The security industry continues to monitor for potential exploitation in the wild. The Hacker News is seeking clarification from Alibaba regarding any forthcoming fixes or CVEs and whether the flaw has been actively exploited.
This incident underscores the critical nature of addressing vulnerabilities in widely used open-source software. As the industry awaits a resolution, it serves as a reminder for organizations to remain vigilant and proactive in their cybersecurity measures.
