AI Security AI安全 11h ago Updated 4h ago 更新于 4小时前 46

Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers XQUIC中未修补的XRING漏洞允许远程客户端导致HTTP/3服务器崩溃

A critical unpatched vulnerability named XRING exists in Alibaba's open-source XQUIC library, allowing remote clients to crash HTTP/3 servers via a simple integer underflow. The flaw resides in the QPACK dynamic table resizing logic, where a miscalculation causes a memory copy length to wrap around to a near-maximum value, triggering a buffer overflow. The attack requires only ~260 bytes of standard, compliant QPACK traffic and does not require authentication or malformed packets, affecting all 阿里开源库XQUIC存在名为XRING的未修补漏洞,允许远程客户端通过合法QPACK流量导致HTTP/3服务器崩溃。 漏洞根源为环形缓冲区扩容时的整数下溢错误,仅需约260字节标准流量即可触发,无需登录或畸形包。 所有XQUIC版本(至v1.9.4)均受影响,包括Tengine及淘宝、支付宝等后端服务,目前无官方补丁或CVE编号。 攻击者可通过特定布局驱动表增长触发错误分支,该缺陷自2022年首次发布以来一直存在且未被修复。 在修复前,运维人员可将`SETTINGS_QPACK_MAX_TABLE_CAPACITY`设为0以禁用动态表,或直接关闭HTTP/3支持。

65
Hot 热度
60
Quality 质量
70
Impact 影响力

Analysis 深度分析

TL;DR

  • A critical unpatched vulnerability named XRING exists in Alibaba's open-source XQUIC library, allowing remote clients to crash HTTP/3 servers via a simple integer underflow.
  • The flaw resides in the QPACK dynamic table resizing logic, where a miscalculation causes a memory copy length to wrap around to a near-maximum value, triggering a buffer overflow.
  • The attack requires only ~260 bytes of standard, compliant QPACK traffic and does not require authentication or malformed packets, affecting all XQUIC versions up to v1.9.4.
  • Immediate mitigation involves setting SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0 to disable the dynamic table or disabling HTTP/3 support entirely until a patch is released.

Why It Matters

This vulnerability highlights the persistent fragility of header compression protocols like QPACK and HPACK, demonstrating how minor arithmetic errors in buffer management can lead to severe denial-of-service conditions. For infrastructure providers and developers using XQUIC or similar libraries, the lack of an immediate patch underscores the critical need for proactive defensive configurations and rigorous code auditing in network stack implementations.

Technical Details

  • Root Cause: An integer underflow occurs in the ring buffer copy logic during QPACK dynamic table resizing. When copying data from an old buffer to a newly allocated larger buffer, the code incorrectly calculates the size of the tail data against the new buffer's capacity instead of the old one's.
  • Exploitation Vector: The attacker drives the table into a specific wrapped layout (e.g., growing from 64 to 65 bytes) to trigger the faulty branch. The resulting overcount leads to a subtraction that underflows an unsigned size_t, causing a massive memory copy operation.
  • Impact: The excessive memory copy results in an out-of-bounds write, crashing the server process. In some environments (e.g., Ubuntu with _FORTIFY_SOURCE=2), glibc detects the bad length and terminates the process immediately.
  • Scope: All releases of XQUIC through v1.9.4 are vulnerable. The issue affects any server embedding XQUIC with default QPACK settings, including Alibaba's Tengine web server used by major platforms like Taobao and Alipay.
  • Disclosure Status: As of July 10, there is no fixed release or assigned CVE. The researcher, Sébastien Féry from FoxIO, disclosed the issue after multiple failed attempts to contact Alibaba's security team.

Industry Insight

  • Immediate Action Required: Organizations running HTTP/3 services on XQUIC must implement the workaround of disabling the QPACK dynamic table (SETTINGS_QPACK_MAX_TABLE_CAPACITY = 0) or disabling HTTP/3 until a patch is available.
  • Protocol Hardening: This incident reinforces the need for strict bounds checking and overflow protection in all header compression implementations, particularly given the history of similar bugs in HPACK (HTTP/2 Bomb) and other QUIC stacks.
  • Supply Chain Risk: Since XQUIC is open-source, the vulnerability extends beyond Alibaba to any third-party service integrating the library. Developers should audit their dependencies for similar arithmetic vulnerabilities in memory management routines.

TL;DR

  • 阿里开源库XQUIC存在名为XRING的未修补漏洞,允许远程客户端通过合法QPACK流量导致HTTP/3服务器崩溃。
  • 漏洞根源为环形缓冲区扩容时的整数下溢错误,仅需约260字节标准流量即可触发,无需登录或畸形包。
  • 所有XQUIC版本(至v1.9.4)均受影响,包括Tengine及淘宝、支付宝等后端服务,目前无官方补丁或CVE编号。
  • 攻击者可通过特定布局驱动表增长触发错误分支,该缺陷自2022年首次发布以来一直存在且未被修复。
  • 在修复前,运维人员可将SETTINGS_QPACK_MAX_TABLE_CAPACITY设为0以禁用动态表,或直接关闭HTTP/3支持。

为什么值得看

该漏洞揭示了HTTP/3/QPACK实现中基础内存管理的严重缺陷,证明了即使完全合规的流量也能导致服务拒绝,对依赖XQUIC的基础设施构成直接威胁。它反映了开源项目安全响应机制的滞后风险,提醒从业者必须关注底层协议栈的边界条件处理及临时缓解措施。

技术解析

  • 漏洞机理:XQUIC使用环形缓冲区存储QPACK动态表。当客户端请求扩容时,代码在处理数据复制的四种情况之一时,错误地基于新缓冲区容量而非旧缓冲区计算剩余尾部数据大小,导致严重的计数溢出。
  • 触发条件:利用无符号整数类型(size_t)的特性,错误的长度计算导致减法运算发生下溢,产生接近最大值的拷贝长度,从而引发越界内存写入并触发glibc的_FORTIFY_SOURCE=2保护机制导致进程终止。
  • 攻击向量:无需恶意载荷或身份验证,仅需构造特定的QPACK编码器流请求(如将64字节表扩容至65字节并触发环绕布局),即可稳定复现崩溃。
  • 影响范围:涉及所有嵌入XQUIC并启用默认QPACK设置的HTTP/3服务器,包括阿里巴巴云CDN及Tengine Web服务器。

行业启示

  • 协议栈安全性:HTTP/2/3头部压缩算法(HPACK/QPACK)的实现复杂度增加了内存安全漏洞的风险,开发者需加强对边界条件和整数溢出的静态分析与测试。
  • 开源维护责任:FoxIO多次尝试联系阿里安全团队未果后公开漏洞,凸显了开源项目安全响应流程的重要性,建议企业建立更严格的外部漏洞披露监控机制。
  • 即时缓解策略:在补丁发布前,通过配置禁用QPACK动态表或降级至HTTP/2是有效的短期防御手段,运维团队应立即评估受影响服务的暴露面。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Open Source 开源 Security 安全