Reported

March 15, 2024

Issued

May 20, 2024 (last modified: May 21, 2024)

Package

tls-listener (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Aliases

• CVE-2024-28854
• GHSA-2qph-qpvm-2qf7

References

• https://github.com/tmccombs/tls-listener/security/advisories/GHSA-2qph-qpvm-2qf7

CVSS Score

7.5 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.10.0

Affected Functions

Version

tls_listener::TlsListener::new

• <0.10.0

Description

tls-listener is a rust lang wrapper around a connection listener to support TLS. With the default configuration of tls-listener, a malicious user can open 6.4 TcpStreams a second, sending 0 bytes, and can trigger a DoS. The default configuration options make any public service using TlsListener::new() vulnerable to a slow-loris DoS attack. This impacts any publicly accessible service using the default configuration of tls-listener in versions prior to 0.10.0. Users are advised to upgrade. Users unable to upgrade may mitigate this by passing a large value, such as usize::MAX as the parameter to Builder::max_handshakes.

Advisory available under CC0-1.0 license.