Covert Channel Vulnerability in QUIC Protocol Affecting RFC 9000
CVE-2023-50923

Currently unrated

Key Information:

Vendor: IETF
CVE Published: 21 February 2024

Summary

The QUIC protocol, as specified in RFC 9000, has a flaw related to the Latency Spin Bit. When the Latency Spin Bit feature is disabled, the specification places no strict constraints on the bit's value, which allows remote attackers to construct covert channels. Such a channel could carry unauthorized data concealed within normal network traffic, which raises significant concerns for the security of online communication.

Timeline

  • Vulnerability published
