LSQUIC Security Update
We have a security update for LiteSpeed’s QUIC and HTTP/3 Library (LSQUIC). Recently we were made aware of a vulnerability affecting several QUIC implementations, including LSQUIC. We patched this vulnerability in v4.2.0.
Please update to the latest version of LSQUIC.
This Hash-based Denial-of-Service vulnerability, reported by Paul Bottinelli, Cryptography and Security Consultant at NCC Group, has been assigned CVE-2025-24947.
Impact
Several QUIC implementations, including LSQUIC, use a hash table to store Secure Connection IDs (SCIDs) as indices to connection data. If the hash function is weak, an attacker can trigger a denial of service by initiating connections with colliding SCIDs, causing significant slowdowns.
LSQUIC, while technically vulnerable to this type of attack, has a rate-limiting feature. If there are too many INIT packets for new connections, a Retry packet is triggered, and LSQUIC does not put the client-generated SCID into the hash table. As such, in a real-world deployment, this vulnerability is not easy to exploit against LSQUIC.
Previously, we used XXH32(), which is prone to hash collisions, to generate a 32-bit hash key. With v4.2.0, LSQUIC has switched to rapidhash, which allows us to use a stronger random seed and produces a 64-bit hash key.
Our tests show that this addresses the hash-collision issue well. Here are some examples: the same two SCIDs hashed in three runs, each without and then with a seed.
Run 1, without seed:
    211C6C858BB29CDD408F1EBDAA43A980CE016B71 -> F3C569EBDE612455
    211CEC85DBB29CDE418F1EBDAA43A980CF214B71 -> F3C569EBDE612455
Run 1, with seed:
    211C6C858BB29CDD408F1EBDAA43A980CE016B71 -> 3173D06C62EB64E2
    211CEC85DBB29CDE418F1EBDAA43A980CF214B71 -> EF06763606005C05
Run 2, without seed:
    211C6C858BB29CDD408F1EBDAA43A980CE016B71 -> 56B71185739E534A
    211CEC85DBB29CDE418F1EBDAA43A980CF214B71 -> 56B71185739E534A
Run 2, with seed:
    211C6C858BB29CDD408F1EBDAA43A980CE016B71 -> D18323CAAFD14A5A
    211CEC85DBB29CDE418F1EBDAA43A980CF214B71 -> 190C4F2674528BE1
Run 3, without seed:
    211C6C858BB29CDD408F1EBDAA43A980CE016B71 -> 9183B84F3AE05847
    211CEC85DBB29CDE418F1EBDAA43A980CF214B71 -> 9183B84F3AE05847
Run 3, with seed:
    211C6C858BB29CDD408F1EBDAA43A980CE016B71 -> D05A92D1069111F3
    211CEC85DBB29CDE418F1EBDAA43A980CF214B71 -> 3150BF22FFAA28E4
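The following Python example is added here to illustrate the mechanism behind the numbers above; it is not LSQUIC code. BLAKE2b in keyed mode stands in for seeded rapidhash, and a byte-sum hash stands in for any unkeyed hash whose collisions an attacker can compute offline. The two connection IDs are the ones from the test output above; the rotated variants, the 1024-slot table and the 16-byte seed are constructed for the example. It shows that inputs which collide under the unkeyed hash all land in one chain, that the keyed hash spreads the same inputs across the table, and how a chain-length check lets an operator notice a collision flood.

```python
import hashlib
import os
from collections import defaultdict

# Two 20-byte connection IDs copied from the advisory's test output.
SCID_A = bytes.fromhex("211C6C858BB29CDD408F1EBDAA43A980CE016B71")
SCID_B = bytes.fromhex("211CEC85DBB29CDE418F1EBDAA43A980CF214B71")

# Secret per-process seed drawn at startup (16 bytes is an assumption here).
# A table whose hash depends on this value cannot be pre-computed against.
SEED = os.urandom(16)


def weak_hash32(cid: bytes) -> int:
    """Toy unkeyed 32-bit hash (sum of bytes), standing in for any hash an
    attacker can evaluate offline.  It ignores byte order, so every
    permutation of a CID collides with it."""
    return sum(cid) & 0xFFFFFFFF


def keyed_hash64(cid: bytes, seed: bytes = SEED) -> int:
    """Keyed 64-bit hash: BLAKE2b keyed mode stands in for seeded rapidhash.
    Without knowing the seed, nobody can predict which inputs share a bucket."""
    digest = hashlib.blake2b(cid, digest_size=8, key=seed).digest()
    return int.from_bytes(digest, "big")


def rotated_cids(base: bytes, n: int) -> list:
    """Constructed sample input: n distinct byte rotations of base.  They all
    share one byte multiset, so they collide under weak_hash32."""
    return [base[i:] + base[:i] for i in range(n)]


def bucket_loads(cids, hash_fn, nbuckets: int = 1024) -> dict:
    """Number of CIDs that land in each slot of an nbuckets-slot table."""
    loads = defaultdict(int)
    for cid in cids:
        loads[hash_fn(cid) % nbuckets] += 1
    return dict(loads)


def max_bucket_load(cids, hash_fn, nbuckets: int = 1024) -> int:
    """Longest chain a lookup would have to walk: the DoS cost driver."""
    return max(bucket_loads(cids, hash_fn, nbuckets).values())


def looks_flooded(cids, hash_fn, nbuckets: int = 1024, threshold: int = 8) -> bool:
    """Detection aid: one chain far above the mean load is the signature of a
    collision flood rather than of ordinary connection churn."""
    return max_bucket_load(cids, hash_fn, nbuckets) > threshold


if __name__ == "__main__":
    flood = rotated_cids(SCID_A, 20)
    print("unkeyed: longest chain", max_bucket_load(flood, weak_hash32),
          "flooded:", looks_flooded(flood, weak_hash32))
    print("keyed  : longest chain", max_bucket_load(flood, keyed_hash64),
          "flooded:", looks_flooded(flood, keyed_hash64))
    print(f"keyed SCID_A {keyed_hash64(SCID_A):016X}  SCID_B {keyed_hash64(SCID_B):016X}")
```

Under the unkeyed hash all 20 rotations share one slot, so every lookup on that chain costs 20 comparisons; under the keyed hash the same inputs spread out and the flood check stays quiet. The seed only helps if it is unpredictable and differs per process, which is why the advisory pairs the hash change with a random seed rather than a fixed one.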
Actions
We recommend that those using the QUIC and HTTP/3 library upgrade to LSQUIC version 4.2.0 or higher to patch this vulnerability.
Those who are using LiteSpeed server products, including LiteSpeed Web Server (LSWS), LiteSpeed Web ADC (LSADC), and OpenLiteSpeed (OLS), should upgrade to the latest versions of these products.
Timeline
- January 10, 2025: We were alerted to the issue.
- January 15, 2025: Patch was added to our internal repo, to be included in all subsequent builds of our commercial server products.
- February 18, 2025: Released LSWS v6.3.2, LSADC v3.3.0, and OLS v1.8.3.
- February 18, 2025: Released LSQUIC v4.2.0 to the GitHub repository.
Conclusion
We thank Paul Bottinelli for bringing this issue to our attention. This vulnerability has been patched, so if you are keeping your LSQUIC library or your LiteSpeed server products up-to-date, there is nothing you need to do. If you have not updated in a while, please do so today.