CVE-2025-24356
Published: 27 January 2025
Description
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic to a target.
Security Summary
CVE-2025-24356 affects fastd, a VPN daemon that tunnels IP packets and Ethernet frames over UDP. The vulnerability stems from the "fast reconnect" feature: when a data packet arrives from an IP address/port combination the daemon does not know, it assumes an existing peer has changed address and sends a handshake packet to re-establish the connection. Because that decision is made before anything in the packet is authenticated, a 1-byte UDP packet containing only the fastd packet type header is enough to elicit a handshake response of roughly 150 bytes of UDP payload; with IPv4 and UDP headers counted, the reported amplification factor is roughly 12-13 (the exact handshake size, and so the factor, depends on the instance's configuration). fastd versions before v23 are affected.
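To make the mechanism concrete, the following is an added example and not fastd's own code: it models the pre-v23 fast-reconnect decision and, beside it, an illustrative hardened variant that only answers a data packet from an unknown address if the packet authenticates under an established session. The packet type values, the toy data-packet layout with an HMAC tag, the 150-byte filler handshake and the hardening policy itself are assumptions made for the example; the page does not establish that fastd's v23 fix takes this shape. reflect() counts IPv4 and UDP headers on both the attacker's and the victim's side.

```python
"""Model of fastd's pre-v23 fast-reconnect reflection with an illustrative hardened variant.
Added example; packet layout, type values and the hardening policy are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field

IPV4_HEADER = 20
UDP_HEADER = 8
TYPE_HANDSHAKE = 0x01   # placeholder type values, not fastd's real constants
TYPE_DATA = 0x02
TAG_LEN = 16


def build_handshake(payload_len: int = 150) -> bytes:
    """Constructed stand-in for a handshake: type byte plus filler up to the
    ~150-byte UDP payload the summary describes (real handshakes carry records)."""
    return bytes([TYPE_HANDSHAKE]) + b"\x00" * (payload_len - 1)


def make_data_packet(session_id: int, key: bytes, body: bytes) -> bytes:
    """Toy authenticated data packet: type | session id | tag | body (assumed layout)."""
    sid = session_id.to_bytes(4, "big")
    tag = hmac.new(key, sid + body, hashlib.sha256).digest()[:TAG_LEN]
    return bytes([TYPE_DATA]) + sid + tag + body


def verify_data_packet(sessions: dict, payload: bytes) -> bool:
    """True only if the packet carries a tag that is valid under a known session key."""
    if len(payload) < 1 + 4 + TAG_LEN:
        return False                      # a bare 1-byte type header can never pass
    sid, tag, body = payload[1:5], payload[5:5 + TAG_LEN], payload[5 + TAG_LEN:]
    key = sessions.get(int.from_bytes(sid, "big"))
    if key is None:
        return False
    expected = hmac.new(key, sid + body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


@dataclass
class Server:
    """verify_first=False models the pre-v23 behaviour: any data packet from an
    unknown (ip, port) triggers a handshake to that address. verify_first=True is
    the illustrative hardening (an assumption): the packet must authenticate under
    an existing session before a handshake is sent to an unknown address."""
    verify_first: bool = False
    known_peers: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)
    sent: list = field(default_factory=list)      # (dst, payload) the daemon emits

    def handle(self, src: tuple, payload: bytes):
        if not payload or payload[0] != TYPE_DATA or src in self.known_peers:
            return None                   # known peers take the data path; nothing reflected
        if self.verify_first and not verify_data_packet(self.sessions, payload):
            return None                   # unauthenticated probe from unknown source: silence
        resp = build_handshake()
        self.sent.append((src, resp))     # reply goes to the claimed source, spoofed or not
        return resp


def on_wire(payload_len: int) -> int:
    """Bytes an IPv4/UDP datagram with this payload occupies on the wire."""
    return IPV4_HEADER + UDP_HEADER + payload_len


def reflect(server: Server, victim: tuple, packets: int) -> dict:
    """Attacker sends `packets` 1-byte data packets whose source is spoofed to `victim`."""
    trigger = bytes([TYPE_DATA])
    attacker_bytes = victim_bytes = 0
    for _ in range(packets):
        attacker_bytes += on_wire(len(trigger))
        resp = server.handle(victim, trigger)
        if resp is not None:
            victim_bytes += on_wire(len(resp))
    return {
        "attacker_bytes": attacker_bytes,
        "victim_bytes": victim_bytes,
        "wire_ratio": round(victim_bytes / attacker_bytes, 1) if attacker_bytes else 0.0,
    }
```

At the UDP-payload level the model's ratio is 150:1; once the 28 bytes of IPv4 and UDP headers are added to both sides, the spoofed victim receives 178 bytes for every 29 the attacker sends. The hardened policy keeps fast reconnect working for a real peer whose address changed (its data packet still verifies under its session key) while giving a 1-byte probe nothing to reflect.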
Exploitation is remote, needs no privileges or user interaction, and consists of sending data packets with a spoofed source address to internet-exposed fastd instances. Each instance reflects its larger handshake reply to the spoofed source, so an attacker with a list of exposed instances can use them to flood a victim, the volumetric reflection-amplification pattern behind many Distributed Denial of Service (DDoS) attacks.
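From the defender's side, the traffic pattern above is recognisable in flow data: a remote address that sends the fastd socket many packets with a payload of about one byte and gets back many handshake-sized replies is almost certainly a spoofed victim, not a peer. The following is an added detection example, not part of the page or of fastd. The flow line format, the monitored address 198.51.100.1, the port 1337 and the thresholds are all constructed for the example.

```python
"""Flag likely reflection victims of a fastd instance in UDP flow records.
Added example; format, addresses, port and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

FASTD_PORT = 1337            # assumed listening port (fastd takes it from its 'bind' setting)
SERVER_IP = "198.51.100.1"   # constructed address of the monitored fastd instance

# Heuristic thresholds (assumptions): a ~1-byte inbound payload answered by a
# ~150-byte handshake is the trigger pattern; volume filters out single reconnects.
MAX_TRIGGER_PAYLOAD = 4      # average inbound UDP payload bytes per packet
MIN_HANDSHAKE_PAYLOAD = 100  # average outbound UDP payload bytes per packet
MIN_PACKETS = 50             # minimum outbound packets before a remote is flagged


@dataclass
class Counters:
    in_bytes: int = 0
    in_pkts: int = 0
    out_bytes: int = 0
    out_pkts: int = 0


def parse_flow(line: str):
    """Parse 'src_ip,src_port,dst_ip,dst_port,udp_payload_bytes,packets' (constructed format)."""
    src_ip, src_port, dst_ip, dst_port, nbytes, npkts = line.strip().split(",")
    return src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes), int(npkts)


def aggregate(lines):
    """Sum traffic per remote (ip, port) in both directions around the fastd socket."""
    per_remote = defaultdict(Counters)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src_ip, src_port, dst_ip, dst_port, nbytes, npkts = parse_flow(line)
        if (dst_ip, dst_port) == (SERVER_IP, FASTD_PORT):
            c = per_remote[(src_ip, src_port)]
            c.in_bytes += nbytes
            c.in_pkts += npkts
        elif (src_ip, src_port) == (SERVER_IP, FASTD_PORT):
            c = per_remote[(dst_ip, dst_port)]
            c.out_bytes += nbytes
            c.out_pkts += npkts
    return per_remote


def find_reflection_victims(lines, known_peers=frozenset()):
    """Return [((ip, port), amplification)] for remotes that look like spoofed victims:
    tiny inbound packets, handshake-sized replies, high volume, not a configured peer."""
    hits = []
    for remote, c in aggregate(lines).items():
        if remote[0] in known_peers or c.in_pkts == 0 or c.out_pkts < MIN_PACKETS:
            continue
        if (c.in_bytes / c.in_pkts <= MAX_TRIGGER_PAYLOAD
                and c.out_bytes / c.out_pkts >= MIN_HANDSHAKE_PAYLOAD):
            hits.append((remote, round(c.out_bytes / c.in_bytes, 1)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample: one spoofed victim, one established peer exchanging data,
# one genuine first-contact handshake exchange (single packet each way).
SAMPLE_FLOWS = """\
# src_ip,src_port,dst_ip,dst_port,udp_payload_bytes,packets
203.0.113.9,40000,198.51.100.1,1337,500,500
198.51.100.1,1337,203.0.113.9,40000,75000,500
192.0.2.7,1337,198.51.100.1,1337,48000,40
198.51.100.1,1337,192.0.2.7,1337,52000,40
192.0.2.8,51000,198.51.100.1,1337,160,1
198.51.100.1,1337,192.0.2.8,51000,150,1
"""

if __name__ == "__main__":
    for remote, factor in find_reflection_victims(SAMPLE_FLOWS.splitlines()):
        print(f"possible reflection victim {remote[0]}:{remote[1]} amplification {factor}x")
```

Real NetFlow/IPFIX exports report layer-3 byte counts rather than UDP payload, so on such data the inbound threshold should be raised by the 28 bytes of IPv4/UDP headers and the ratio will come out lower than the payload-level figure. Known peer addresses belong in `known_peers` so that a configured peer that merely roams is not flagged.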
The vulnerability is fixed in fastd v23 through several commits in the project's GitHub repository, including changes that prevent the amplification response. Operators should upgrade exposed instances to v23 or later. Where that cannot happen immediately, restricting inbound access to the fastd UDP port to known peer addresses at the firewall limits exposure, since the reflection only occurs if the spoofed packet reaches the daemon; this breaks peers whose addresses change and is a stop-gap, not a substitute for the fix.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables reflection amplification: the daemon answers small, spoofed UDP packets with larger handshake responses, which directly supports volumetric DDoS attacks via T1498.002 (Network Denial of Service: Reflection Amplification).