TrustTunnel has `client_random_prefix` rule bypass via fragmented or partial TLS ClientHello
Description
TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115.

In tls_listener.rs, TlsListener::listen() peeks 1024 bytes and calls extract_client_random(...). If parse_tls_plaintext fails (for example, on a fragmented/partial ClientHello split across TCP writes), extract_client_random returns None. In rules.rs, RulesEngine::evaluate only evaluates client_random_prefix when client_random is Some(...). As a result, when extraction fails (client_random == None), any rule that relies on client_random_prefix matching is skipped and evaluation falls through to later rules.

An important semantics note: client_random_prefix is a match condition only. It does not mean "block non-matching prefixes" by itself. A rule with client_random_prefix = ... triggers its action only when the prefix matches (and the field is available to evaluate). Non-matches (or None) simply do not match that rule and continue to fall through.

The vulnerability is fixed in version 0.9.115.
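The following Rust program is an added illustration of the two behaviours described above and is not TrustTunnel's own code: a rules engine that skips prefix conditions when the client random is None (so a partial ClientHello falls through to later rules), and a listener decision that instead distinguishes "record not complete yet" from "not TLS" and waits for more bytes before evaluating. The names (Extract, Decision, decide, sample_client_hello), the rule ordering and the default-deny fallback are assumptions made for the example; the TLS offsets (5-byte record header, 4-byte handshake header, 2-byte client version, 32-byte client random) are the standard layout.

```rust
// Added example (not TrustTunnel's code): a rules engine that skips
// `client_random_prefix` when no client random was extracted, beside a
// listener decision that fails closed on an incomplete ClientHello.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action {
    Allow,
    Block,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Extract {
    /// A complete ClientHello was present; the 32-byte client random was copied out.
    Random([u8; 32]),
    /// The peeked bytes look like a TLS handshake record, but it is not complete yet.
    Incomplete,
    /// Not a TLS handshake record at all.
    NotTls,
}

/// Parse a peeked buffer as a TLS plaintext record carrying a ClientHello.
/// Layout: record header (type, version, len16), handshake header (type, len24),
/// then client_version (2 bytes) and client_random (32 bytes).
pub fn extract_client_random(buf: &[u8]) -> Extract {
    if buf.len() < 5 {
        return Extract::Incomplete; // cannot even read the record header yet
    }
    if buf[0] != 0x16 || buf[1] != 0x03 {
        return Extract::NotTls; // not a handshake record with a TLS major version
    }
    let record_len = u16::from_be_bytes([buf[3], buf[4]]) as usize;
    let body = &buf[5..];
    if body.len() < record_len {
        return Extract::Incomplete; // record split across TCP writes: wait, do not evaluate
    }
    let body = &body[..record_len];
    if body.len() < 4 || body[0] != 0x01 {
        return Extract::NotTls; // handshake type 1 = ClientHello
    }
    let hs_len = ((body[1] as usize) << 16) | ((body[2] as usize) << 8) | body[3] as usize;
    if hs_len + 4 > body.len() {
        return Extract::Incomplete; // ClientHello spans several records: needs reassembly
    }
    if body.len() < 4 + 2 + 32 {
        return Extract::NotTls;
    }
    let mut random = [0u8; 32];
    random.copy_from_slice(&body[6..38]);
    Extract::Random(random)
}

pub struct Rule {
    pub client_random_prefix: Option<Vec<u8>>, // None = unconditional rule
    pub action: Action,
}

/// Evaluation in the style the advisory describes: a prefix condition is only
/// checked when a random is available, so with `None` the rule is skipped and
/// evaluation falls through to the next rule.
pub fn evaluate_skipping(rules: &[Rule], client_random: Option<&[u8; 32]>) -> Option<Action> {
    for rule in rules {
        match (&rule.client_random_prefix, client_random) {
            (Some(prefix), Some(random)) if random.starts_with(prefix) => return Some(rule.action),
            (Some(_), _) => continue, // no random, or no match: fall through
            (None, _) => return Some(rule.action),
        }
    }
    None
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Act(Action),
    NeedMoreData,
    Reject,
}

/// Listener-side decision (assumed design): never evaluate rules with `None`;
/// wait for the rest of the record, and reject when nothing matched at all.
pub fn decide(rules: &[Rule], peeked: &[u8]) -> Decision {
    match extract_client_random(peeked) {
        Extract::Random(r) => evaluate_skipping(rules, Some(&r))
            .map(Decision::Act)
            .unwrap_or(Decision::Reject),
        Extract::Incomplete => Decision::NeedMoreData,
        Extract::NotTls => Decision::Reject,
    }
}

/// Constructed minimal ClientHello record (header, version, random only).
pub fn sample_client_hello(random: [u8; 32]) -> Vec<u8> {
    let mut hs = vec![0x01, 0x00, 0x00, 34]; // handshake type + 24-bit length (2 + 32)
    hs.extend_from_slice(&[0x03, 0x03]);
    hs.extend_from_slice(&random);
    let mut rec = vec![0x16, 0x03, 0x01, 0x00, hs.len() as u8];
    rec.extend(hs);
    rec
}

fn main() {
    let rules = vec![
        Rule { client_random_prefix: Some(vec![0xAA, 0xBB]), action: Action::Block },
        Rule { client_random_prefix: None, action: Action::Allow },
    ];
    let mut random = [0u8; 32];
    random[0] = 0xAA;
    random[1] = 0xBB;
    let full = sample_client_hello(random);
    println!("full hello, skipping engine: {:?}", evaluate_skipping(&rules, Some(&random)));
    println!("no random, skipping engine:  {:?}", evaluate_skipping(&rules, None));
    println!("partial hello, fail-closed:  {:?}", decide(&rules, &full[..20]));
}
```

The first rule is meant to block a prefix; with the skipping engine a `None` random bypasses it and lands on the catch-all Allow, whereas `decide` returns NeedMoreData for the same partial buffer so the block rule is evaluated once the record is complete.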
Affected products
- (no CPE) range: v0.9.100, v0.9.102, v0.9.105, …
- (no CPE) range: <0.9.115
References
- github.com/TrustTunnel/TrustTunnel/commit/aa5060145506952b9431b0ed3edb52bb6c08d9a6
- github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87