New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to carry out denial-of-service (DoS) attacks.
The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.
“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream,” CERT/CC said in an advisory on April 3, 2024.
“An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.”
As in HTTP/1, HTTP/2 uses header fields within requests and responses. These header fields can comprise header lists, which in turn are serialized and broken into header blocks. The header blocks are then divided into block fragments and transmitted within HEADERS or what are known as CONTINUATION frames.
“The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments,” the documentation for RFC 7540 reads.
“Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set.”
The last frame containing headers will have the END_HEADERS flag set, which signals to the remote endpoint that it is the end of the header block.
According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities within many HTTP/2 protocol implementations that poses a more severe threat than the Rapid Reset attack that came to light in October 2023.
“A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation,” the researcher said. “Remarkably, requests that constitute an attack are not visible in HTTP access logs.”
The vulnerability, at its core, has to do with incorrect handling of HEADERS and multiple CONTINUATION frames, which paves the way for a DoS condition.
In other words, an attacker can initiate a new HTTP/2 stream against a target server using a vulnerable implementation and send HEADERS and CONTINUATION frames with no END_HEADERS flag set, creating a never-ending stream of headers that the HTTP/2 server would need to parse and store in memory.
While the exact outcome varies depending on the implementation, impacts range from an instant crash after sending a few HTTP/2 frames and an out of memory crash to CPU exhaustion, thereby affecting server availability.
“RFC 9113 […] mentions multiple security issues that may arise if CONTINUATION frames are not handled correctly,” Nowotarski said.
“At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag, which can have repercussions on affected servers.”
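As an added illustration (not code from the article, the researcher, or any of the affected projects), the check the advisory is asking for: a guard that bounds an in-progress header block by accumulated bytes and by CONTINUATION count while the block is still arriving, rather than only after END_HEADERS. The frame layout follows RFC 9113; the limit values, function names and sample frames are assumptions made for this example.

```python
import struct

HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4  # frame types and flag bit from RFC 9113
def frame(ftype, flags, stream_id, payload):
    # Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse(raw):
    # Inverse of frame(): returns (type, flags, stream_id, payload)
    length = int.from_bytes(raw[:3], "big")
    return raw[3], raw[4], struct.unpack(">I", raw[5:9])[0] & 0x7FFFFFFF, raw[9:9 + length]

class HeaderBlockGuard:
    """Bounds a header block while it arrives (limit values are assumptions for this example)."""
    def __init__(self, max_block_bytes=8192, max_continuations=8):
        self.max_block_bytes, self.max_continuations = max_block_bytes, max_continuations
        self.open = None  # [stream_id, bytes accumulated, CONTINUATION frames seen] or None
    def feed(self, raw):
        ftype, flags, sid, payload = parse(raw)
        if self.open is None:
            if ftype != HEADERS:
                return "rejected: CONTINUATION without HEADERS" if ftype == CONTINUATION else "ignored"
            self.open = [sid, 0, 0]
        elif ftype != CONTINUATION or sid != self.open[0]:
            self.open = None  # RFC 9113 6.10: only a same-stream CONTINUATION may follow
            return "rejected: header block interrupted"
        else:
            self.open[2] += 1
        self.open[1] += len(payload)
        if self.open[1] > self.max_block_bytes or self.open[2] > self.max_continuations:
            self.open = None
            return "rejected: header block limit exceeded"
        if flags & END_HEADERS:
            self.open = None
            return "complete"
        return "accepted"

def verdicts(frames, **limits):
    # Feed frames in order; returns each verdict up to and including the first rejection
    guard, out = HeaderBlockGuard(**limits), []
    for f in frames:
        out.append(guard.feed(f))
        if out[-1].startswith("rejected"):
            break
    return out

# Constructed samples: a valid two-frame block, and a block that never sets END_HEADERS
LEGIT = [frame(HEADERS, 0, 1, b"\x82" * 100), frame(CONTINUATION, END_HEADERS, 1, b"\x86" * 100)]
UNTERMINATED = [frame(HEADERS, 0, 3, b"\x82" * 1024)] + [frame(CONTINUATION, 0, 3, b"\x82" * 1024)] * 50
```

A guard like this drops the connection at the byte or frame limit regardless of whether END_HEADERS ever arrives, which is the behaviour the vulnerable implementations lacked.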
The issue impacts several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Users are recommended to upgrade affected software to the latest version to mitigate potential threats. In the absence of a fix, it's advised to consider temporarily disabling HTTP/2 on the server.
Some parts of this article are sourced from:
thehackernews.com