New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct denial-of-service (DoS) attacks (not to be confused with HTTP/3, the third version of the protocol, which is a completely different thing).
What are the issues that cause the HTTP/2 vulnerabilities and make DoS attacks possible?
The technique was named HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.
“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream”, CERT/CC stated in an advisory dated 3 April 2024.
CERT/CC subsequently added that “An attacker who can send packets to a target server can send a series of CONTINUATION frames which will not be added to the header list in memory, but will still be processed and decoded by the server or will be added to the header list, causing a crash due to out of memory (OOM)”.
As in HTTP/1, HTTP/2 uses header fields within requests and responses; these header fields can include lists of headers, which in turn are serialized and divided into header blocks.
The header blocks are then split into block fragments and transmitted within HEADERS frames or in what are called CONTINUATION frames.
“The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments”, reads the documentation for RFC 7540, which then adds: “Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE or CONTINUATION frame without the END_HEADERS flag set”.
The last frame containing the headers will have the END_HEADERS flag set, which signals to the remote endpoint that it is the end of the header block.
According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities found in several implementations of the HTTP/2 protocol, and it poses a more serious threat than the Rapid Reset attack that emerged in October 2023.
“A single machine (and in some cases, a single TCP connection or a handful of frames) has the potential to disrupt server accessibility, with consequences ranging from server crashes to substantial performance degradation”, the researcher said. “Remarkably, requests that constitute an attack are not visible in HTTP access logs”.
The vulnerability, at its core, concerns the incorrect handling of HEADERS and multiple CONTINUATION frames, which paves the way for a DoS condition.
In other words, an attacker can open a new HTTP/2 stream against a target server running a vulnerable implementation and send HEADERS and CONTINUATION frames without ever setting the END_HEADERS flag, creating an endless stream of headers that the HTTP/2 server has to parse and store in memory.
While the exact outcome varies depending on the implementation, impacts range from an immediate crash after sending just a couple of HTTP/2 frames, to freezing due to lack of memory, to CPU exhaustion, all of which affect the availability of the server.
“RFC 9113 […] mentions multiple security issues that can arise if CONTINUATION frames are not handled properly”, said Nowotarski, who later added: “At the same time, it does not mention a specific case where CONTINUATION frames are sent without the final END_HEADERS flag which can impact affected servers”.
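The defensive check CERT/CC describes (limiting the number and size of CONTINUATION frames buffered per stream) can be shown with a small frame walker. This is an added example, not code from the article or from any of the affected projects: it parses the 9-byte HTTP/2 frame header, tracks an open header block, and rejects the sequence once the CONTINUATION count or the buffered fragment size exceeds assumed policy limits (the limits, the sample frames and the frame() helper are constructed here for illustration).

```python
import struct

HEADERS, CONTINUATION = 0x1, 0x9   # frame types from RFC 7540 / RFC 9113
END_HEADERS = 0x4                  # flag that closes a header block
MAX_CONTINUATION_FRAMES = 8        # assumed policy limit (not an RFC value)
MAX_HEADER_BLOCK_BYTES = 16 * 1024 # assumed cap on buffered fragment bytes


def frame(ftype, flags, stream_id, payload):
    """Build one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    head = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return head + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def check_header_blocks(data):
    """Walk a byte string of frames; return (ok, reason).
    Frames are counted, not just bytes, so zero-length CONTINUATION frames
    (which add nothing to the header list but still cost processing) are limited too."""
    pos, open_stream, cont_count, buffered = 0, None, 0, 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        pos += 9
        payload = data[pos:pos + length]
        if len(payload) != length:
            return (False, "truncated frame")
        pos += length
        if open_stream is None:
            if ftype == CONTINUATION:
                return (False, "CONTINUATION without preceding HEADERS")
            if ftype == HEADERS:
                buffered, cont_count = length, 0
                if not flags & END_HEADERS:
                    open_stream = stream_id   # header block stays open
        else:
            # While a block is open, only CONTINUATION on the same stream is legal.
            if ftype != CONTINUATION or stream_id != open_stream:
                return (False, "expected CONTINUATION on stream %d" % open_stream)
            cont_count += 1
            buffered += length
            if cont_count > MAX_CONTINUATION_FRAMES:
                return (False, "too many CONTINUATION frames")
            if buffered > MAX_HEADER_BLOCK_BYTES:
                return (False, "header block too large")
            if flags & END_HEADERS:
                open_stream = None            # block complete
    return (True, "ok")


# Constructed samples: a normal three-frame header block and a flood that never ends it.
BENIGN = (frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, 0, 1, b"\x86")
          + frame(CONTINUATION, END_HEADERS, 1, b"\x84"))
FLOOD = frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, 0, 1, b"") * 20
```

A real server would apply the same limits inside its frame decoder and reset the connection (not just the stream) on violation, since the attack needs only one TCP connection.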
The problem affects several projects, such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), the Rust h2 crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983) and Tempesta FW (CVE-2024-2758).
Users are advised to update affected software to the latest version to mitigate potential threats; where no fix is yet available, we recommend considering temporarily disabling HTTP/2 on the server.