WARNING: MULTIPLE VULNERABILITIES IN HTTP/2 PROTOCOL IMPLEMENTATION DISRUPTS SERVER AVAILABILITY IN AN ATTACK KNOWN AS CONTINUATION FLOOD. PATCH IMMEDIATELY!
CVE-2024-27983
CVSS 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
CVE-2024-27919
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2024-2758
Estimated CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2024-2653
CVSS 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
CVE-2023-45288
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVE-2024-28182
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVE-2024-27316
Estimated CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2024-31309
Estimated CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2024-30255
CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVE-2024-24549
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Where it is marked “estimated”, the Centre for Cybersecurity Belgium the CVSS score using the National Vulnerability Database’s online calculator, using the information available at the time of the vulnerabilities
Sources
Risks
Different implementations of HTTP/2 are vulnerable to what is known as HTTP/2 CONTINUATION Flood. In this type of attack, an attacker can leverage a diversity of existing, vulnerable implementations to disrupt server availability, with consequences ranging from instant server crashes to Out of Memory crashes, to CPU exhaustion affecting servers’ performance. Some vendors reported limited impact on integrity as well.
The particularity of HTTP/2 CONTINUATION Flood is that in certain instances, a single machine – or a single TCP connection or even a handful of frames – are sufficient to cause a denial of service condition. In addition, requests that constitute an attack are not visible to admins in HTTP access logs. Media reporting assesses this attack type could be more severe than HTTP/2 Rapid Reset, a distributed denial of service (DDoS) attack considered up until now to be the most powerful hyper-volumetric attack[1].
While there is no report as of yet of active exploitation, threat actors could start exploiting one or more of these vulnerabilities. The potential is high: Cloudflare Radar estimates HTTP/2 traffic accounts for around 60% of all human HTTP traffic[2].
[1] For a full report on HTTP/2 Rapid Reset, you may consult the article “HTTP/2 Rapid Reset: deconstructing the record-breaking attack” written by Lucas Pardue and Julien Desgats, available at https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack
[2] See Cloudflare Radar, available at https://radar.cloudflare.com/adoption-and-usage
Description
For all the vulnerabilities listed below, the issue lies in the implementation of HTTP/2.
First, many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream. The absence of frame checks allows an attacker to send packets to a target server in a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.
The implementation will continue to receive frames as long as the END_HEADERS flag is not set during these communications. An attacker can initialize a connection to a server with typical HTTP/2 frames and then receive initial frames from the server. The attacker can then begin an HTTP request with no set END_HEADERS flags. This can allow an attacker to send a stream of CONTINUATION frames to the target server, which can result in an out-of-memory crash, enabling an attacker to launch a denial of service (DoS) attack against a target server using a vulnerable implementation.
Additionally, an attacker can send HPACK Huffman encoded CONTINUATION frames to a target implementation. This can cause CPU resource exhaustion and result in a DoS as the CPU must decode every encoded frame that it receives.
CVE-2024-27983
An attacker can make the Node.js HTTP/2 server unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
CVE-2024-27919
Envoy's oghttp codec does not reset a request when header map limits have been exceeded. This allows an attacker to send an sequence of CONTINUATION frames without the END_HEADERS bit set causing unlimited memory consumption.
CVE-2024-2758
Tempesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately.
CVE-2024-2653
amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they're used with an unpatched version of amphp/http. Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.
CVE-2023-45288
The Go packages net/http and net/http2 packages do not limit the number of CONTINUATION frames read for an HTTP/2 request, which permits an attacker to provide an arbitrarily large set of headers for a single request, that will be read, decoded, and subsequently discarded, which may result in excessive CPU consumption.
CVE-2024-28182
An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in a DoS.
CVE-2024-27316
HTTP/2 CONTINUATION frames without the END_HEADERS flag set can be sent in a continuous stream by an attacker to an Apache Httpd implementation, which will not properly terminate the request early.
CVE-2024-31309
HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.
CVE-2024-30255
HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoys HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoys header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic.
CVE-2024-24549
When processing an HTTP/2 request in Apache Tomcat, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This improper input validation can lead to a denial of service condition.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Depending on the HTTP/2 implementation you use, it is recommended you apply patches made available by vendors as listed in the table in the section entitled “References” in this document.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
|
Source Name |
Source link |
|
Node.js HTTP/2 server |
|
|
Envoy http/2 codec |
https://github.com/envoyproxy/envoy/security/advisories/GHSA-gghf-vfxp-799r and https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm |
|
Tempesta FW |
https://github.com/tempesta-tech/tempesta/security/advisories/GHSA-3xwj-5ch3-q9p4 |
|
amphp/http-client |
https://github.com/amphp/http-client/security/advisories/GHSA-w8gf-g2vq-j2f4 |
|
Go |
|
|
nghttp2 |
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q |
|
Apache HTTP Server |
|
|
Apache Traffic Server |
|
|
Apache Tomcat |