New analysis has discovered that the CONTINUATION body within the HTTP/2 protocol may be exploited to conduct denial-of-service (DoS) assaults.
The method has been codenamed HTTP/2 CONTINUATION Flood by safety researcher Bartek Nowotarski, who reported the difficulty to the CERT Coordination Middle (CERT/CC) on January 25, 2024.
“Many HTTP/2 implementations don’t correctly restrict or sanitize the quantity of CONTINUATION frames despatched inside a single stream,” CERT/CC stated in an advisory on April 3, 2024.
“An attacker that may ship packets to a goal server can ship a stream of CONTINUATION frames that won’t be appended to the header listing in reminiscence however will nonetheless be processed and decoded by the server or can be appended to the header listing, inflicting an out of reminiscence (OOM) crash.”
Like in HTTP/1, HTTP/2 makes use of header fields inside requests and responses. These header fields can comprise header lists, which in flip, are serialized and damaged into header blocks. The header blocks are then divided into block fragments and transmitted inside HEADERS or what’s referred to as CONTINUATION frames.
“The CONTINUATION body (sort=0x9) is used to proceed a sequence of header block fragments,” the documentation for RFC 7540 reads.
“Any variety of CONTINUATION frames may be despatched, so long as the previous body is on the identical stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION body with out the END_HEADERS flag set.”
The final body containing headers can have the END_HEADERS flag set, which alerts the distant endpoint that it is the finish of the header block.
In response to Nowotarski, CONTINUATION Flood is a category of vulnerabilities inside a number of HTTP/2 protocol implementations that pose a extra extreme menace in comparison with the Fast Reset assault that got here to mild in October 2023.
“A single machine (and in sure situations, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with penalties starting from server crashes to substantial efficiency degradation,” the researcher stated. “Remarkably, requests that represent an assault are usually not seen in HTTP entry logs.”
The vulnerability, at its core, has to do with incorrect dealing with of HEADERS and a number of CONTINUATION frames that pave the best way for a DoS situation.
In different phrases, an attacker can provoke a brand new HTTP/2 stream in opposition to a goal server utilizing a susceptible implementation and ship HEADERS and CONTINUATION frames with no set END_HEADERS flag, making a endless stream of headers that the HTTP/2 server would wish to parse and retailer in reminiscence.
Whereas the precise end result varies relying on the implementation, impacts vary from prompt crash after sending a few HTTP/2 frames and out of reminiscence crash to CPU exhaustion, thereby affecting server availability.
“RFC 9113 […] mentions a number of safety points which will come up if CONTINUATION frames are usually not dealt with appropriately,” Nowotarski stated.
“On the identical time, it doesn’t point out a selected case wherein CONTINUATION frames are despatched with out the ultimate END_HEADERS flag which might have repercussions on affected servers.”
The problem impacts a number of tasks comparable to amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Site visitors Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Customers are really helpful to improve affected software program to the most recent model to mitigate potential threats. Within the absence of a repair, it is suggested to think about quickly disabling HTTP/2 on the server.
