InfoSecBulletin Cybersecurity for mankind
The HTTP/2 protocol has a vulnerability in the CONTINUATION frame that allows for denial-of-service (DoS) attacks. Security researcher Bartek Nowotarski named this technique HTTP/2 CONTINUATION Flood and reported it to the CERT Coordination Center (CERT/CC) on January 25, 2024.
“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream,” CERT/CC said in an advisory on April 3, 2024.
CVE-2024-51503
Trend Micro released updates for Deep Security Agent RCE
Apple Releases Patch for two Actively Exploited Zero-Day
Maxar Space Data Leak, Company admit, Investigation ongoing!
GitHub CLI Vulnerability Could Allow RCE
“Sarcoma” ransomware group
Hacker to disclose “Popular Life Insurance” 36 GB of stolen data
BugHunt 2024: A Milestone Cyber security Competition held at Dhaka
TP-Link DHCP Vulnerability Allow Attackers Takeover Routers Remotely
WSJ reports
T-Mobile hacked in massive breach of telecom networks
Palo Alto Networks Confirms critical RCE zero-day actively exploited
CISA, FBI Warns
Hacker compromised multiple teleco network at US
“An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.”
Just like in HTTP/1, HTTP/2 also utilizes header fields in requests and responses. These header fields can form header lists, which are then serialized and divided into header blocks. These header blocks are further segmented into block fragments and transmitted within HEADER frames or CONTINUATION frames.
“The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments,” the documentation for RFC 7540 reads.
“Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set.”
The END_HEADERS flag set in the last frame signals the remote endpoint that it’s the end of the header block.
Nowotarski states that the CONTINUATION Flood is a more serious threat compared to the Rapid Reset attack that was revealed in October 2023.
“A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation,” the researcher said. “Remarkably, requests that constitute an attack are not visible in HTTP access logs.”
The vulnerability is related to how HEADERS and multiple CONTINUATION frames are handled, which can lead to a DoS condition. Essentially, an attacker can create a never-ending stream of headers by sending HEADERS and CONTINUATION frames without the END_HEADERS flag, causing the HTTP/2 server to continuously parse and store them in memory.
While the exact outcome varies depending on the implementation, impacts range from instant crash after sending a couple of HTTP/2 frames and out of memory crash to CPU exhaustion, thereby affecting server availability.
“RFC 9113 […] mentions multiple security issues that may arise if CONTINUATION frames are not handled correctly,” Nowotarski said.
“At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag which can have repercussions on affected servers.”
The issue impacts several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Upgrade affected software to the latest version for protection against potential threats. If no solution is available, consider temporarily disabling HTTP/2 on the server.
Source: CERT coordination center, thehackernews
