Saturday , June 15 2024
http/2

New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks

The HTTP/2 protocol has a vulnerability in the CONTINUATION frame that allows for denial-of-service (DoS) attacks. Security researcher Bartek Nowotarski named this technique HTTP/2 CONTINUATION Flood and reported it to the CERT Coordination Center (CERT/CC) on January 25, 2024.

“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream,” CERT/CC said in an advisory on April 3, 2024.

ASUS warn serious security vulnerability on 7 routers

ASUS released a new firmware update to fix a vulnerability affecting seven router models, which could be exploited by remote...
Read More
ASUS warn serious security vulnerability on 7 routers

AWS Announced New Malware Detection Tool For S3 Buckets

AWS announced new security features at its re:Inforce conference, such as identity and malware protection services. The cloud giant added...
Read More
AWS Announced New Malware Detection Tool For S3 Buckets

150,000 phones registered under one IMEI number in Bangladesh

A smartphone's IMEI (which stands for International Mobile Equipment Identity) is a unique identifier for each device, similar to a...
Read More
150,000 phones registered under one IMEI number in Bangladesh

CISA Releases Twenty Industrial Control Systems Advisories

CISA released 20 advisories about Industrial Control Systems (ICS) on June 13, 2024. These advisories give important information about security...
Read More
CISA Releases Twenty Industrial Control Systems Advisories

Current web vulnerabilities in Bangladesh across vendor product line

On a report titled "Surge on Web defacement and web application related vulnerabilities targeting Bangladesh" BGD e-GOV CIRT said, web...
Read More
Current web vulnerabilities in Bangladesh across vendor product line

Criminals impersonating CISA’s employees in phone calls

CISA warned that criminals are pretending to be its employees in phone calls in order to trick people into sending...
Read More
Criminals impersonating CISA’s employees in phone calls

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA added 2 new vulnerabilities to its catalog of known exploited vulnerabilities, because they have proof that these vulnerabilities are...
Read More
CISA Adds Two Known Exploited Vulnerabilities to Catalog

Microsoft Tuesday fixes 51 flaws, 18 RCEs June 2024 Patch

Microsoft has released updates for 49 security vulnerabilities in its Patch Tuesday update for June. One of the fixes addresses...
Read More
Microsoft Tuesday fixes 51 flaws, 18 RCEs June 2024 Patch

Hackers breached 20,000 FortiGate systems worldwide: MIVD

The Dutch military security service MIVD recently revealed that a cyber espionage campaign, which was initially mentioned in February, managed...
Read More
Hackers breached 20,000 FortiGate systems worldwide: MIVD

Riskiest Connected Devices in 2024: Forescout Report

By 2028, there will be over 25 billion Internet of Things (IoT) devices. Attackers are increasingly targeting various devices, operating systems,...
Read More
Riskiest Connected Devices in 2024: Forescout Report

“An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.”

Just like in HTTP/1, HTTP/2 also utilizes header fields in requests and responses. These header fields can form header lists, which are then serialized and divided into header blocks. These header blocks are further segmented into block fragments and transmitted within HEADER frames or CONTINUATION frames.

“The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments,” the documentation for RFC 7540 reads.

“Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set.”

The END_HEADERS flag set in the last frame signals the remote endpoint that it’s the end of the header block.

Nowotarski states that the CONTINUATION Flood is a more serious threat compared to the Rapid Reset attack that was revealed in October 2023.

“A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation,” the researcher said. “Remarkably, requests that constitute an attack are not visible in HTTP access logs.”

The vulnerability is related to how HEADERS and multiple CONTINUATION frames are handled, which can lead to a DoS condition. Essentially, an attacker can create a never-ending stream of headers by sending HEADERS and CONTINUATION frames without the END_HEADERS flag, causing the HTTP/2 server to continuously parse and store them in memory.

While the exact outcome varies depending on the implementation, impacts range from instant crash after sending a couple of HTTP/2 frames and out of memory crash to CPU exhaustion, thereby affecting server availability.

“RFC 9113 […] mentions multiple security issues that may arise if CONTINUATION frames are not handled correctly,” Nowotarski said.

“At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag which can have repercussions on affected servers.”

The issue impacts several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).

Upgrade affected software to the latest version for protection against potential threats. If no solution is available, consider temporarily disabling HTTP/2 on the server.

Source: CERT coordination center, thehackernews

Check Also

Singapore-Based Absolute Telecom Allegedly Hit by Cyberattack

GhostR hacker claimed to hack Absolute Telecom PTE Ltd, a Singapore-based telecom company and stole …

Leave a Reply

Your email address will not be published. Required fields are marked *