New analysis has discovered that the CONTINUATION body within the HTTP/2 protocol will be exploited to conduct denial-of-service (DoS) assaults.
The approach has been codenamed HTTP/2 CONTINUATION Flood by safety researcher Bartek Nowotarski, who reported the difficulty to the CERT Coordination Middle (CERT/CC) on January 25, 2024.
“Many HTTP/2 implementations don’t correctly restrict or sanitize the quantity of CONTINUATION frames despatched inside a single stream,” CERT/CC mentioned in an advisory on April 3, 2024.
“An attacker that may ship packets to a goal server can ship a stream of CONTINUATION frames that won’t be appended to the header listing in reminiscence however will nonetheless be processed and decoded by the server or can be appended to the header listing, inflicting an out of reminiscence (OOM) crash.”
Like in HTTP/1, HTTP/2 makes use of header fields inside requests and responses. These header fields can comprise header lists, which in flip, are serialized and damaged into header blocks. The header blocks are then divided into block fragments and transmitted inside HEADER or what’s referred to as CONTINUATION frames.
“The CONTINUATION body (sort=0x9) is used to proceed a sequence of header block fragments,” the documentation for RFC 7540 reads.
“Any variety of CONTINUATION frames will be despatched, so long as the previous body is on the identical stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION body with out the END_HEADERS flag set.”
The final body containing headers could have the END_HEADERS flag set, which indicators the distant endpoint that it is the finish of the header block.
In keeping with Nowotarski, CONTINUATION Flood is a category of vulnerabilities inside a number of HTTP/2 protocol implementations that pose a extra extreme risk in comparison with the Speedy Reset assault that got here to mild in October 2023.
“A single machine (and in sure cases, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with penalties starting from server crashes to substantial efficiency degradation,” the researcher mentioned. “Remarkably, requests that represent an assault usually are not seen in HTTP entry logs.”
The vulnerability, at its core, has to do with incorrect dealing with of HEADERS and a number of CONTINUATION frames that pave the best way for a DoS situation.
In different phrases, an attacker can provoke a brand new HTTP/2 stream towards a goal server utilizing a susceptible implementation and ship HEADERS and CONTINUATION frames with no set END_HEADERS flag, making a unending stream of headers that the HTTP/2 server would wish to parse and retailer in reminiscence.
Whereas the precise consequence varies relying on the implementation, impacts vary from immediate crash after sending a few HTTP/2 frames and out of reminiscence crash to CPU exhaustion, thereby affecting server availability.
“RFC 9113 […] mentions a number of safety points which will come up if CONTINUATION frames usually are not dealt with accurately,” Nowotarski mentioned.
“On the similar time, it doesn’t point out a particular case during which CONTINUATION frames are despatched with out the ultimate END_HEADERS flag which may have repercussions on affected servers.”
The difficulty impacts a number of tasks similar to amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Visitors Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Customers are really useful to improve affected software program to the newest model to mitigate potential threats. Within the absence of a repair, it is suggested to think about quickly disabling HTTP/2 on the server.
