New analysis has discovered that the CONTINUATION body within the HTTP/2 protocol will be exploited to conduct denial-of-service (DoS) assaults.
The approach has been codenamed HTTP/2 CONTINUATION Flood by safety researcher Bartek Nowotarski, who reported the difficulty to the CERT Coordination Middle (CERT/CC) on January 25, 2024.
“Many HTTP/2 implementations don’t correctly restrict or sanitize the quantity of CONTINUATION frames despatched inside a single stream,” CERT/CC mentioned in an advisory on April 3, 2024.
“An attacker that may ship packets to a goal server can ship a stream of CONTINUATION frames that won’t be appended to the header record in reminiscence however will nonetheless be processed and decoded by the server or might be appended to the header record, inflicting an out of reminiscence (OOM) crash.”
Like in HTTP/1, HTTP/2 makes use of header fields inside requests and responses. These header fields can comprise header lists, which in flip, are serialized and damaged into header blocks. The header blocks are then divided into block fragments and transmitted inside HEADERS or what’s referred to as CONTINUATION frames.
“The CONTINUATION body (sort=0x9) is used to proceed a sequence of header block fragments,” the documentation for RFC 7540 reads.
“Any variety of CONTINUATION frames will be despatched, so long as the previous body is on the identical stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION body with out the END_HEADERS flag set.”
The final body containing headers can have the END_HEADERS flag set, which alerts the distant endpoint that it is the finish of the header block.
Based on Nowotarski, CONTINUATION Flood is a category of vulnerabilities inside a number of HTTP/2 protocol implementations that pose a extra extreme menace in comparison with the Speedy Reset assault that got here to mild in October 2023.
“A single machine (and in sure situations, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with penalties starting from server crashes to substantial efficiency degradation,” the researcher mentioned. “Remarkably, requests that represent an assault will not be seen in HTTP entry logs.”
The vulnerability, at its core, has to do with incorrect dealing with of HEADERS and a number of CONTINUATION frames that pave the best way for a DoS situation.
In different phrases, an attacker can provoke a brand new HTTP/2 stream towards a goal server utilizing a weak implementation and ship HEADERS and CONTINUATION frames with no set END_HEADERS flag, making a endless stream of headers that the HTTP/2 server would want to parse and retailer in reminiscence.
Whereas the precise final result varies relying on the implementation, impacts vary from on the spot crash after sending a few HTTP/2 frames and out of reminiscence crash to CPU exhaustion, thereby affecting server availability.
“RFC 9113 […] mentions a number of safety points that will come up if CONTINUATION frames will not be dealt with appropriately,” Nowotarski mentioned.
“On the identical time, it doesn’t point out a particular case through which CONTINUATION frames are despatched with out the ultimate END_HEADERS flag which might have repercussions on affected servers.”
The difficulty impacts a number of initiatives equivalent to amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Site visitors Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Customers are really helpful to improve affected software program to the most recent model to mitigate potential threats. Within the absence of a repair, it is suggested to think about briefly disabling HTTP/2 on the server.
