New analysis has discovered that the CONTINUATION body within the HTTP/2 protocol may be exploited to conduct denial-of-service (DoS) assaults.
The method has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the problem to the CERT Coordination Heart (CERT/CC) on January 25, 2024.
“Many HTTP/2 implementations don’t correctly restrict or sanitize the quantity of CONTINUATION frames despatched inside a single stream,” CERT/CC stated in an advisory on April 3, 2024.
“An attacker that may ship packets to a goal server can ship a stream of CONTINUATION frames that won’t be appended to the header listing in reminiscence however will nonetheless be processed and decoded by the server or shall be appended to the header listing, inflicting an out of reminiscence (OOM) crash.”
Like in HTTP/1, HTTP/2 makes use of header fields inside requests and responses. These header fields can comprise header lists, which in flip, are serialized and damaged into header blocks. The header blocks are then divided into block fragments and transmitted inside HEADER or what’s referred to as CONTINUATION frames.
“The CONTINUATION body (sort=0x9) is used to proceed a sequence of header block fragments,” the documentation for RFC 7540 reads.
“Any variety of CONTINUATION frames may be despatched, so long as the previous body is on the identical stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION body with out the END_HEADERS flag set.”
The final body containing headers could have the END_HEADERS flag set, which alerts the distant endpoint that it is the finish of the header block.
Based on Nowotarski, CONTINUATION Flood is a category of vulnerabilities inside a number of HTTP/2 protocol implementations that pose a extra extreme menace in comparison with the Speedy Reset assault that got here to gentle in October 2023.
“A single machine (and in sure situations, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with penalties starting from server crashes to substantial efficiency degradation,” the researcher stated. “Remarkably, requests that represent an assault should not seen in HTTP entry logs.”
The vulnerability, at its core, has to do with incorrect dealing with of HEADERS and a number of CONTINUATION frames that pave the best way for a DoS situation.
In different phrases, an attacker can provoke a brand new HTTP/2 stream towards a goal server utilizing a weak implementation and ship HEADERS and CONTINUATION frames with no set END_HEADERS flag, making a unending stream of headers that the HTTP/2 server would wish to parse and retailer in reminiscence.
Whereas the precise end result varies relying on the implementation, impacts vary from immediate crash after sending a few HTTP/2 frames and out of reminiscence crash to CPU exhaustion, thereby affecting server availability.
“RFC 9113 […] mentions a number of security points which will come up if CONTINUATION frames should not dealt with appropriately,” Nowotarski stated.
“On the similar time, it doesn’t point out a particular case by which CONTINUATION frames are despatched with out the ultimate END_HEADERS flag which might have repercussions on affected servers.”
The difficulty impacts a number of initiatives corresponding to amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Visitors Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Customers are really useful to improve affected software program to the most recent model to mitigate potential threats. Within the absence of a repair, it is suggested to contemplate quickly disabling HTTP/2 on the server.
