New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct denial-of-service (DoS) attacks.
The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.
“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream,” CERT/CC stated in an advisory on April 3, 2024.
“An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.”
As in HTTP/1, HTTP/2 uses header fields within requests and responses. These header fields can contain header lists, which in turn are serialized and broken into header blocks. The header blocks are then divided into block fragments and transmitted within HEADERS or what are called CONTINUATION frames.
“The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments,” the documentation for RFC 7540 reads.
“Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set.”
The final frame containing headers can have the END_HEADERS flag set, which signals to the remote endpoint that it is the end of the header block.
According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities within multiple HTTP/2 protocol implementations that pose a more severe threat compared to the Rapid Reset attack that came to light in October 2023.
“A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation,” the researcher stated. “Remarkably, requests that constitute an attack are not visible in HTTP access logs.”
The vulnerability, at its core, has to do with incorrect handling of HEADERS and multiple CONTINUATION frames that pave the way for a DoS condition.
In other words, an attacker can initiate a new HTTP/2 stream against a target server using a vulnerable implementation and send HEADERS and CONTINUATION frames with no END_HEADERS flag set, creating an endless stream of headers that the HTTP/2 server would need to parse and store in memory.
While the exact outcome varies depending on the implementation, impacts range from an instant crash after sending a few HTTP/2 frames and out-of-memory crashes to CPU exhaustion, thereby affecting server availability.
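As an added illustration (not code from the article or from any of the affected projects) of the limit the advisory says many implementations lack: a minimal HTTP/2 frame walker that caps the number of CONTINUATION frames and the total bytes of a single header block per stream, rejecting a block that keeps arriving without END_HEADERS. The frame encoder, the limit values and the sample byte strings are constructed assumptions for this demonstration.

```python
import struct
HEADERS, CONTINUATION = 0x1, 0x9          # frame types (RFC 7540 s6.2, s6.10)
END_HEADERS = 0x4                          # flag that closes a header block
MAX_HEADER_BLOCK = 16 * 1024               # assumed policy: max bytes per header block
MAX_CONTINUATION = 8                       # assumed policy: max CONTINUATION frames per block

def frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, sid, data[off + 9:off + 9 + length]
        off += 9 + length

def check_header_blocks(data, max_bytes=MAX_HEADER_BLOCK, max_cont=MAX_CONTINUATION):
    """Return ("ok", completed_blocks) or ("reject", reason). Limits are checked on every
    frame, so an unterminated block is cut off after max_cont frames or max_bytes bytes."""
    pending = None      # [stream_id, bytes_so_far, continuation_count] of the open block
    blocks = 0
    for ftype, flags, sid, payload in iter_frames(data):
        if pending is None:
            if ftype == CONTINUATION:
                return "reject", f"CONTINUATION without open header block on stream {sid}"
            if ftype != HEADERS:
                continue        # other frame types are not part of a header block
            pending = [sid, 0, 0]
        elif ftype != CONTINUATION or sid != pending[0]:
            return "reject", f"frame type {ftype:#x} on stream {sid} interrupts open block"
        else:
            pending[2] += 1
        pending[1] += len(payload)
        if pending[1] > max_bytes:
            return "reject", f"header block over {max_bytes} bytes on stream {pending[0]}"
        if pending[2] > max_cont:
            return "reject", f"over {max_cont} CONTINUATION frames on stream {pending[0]}"
        if flags & END_HEADERS:
            pending, blocks = None, blocks + 1
    return ("ok", blocks) if pending is None else ("reject", "input ended with open header block")

# Constructed samples: a benign two-frame header block, and a flood that never sets END_HEADERS.
BENIGN = frame(HEADERS, 0, 1, b"x" * 100) + frame(CONTINUATION, END_HEADERS, 1, b"y" * 50)
FLOOD = frame(HEADERS, 0, 3, b"x" * 100) + b"".join(frame(CONTINUATION, 0, 3, b"z" * 1000) for _ in range(50))
```

A real server would additionally bound the time a header block may stay open, since a slow trickle of small frames stays under both counters for a while.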
“RFC 9113 […] mentions multiple security issues that may arise if CONTINUATION frames are not handled correctly,” Nowotarski stated.
“At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag which can have repercussions on affected servers.”
The issue affects several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Users are recommended to upgrade affected software to the latest version to mitigate potential threats. In the absence of a fix, it is advised to consider temporarily disabling HTTP/2 on the server.