The Cyber Security News

New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks

April 4, 2024

New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct denial-of-service (DoS) attacks.

The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.

“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream,” CERT/CC said in an advisory on April 3, 2024.

“An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server, or will be appended to the header list, resulting in an out of memory (OOM) crash.”

Like HTTP/1, HTTP/2 uses header fields inside requests and responses. These header fields can comprise header lists, which in turn are serialized and broken into header blocks. The header blocks are then divided into block fragments and transmitted inside HEADERS or CONTINUATION frames.

“The CONTINUATION body (form=0x9) is utilized to continue a sequence of header block fragments,” the documentation for RFC 7540 reads.


“Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set.”

The last frame containing headers will have the END_HEADERS flag set, which signals to the remote endpoint that it is the end of the header block.

According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities within several HTTP/2 protocol implementations that poses a more severe threat than the Rapid Reset attack that came to light in October 2023.

“A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation,” the researcher said. “Remarkably, requests that constitute an attack are not visible in HTTP access logs.”

The vulnerability, at its core, has to do with incorrect handling of HEADERS and multiple CONTINUATION frames, which paves the way for a DoS condition.

In other words, an attacker can initiate a new HTTP/2 stream against a target server using a vulnerable implementation and send HEADERS and CONTINUATION frames with no END_HEADERS flag set, creating a never-ending stream of headers that the HTTP/2 server would need to parse and store in memory.

While the exact outcome differs depending on the implementation, impacts range from an instant crash after sending a couple of HTTP/2 frames and an out of memory crash to CPU exhaustion, thereby affecting server availability.
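As an added illustration (not code from the article or from any of the affected projects), the following Python sketch shows the kind of per-stream bound a server can enforce against this flood: it walks a byte string of HTTP/2 frames, tracks the header block currently being assembled, and rejects the sequence once CONTINUATION frames or accumulated header-block bytes exceed a limit, when a CONTINUATION arrives on a different stream, or when the block is never closed with END_HEADERS. The frame builder, sample frames and limit values are constructed for the example.

```python
import struct

# Frame types and the END_HEADERS flag as defined in RFC 7540 / RFC 9113
HEADERS, PUSH_PROMISE, CONTINUATION = 0x1, 0x5, 0x9
END_HEADERS = 0x4

def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def check_header_blocks(data, max_continuations=8, max_block_bytes=16384):
    """Return (ok, reason) for a byte stream of frames, bounding the number of
    CONTINUATION frames and header-block bytes per open block (constructed limits)."""
    pos, open_stream, frags, total = 0, None, 0, 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        pos += 9 + length
        if pos > len(data):
            return False, "truncated frame"
        # While a header block is open, only CONTINUATION on the same stream is legal
        if open_stream is not None and (ftype != CONTINUATION or stream_id != open_stream):
            return False, "expected CONTINUATION on stream %d" % open_stream
        if ftype in (HEADERS, PUSH_PROMISE):
            open_stream, frags, total = stream_id, 0, length
        elif ftype == CONTINUATION:
            if open_stream is None:
                return False, "CONTINUATION without preceding HEADERS"
            frags += 1
            total += length
            if frags > max_continuations:
                return False, "too many CONTINUATION frames"
        else:
            continue  # DATA, SETTINGS, etc. carry no header fragments
        if total > max_block_bytes:
            return False, "header block exceeds limit"
        if flags & END_HEADERS:
            open_stream = None  # block complete; memory for it can be released
    if open_stream is not None:
        return False, "header block never terminated with END_HEADERS"
    return True, "ok"

# Constructed samples: a well-formed block and a flood that never sets END_HEADERS
GOOD = build_frame(HEADERS, 0, 1, b"\x82") + build_frame(CONTINUATION, END_HEADERS, 1, b"\x86")
FLOOD = build_frame(HEADERS, 0, 1, b"\x82") + 20 * build_frame(CONTINUATION, 0, 1, b"\x00" * 100)
```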

“RFC 9113 […] mentions several security issues that might crop up if CONTINUATION frames are not handled correctly,” Nowotarski said.


“At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag, which can have repercussions on affected servers.”

The issue affects several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).

Users are recommended to upgrade affected software to the latest version to mitigate potential threats. In the absence of a fix, it is advisable to consider temporarily disabling HTTP/2 on the server.

Some components of this report are sourced from:
thehackernews.com
