HTTP/2 CONTINUATION Frames Vulnerability

Fortiguard Security Advisory

HTTP CONTINUATION Flood can be used to launch a serious DoS attack that can cause the crash of the target server with just one attacking machine (or even one TCP connection to the target).It works by:- initiating an HTTP stream against the target- then sending headers and CONTINUATION frames with no END_HEADERS flag set – that creates a never ending stream that could even cause an instant crashThis works because there’s many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream.CVE-2024-27316 for Apache HTTP Server (httpd):HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.CVE-2024-24549 for Apache Tomcat:When processing an HTTP/2 request, if the request exceeded any of theconfigured limits for headers, the associated HTTP/2 stream was notreset until after all of the headers had been processed.CVE-2024-30255 for Envoy proxy (nghttp2):Envoy’s HTTP/2 codec allows the peer to send an unlimited number of CONTINUATION frames even after exceeding Envoy’s header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic.CVE-2023-45288 for Golang:An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request’s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.CVE-2024-28182 for nghttp2:nghttp2 library keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream.CVE-2024-27983 for Node.js:An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.CVE-2024-3302 for Firefox:There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser.


Leave a Reply

Your email address will not be published. Required fields are marked *