Exploiting HTTP/2 CONTINUATION frames for DoS attacks

SnykSec - Apr 9 - - Dev Community

About the vulnerability

The vulnerability lies in the way HTTP/2 implementations handle CONTINUATION frames, which are used to transmit header blocks larger than the maximum frame size. Attackers exploit this weakness by sending an excessive number of CONTINUATION frames within a single HTTP/2 stream. This flood of frames overwhelms the server's capacity to process them efficiently.

The severity of this vulnerability was highlighted by Bartek Nowotarski, who noted that it poses a more significant threat compared to previous incidents, such as the 'HTTP/2 Rapid Reset' attack. Furthermore, this vulnerability has been actively exploited since August 2023.

What makes this attack particularly concerning is its potential to crash web servers with just a single TCP connection or even just a handful of frames. As a result, affected servers may experience substantial performance degradation or complete unavailability.

This vulnerability affects a wide range of vendors and HTTP/2 libraries, including but not limited to Red Hat, SUSE Linux, Arista Networks, the Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go Programming Language.

Affected versions

Project Affected versions CVE ID
amphp/http >= 2.0.0 && <= 2.1.0, <= 1.7.2 CVE-2024-2653
Apache HTTP Server (httpd) 2.4.17-2.4.58 CVE-2024-27316
Apache Tomcat <=11.0.0-M16, <=10.1.18, <=9.0.85, 8.5.0-8.5.98 CVE-2024-24549
Apache Traffic Server 8.0.0-8.1.9, 9.0.0-9.2.3 CVE-2024-31309
Envoy proxy (oghttp) 1.29.0, 1.29.1 CVE-2024-27919
Envoy proxy (nghttp2) <=1.29.2 CVE-2024-30255
Golang <=1.20, <=1.21.8, <=1.22.1 CVE-2023-45288**
nghttp2 <=1.60.0 CVE-2024-28182
Node.js <=18.20.0, <=20.12.0, <=21.7.1 CVE-2024-27983
Tempesta FW 0.7.0 CVE-2024-2758

Impact

Given the widespread use of HTTP/2 and its prevalence in internet traffic (estimated to be above 70% by Cloudflare Radar), the impact of this vulnerability is significant. It underscores the critical need for prompt patching and robust security measures to mitigate the risk of exploitation and protect web servers from devastating denial of service (DoS) and security restriction bypass attacks.

Mitigation

Update the impacted program to the most recent version, with the vulnerability patched in. If a patch is not available, consider temporarily turning off HTTP/2 on the server.

Solution

Patch and update: Ensure the most recent security updates are applied to your server software, relevant libraries, and HTTP/2 implementations. Check software suppliers' updates frequently, and when updates are available, install them right away to fix known vulnerabilities.

Put rate limiting into practice: Set rate limits to limit the number of requests or frames that may be handled in a given amount of time. This may lessen the effects of heavy traffic or floods.

Analyze and monitor traffic: Keep an eye out for any odd patterns or spikes in incoming traffic that could point to a possible assault. Examine unprocessed HTTP traffic to detect and address malicious requests that take advantage of holes in HTTP/2 implementations.

Use web application firewalls (WAFs): Set up WAFs to filter incoming traffic and stop malicious requests from reaching your server. Set up WAF rules to identify and stop known attack patterns linked to DoS assaults on HTTP/2.

Put network-level defenses into practice: To identify and stop suspicious traffic patterns suggestive of DoS attacks aimed at HTTP/2 implementations, employ network-level defenses like intrusion detection systems (IDS) or intrusion prevention systems (IPS).

Diversify server implementations: Work toward distributing your server implementations among other projects or providers. This can increase resistance to attacks and lessen the effect of vulnerabilities unique to a given implementation.

Detecting vulnerabilities with Snyk

  1. amphp/http (CVE-2024-2653) - Allocation of Resources Without Limits or Throttling
  2. Apache HTTP Server (CVE-2024-27316) - Uncontrolled Resource Consumption ('Resource Exhaustion')
  3. Apache Tomcat (CVE-2024-24549) - Improper Input Validation
  4. Apache Traffic Server (CVE-2024-31309) - Uncontrolled Resource Consumption ('Resource Exhaustion')
  5. Envoy proxy (CVE-2024-27919 and CVE-2024-30255) - Detection of Error Condition Without Action and Uncontrolled Resource Consumption ('Resource Exhaustion')
  6. Golang (CVE-2023-45288) - Resource Exhaustion
  7. h2 Rust crate
  8. nghttp2 (CVE-2024-28182) - Resource Exhaustion
  9. Node.js (CVE-2024-27983)  - Resource Exhaustion
  10. Tempesta FW (CVE-2024-2758) - Allocation of Resources Without Limits or Throttling

References

  1. https://nowotarski.info/
  2. https://nowotarski.info/http2-continuation-flood-technical-details/#reachable-assertion-crash-nodejs-special-case
  3. https://datatracker.ietf.org/doc/html/rfc7540
  4. https://www.securityweek.com/new-http-2-dos-attack-potentially-more-severe-than-record-breaking-rapid-reset/
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .