CERT/CC VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://kb.cert.org/vuls/id/421644 announces:

> HTTP/2 CONTINUATION frames can be utilized for DoS attacks
> ==========================================================
>
> Vulnerability Note VU#421644
> Original Release Date: 2024-04-03 | Last Revised: 2024-04-03
>
> Overview
> --------
>
> HTTP allows messages to include named fields in both header and
> trailer sections. These header and trailer fields are serialised as
> field blocks in HTTP/2, so that they can be transmitted in multiple
> fragments to the target implementation. Many HTTP/2 implementations do
> not properly limit or sanitize the amount of CONTINUATION frames sent
> within a single stream. An attacker that can send packets to a target
> server can send a stream of CONTINUATION frames that will not be
> appended to the header list in memory but will still be processed and
> decoded by the server or will be appended to the header list, causing
> an out of memory (OOM) crash.
>
> Description
> -----------
>
> HTTP/2 utilizes header fields within HTTP request and response
> messages. Header fields can comprise header lists, which in turn are
> broken into header blocks. These header blocks are transmitted in
> multiple fragments to the target implementation. HTTP/2 CONTINUATION
> frames are used to continue a sequence of field block fragments. They
> are utilized in order to split header blocks across multiple
> frames. The other two types of header block fragments are HEADERS or
> PUSH_PROMISE. CONTINUATION frames can be utilized to continue a header
> block fragment that could not be transmitted by the HEADERS or
> PUSH_PROMISE frames. A header block is considered completed when the
> server receives a set END_HEADERS flag. This is intended to denote
> that there are no further CONTINUATION, HEADERS, or PUSH_PROMISE
> frames. A vulnerability has been discovered within multiple
> implementations that does not limit the amount of CONTINUATION frames
> that can be sent within a single stream.
>
> The implementation will continue to receive frames as long as the
> END_HEADERS flag is not set during these communications. An attacker
> can initialize a connection to a server with typical HTTP/2 frames and
> then receive initial frames from the server. The attacker can then
> begin an HTTP request with no set END_HEADERS flags. This can allow an
> attacker to send a stream of CONTINUATION frames to the target server,
> which can result in an out-of-memory crash, enabling an attacker to
> launch a denial of service (DoS) attack against a target server using
> a vulnerable implementation.
>
> Additionally, an attacker can send HPACK Huffman encoded CONTINUATION
> frames to a target implementation. This can cause CPU resource
> exhaustion and result in a DoS as the the CPU must decode every
> encoded frame that it receives.
>
> Below are several CVE listings to reflect the vulnerability within
> different implementations.
>
> CVE-2024-27983
>
> An attacker can make the Node.js HTTP/2 server unavailable by sending
> a small amount of HTTP/2 frames packets with a few HTTP/2 frames
> inside. It is possible to leave some data in nghttp2 memory after
> reset when headers with HTTP/2 CONTINUATION frame are sent to the
> server and then a TCP connection is abruptly closed by the client
> triggering the Http2Session destructor while header frames are still
> being processed (and stored in memory) causing a race condition.
>
> CVE-2024-27919
>
> Envoy's oghttp codec does not reset a request when header map limits
> have been exceeded. This allows an attacker to send an sequence of
> CONTINUATION frames without the END_HEADERS bit set causing unlimited
> memory consumption.
>
> CVE-2024-2758
>
> Tempesta FW rate limits are not enabled by default. They are either
> set too large to capture empty CONTINUATION frames attacks or too
> small to handle normal HTTP requests appropriately.
>
> CVE-2024-2653
>
> amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded
> buffer and will not check the header size limit until it has received
> the END_HEADERS flag, resulting in an OOM crash. amphp/http-client and
> amphp/http-server are indirectly affected if they're used with an
> unpatched version of amphp/http. Early versions of amphp/http-client
> with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.
>
> CVE-2023-45288
>
> The Go packages net/http and net/http2 packages do not limit the
> number of CONTINUATION frames read for an HTTP/2 request, which
> permits an attacker to provide an arbitrarily large set of headers for
> a single request, that will be read, decoded, and subsequently
> discarded, which may result in excessive CPU consumption.
>
> CVE-2024-28182
>
> An implementation using the nghttp2 library will continue to receive
> CONTINUATION frames, and will not callback to the application to allow
> visibility into this information before it resets the stream,
> resulting in a DoS.
>
> CVE-2024-27316
>
> HTTP/2 CONTINUATION frames without the END_HEADERS flag set can be
> sent in a continuous stream by an attacker to an Apache Httpd
> implementation, which will not properly terminate the request early.
>
> CVE-2024-31309
>
> HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to
> consume more resources on the server. Version from 8.0.0 through
> 8.1.9, from 9.0.0 through 9.2.3 are affected.
>
> CVE-2024-30255
>
> HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier are
> vulnerable to CPU exhaustion due to flood of CONTINUATION
> frames. Envoys HTTP/2 codec allows the client to send an unlimited
> number of CONTINUATION frames even after exceeding Envoys header map
> limits. This allows an attacker to send a sequence of CONTINUATION
> frames without the END_HEADERS bit set causing CPU utilization,
> consuming approximately 1 core per 300Mbit/s of traffic.
>
> Impact
> ------
>
> Successful exploitation of this vulnerability can allow an attacker
> the capability to launch DoS attacks against servers utilizing
> vulnerable implementations.
>
> Solution
> --------
>
> Different HTTP/2 implementations may have separate, unique
> vulnerabilities specific to that implementation. It is important to
> note that it may be difficult to analyze incoming malicious traffic
> exploiting this vulnerability as the HTTP request is not properly
> completed. Analysis of raw HTTP traffic may be necessary to determine
> an attack utilizing this vulnerability.
>
> Acknowledgements
> ----------------
>
> Thank you to Bartek Nowotarski for reporting the vulnerability.
> This document was written by Christopher Cullen.

https://kb.cert.org/vuls/id/421644 has links to further information
from various vendors about how this affects their products.

The writeup from the researcher who found & reported this is at
https://nowotarski.info/http2-continuation-flood-technical-details/

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris