You can now find Cyber Kendra on Google News!

New HTTP/2 Vulnerability Poses Severe Threat to Server Availability

A recently discovered class of vulnerabilities within numerous HTTP/2 protocol implementations, dubbed the "CONTINUATION Flood," has been found to pose a more severe threat compared to the previous "Rapid Reset" attack.

Security researcher Bartek Nowotarski has conducted a deep technical analysis of this vulnerability, revealing its potential to disrupt server availability with alarming ease.

HTTP/2 CONTINUATION Flood Flaw

The CONTINUATION Flood vulnerability exploits the handling of HEADERS and CONTINUATION frames in the HTTP/2 protocol.

By sending a stream of HEADERS frames followed by CONTINUATION frames without setting the END_HEADERS flag, an attacker can create an infinite stream of headers that the server must parse and store in memory. This leads to various adverse outcomes, including:

  1. CPU Exhaustion: The processing of extra headers causes increased CPU usage, resulting in server slowness or complete unresponsiveness.
  2. Out-of-Memory Crashes: Headers from CONTINUATION frames are stored in memory, and without proper limits or timeouts, an attacker can force the server to consume memory indefinitely, leading to crashes.
  3. Crash with Minimal Frames: In some implementations, just a few maliciously crafted frames can crash the server due to bugs in connection handling.
  4. Out-of-memory crash using a single connection. Some implementations simply kept reading headers into memory until memory was full which forced the OS to kill the process.

Notably, requests constituting an attack are not visible in HTTP access logs, making this vulnerability particularly difficult to detect and debug.

Severity and Potential Impact

The CONTINUATION Flood vulnerability has been found in numerous HTTP/2 implementations, including major servers like Apache httpd, Envoy, and various HTTP/2 packages or codecs. In many cases, a single machine, or even a single TCP connection, has the potential to completely disrupt server availability.

Given that HTTP/2 traffic accounts for around 60% of all human HTTP traffic, the potential impact of this vulnerability is significant. Large portions of the internet, including critical business and government APIs and websites, could be affected, potentially incurring millions of dollars in losses or causing chaos in case of targeted attacks.

Coordinated Disclosure and Mitigation

Due to the severity and widespread nature of this vulnerability, CERT/CC has opened a Vulnerability Coordination case to track the issue and facilitate responsible disclosure. Working with technology giants and open-source projects, the researcher has been able to identify and address the vulnerability in multiple implementations.

Server administrators are advised to update their HTTP/2 implementations to the latest patched versions and to monitor for any unusual traffic patterns. Implementing proper rate limiting and frame size limits can help mitigate the impact of potential attacks.

Conclusion

The discovery of the CONTINUATION Flood vulnerability highlights the importance of continuous security research and responsible disclosure in ensuring the safety and stability of the internet.

As HTTP/2 continues to gain widespread adoption, developers and server administrators must remain vigilant and proactive in addressing potential security risks. By working together and sharing knowledge, the tech community can build a more secure and resilient internet for all.

Post a Comment