FG-IR-24-120: HTTP/2 CONTINUATION Frames Vulnerability

First published: Tue May 14 2024(Updated: )

HTTP CONTINUATION Flood can be used to launch a serious DoS attack that can cause the crash of the target server with just one attacking machine (or even one TCP connection to the target). It works by:- initiating an HTTP stream against the target- then sending headers and CONTINUATION frames with no END_HEADERS flag set - that creates a never ending stream that could even cause an instant crash This works because there's many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream. CVE-2024-27316 for Apache HTTP Server (httpd):HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. CVE-2024-24549 for Apache Tomcat:When processing an HTTP/2 request, if the request exceeded any of theconfigured limits for headers, the associated HTTP/2 stream was notreset until after all of the headers had been processed. CVE-2024-30255 for Envoy proxy (nghttp2):Envoy's HTTP/2 codec allows the peer to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic. CVE-2023-45288 for Golang:An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. CVE-2024-28182 for nghttp2:nghttp2 library keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. CVE-2024-27983 for Node.js:An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition. CVE-2024-3302 for Firefox:There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/fortiguard-psirt-latest
• source/FortiGuard
• agent/type
• agent/severity
• agent/title
• agent/last-modified-date
• agent/weakness
• agent/references
• agent/first-publish-date
• agent/softwarecombine
• agent/event
• agent/description
• agent/tags
• collector/fortiguard-psirt
• agent/software-canonical-lookup
• vendor/fortinet
• canonical/fortinet fortiauthenticator
• version/fortinet fortiauthenticator/.
• version/fortinet fortiauthenticator/6.5.0
• version/fortinet fortiauthenticator/6.5.4
• canonical/fortinet fortisandbox
• version/fortinet fortisandbox/4.4.0
• version/fortinet fortisandbox/4.4.5
• canonical/fortinet fortiswitch
• version/fortinet fortiswitch/7.4.0
• version/fortinet fortiswitch/7.4.3