New attack allows hackers to crash a site in seconds over a single connection


Mélina LOUPIA

April 5, 2024 at 1:41 p.m.


A few seconds and a connection are enough for hackers to crash a site - © DC Studio / Shutterstock


Recently identified security vulnerabilities in the HTTP/2 protocol, known as “CONTINUATION Flood”, can be used to trigger denial of service (DoS) attacks. In certain configurations, a single TCP connection is enough to crash a web server.

HTTP/2, an evolution of the HTTP protocol standardized in 2015, was developed to optimize web performance. It introduces binary framing for more efficient data transmission, multiplexing to allow multiple requests and responses over a single connection, and header compression to reduce overhead.

The recently discovered “CONTINUATION Flood” vulnerabilities were highlighted by researcher Bartek Nowotarski, from the specialist security site nowotarski.info. The flaws stem from the handling of HTTP/2 CONTINUATION frames, which many implementations of the protocol do not properly check or limit. But how dangerous are these flaws?

How the CONTINUATION Flood attack works

HTTP/2 messages include header and trailer sections that are serialized as blocks. A block can be fragmented across several frames for transmission, with CONTINUATION frames carrying the fragments that the receiver reassembles into the complete block.

However, because many implementations do not adequately check these frames, an attacker can send an extremely long sequence of them simply by never setting the END_HEADERS flag.

“Implementations without header timeouts required only a single HTTP/2 connection to crash the server,” warns the researcher, who adds: “Given that Cloudflare Radar estimates HTTP traffic data to be greater than 70% of all Internet transfers and the importance of the projects affected, I think we can assume that a large portion of the Internet has been affected by an easy-to-exploit vulnerability: in many cases, a single TCP connection was enough to crash the server.”

The result is a server crash caused by out-of-memory failures, or exhaustion of CPU resources while the server processes these frames.
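The kind of limit that the affected implementations did not enforce, as an added Python example that is not from the original article, the researcher or any affected project: it parses raw HTTP/2 frames and rejects a connection as soon as one header block exceeds a size or fragment cap, without waiting for END_HEADERS. The caps, function names and sample frames are assumptions constructed for illustration, and HEADERS padding and priority fields are ignored.

```python
HEADERS, CONTINUATION = 0x1, 0x9   # frame types (RFC 9113)
END_HEADERS = 0x4                  # flag: header block is complete
MAX_HEADER_BLOCK = 16 * 1024       # assumed cap on one header block, in bytes
MAX_CONTINUATIONS = 8              # assumed cap on CONTINUATION frames per block

def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if pos + 9 + length > len(data):
            break  # truncated frame: a real server would wait for more bytes
        yield ftype, flags, stream_id, data[pos + 9:pos + 9 + length]
        pos += 9 + length

def check_connection(data):
    """Return 'ok', or the reason the connection should be closed."""
    open_stream, size, fragments = None, 0, 0
    for ftype, flags, stream_id, payload in parse_frames(data):
        if ftype == HEADERS:
            if open_stream is not None:
                return "protocol error: HEADERS inside an open header block"
            open_stream, size, fragments = stream_id, len(payload), 0
        elif ftype == CONTINUATION:
            if open_stream != stream_id:
                return "protocol error: unexpected CONTINUATION"
            size, fragments = size + len(payload), fragments + 1
        elif open_stream is not None:
            return "protocol error: frame interleaved in header block"
        else:
            continue
        # Enforce the caps on every fragment, before END_HEADERS is ever seen.
        if size > MAX_HEADER_BLOCK or fragments > MAX_CONTINUATIONS:
            return f"header block limit exceeded after {fragments} CONTINUATION frames"
        if flags & END_HEADERS:
            open_stream = None
    return "ok"

# Constructed samples (payload bytes are filler, not real HPACK data):
NORMAL = frame(HEADERS, 0, 1, b"a" * 100) + frame(CONTINUATION, END_HEADERS, 1, b"b" * 100)
UNTERMINATED = frame(HEADERS, 0, 1, b"a" * 100) + frame(CONTINUATION, 0, 1, b"b" * 100) * 20

if __name__ == "__main__":
    print(check_connection(NORMAL), "|", check_connection(UNTERMINATED))
```

Because the verdict is reached while the header block is still open, it does not depend on the request ever completing or reaching an access log.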

HTTP/2, an evolution of the HTTP protocol standardized in 2015, was developed to optimize web performance - © Maram / Shutterstock


An upgrade as protection while waiting for patches

An alert published this Thursday, April 4, 2024 by the CERT Coordination Center (CERT-CC) lists several CVE identifiers corresponding to different HTTP/2 implementations vulnerable to these attacks. These implementations allow different levels of denial of service attacks, including memory leaks, memory consumption, and CPU overload.

According to CERT-CC, HTTP/2 vendors and libraries confirmed to be affected by at least one of the listed CVEs include Red Hat, SUSE Linux, Arista Networks, Apache HTTP Server Project, nghttp2, Node.js, AMPHP and the Go programming language. Bartek Nowotarski argues that the problem is more serious than the “HTTP/2 Rapid Reset” attack revealed last October by the main cloud service providers, which has been actively exploited since August 2023.

Additionally, the researcher warns that the issue would be complex for server administrators without proper HTTP/2 knowledge to debug and mitigate. Indeed, malicious requests would not be visible in the access logs if advanced frame analysis was not enabled on the server, which is not the case in most configurations.

An urgent upgrade is vital, before vulnerabilities are exploited by hackers.


Source : Bleeping Computer, Nowotarski, CERT Coordination Center
