New research has discovered that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct a denial of service (DoS) attack.
The technique has been codenamed HTTP/2 CONTINUATION Flood. Security researcher Bartek Nowotarski reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.
“Many HTTP/2 implementations do not properly limit or sanitize the number of CONTINUATION frames sent in a single stream,” CERT/CC said in an April 3, 2024 advisory.
“An attacker able to send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory, but will still be processed and decoded by the server, or will be appended to the header list. This results in an Out of Memory (OOM) crash.”
Like HTTP/1, HTTP/2 carries header fields in requests and responses. The header fields of a message form a header list, which is serialized (HPACK-compressed) into a header block. The header block is then split into header block fragments, which are transmitted in a HEADERS frame followed by zero or more CONTINUATION frames.
RFC 7540, the original HTTP/2 specification, reads: “The CONTINUATION frame (type = 0x9) is used to continue a series of header block fragments.”
“Any number of CONTINUATION frames may be sent as long as the previous frame is on the same stream and was a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set.”
The last frame carrying a header block fragment sets the END_HEADERS flag, which signals to the remote endpoint that the header block is complete.
Nowotarski said that CONTINUATION Flood is a class of vulnerabilities in multiple HTTP/2 protocol implementations that poses a more serious threat than the rapid reset attack exposed in October 2023.
“A single machine (and in some cases, just a TCP connection or a few frames) has the potential to disrupt server availability, with consequences including server crashes and significant performance degradation,” the researcher said. “Notably, the requests that constitute the attack are not visible in the HTTP access logs.”
The core of the vulnerability is related to incorrect handling of headers and multiple CONTINUATION frames, which paves the way for a DoS condition.
In other words, an attacker could open a new HTTP/2 stream against a target server running a vulnerable implementation and send a HEADERS frame followed by CONTINUATION frames without ever setting the END_HEADERS flag, producing a never-ending header block that the server keeps parsing and storing in memory because the block is never terminated.
While specific results vary by implementation, the impact ranges from crashing immediately after sending a few HTTP/2 frames, to out-of-memory crashes, to CPU exhaustion, impacting server availability.
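To make the framing rules and the attack mechanics above concrete, here is an added example in Python; it is not code from the article, from Nowotarski's research, or from any of the affected projects. It builds raw HTTP/2 frames (RFC 9113 frame header: 24-bit length, type, flags, 31-bit stream identifier), assembles a CONTINUATION flood on the attacker side, and on the receiving side reassembles header blocks while enforcing two caps that a vulnerable server lacks: a maximum compressed header block size and a maximum number of CONTINUATION frames per block. The limit values, the class and function names, and the sample HPACK bytes are illustrative assumptions, not any project's actual defaults or fix.

```python
"""Constructed HTTP/2 framing example: build a CONTINUATION flood and show a
receiver that bounds the header block instead of buffering it without limit."""
import struct

TYPE_HEADERS, TYPE_CONTINUATION = 0x1, 0x9          # RFC 9113 frame types
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
FLAG_PADDED, FLAG_PRIORITY = 0x8, 0x20
FRAME_HEADER_LEN = 9


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, R + 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for one frame")
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def continuation_flood(stream_id, fragment, count):
    """Attacker side: HEADERS without END_HEADERS, then `count` CONTINUATION
    frames that never set END_HEADERS either, so the header block never ends."""
    frames = [build_frame(TYPE_HEADERS, 0, stream_id, fragment)]
    frames += [build_frame(TYPE_CONTINUATION, 0, stream_id, fragment) for _ in range(count)]
    return b"".join(frames)


class HeaderBlockError(Exception):
    """Connection error: the peer violated framing rules or exceeded a limit."""


class BoundedHeaderReceiver:
    """Server side. Reassembles one header block per stream from HEADERS and
    CONTINUATION frames, enforcing caps on total compressed block bytes and on
    CONTINUATION frames per block. Limit values are illustrative assumptions."""

    def __init__(self, max_block_bytes=16 * 1024, max_continuations=8):
        self.max_block_bytes = max_block_bytes
        self.max_continuations = max_continuations
        self.open_stream = None      # stream whose header block is still open
        self.fragments, self.block_bytes, self.continuations = [], 0, 0
        self.completed_blocks = []   # (stream_id, full HPACK header block)

    def feed(self, data):
        """Parse whole frames from `data`; returns the number of frames consumed."""
        pos, consumed = 0, 0
        while pos + FRAME_HEADER_LEN <= len(data):
            length = int.from_bytes(data[pos:pos + 3], "big")
            ftype, flags = data[pos + 3], data[pos + 4]
            stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
            payload = data[pos + 9:pos + 9 + length]
            if len(payload) < length:
                break                # partial frame: wait for more bytes
            pos += FRAME_HEADER_LEN + length
            consumed += 1
            self._handle(ftype, flags, stream_id, payload)
        return consumed

    def _handle(self, ftype, flags, stream_id, payload):
        # RFC 9113 section 4.3: once a header block is open, only CONTINUATION
        # frames on the same stream may follow until END_HEADERS is seen.
        if self.open_stream is not None and (ftype != TYPE_CONTINUATION or stream_id != self.open_stream):
            raise HeaderBlockError("expected CONTINUATION on stream %d" % self.open_stream)
        if ftype == TYPE_HEADERS:
            if flags & (FLAG_PADDED | FLAG_PRIORITY):
                raise HeaderBlockError("PADDED/PRIORITY HEADERS not handled in this example")
            self.open_stream = stream_id
            self.fragments, self.block_bytes, self.continuations = [], 0, 0
        elif ftype == TYPE_CONTINUATION:
            if self.open_stream is None:
                raise HeaderBlockError("CONTINUATION without an open header block")
            self.continuations += 1
            if self.continuations > self.max_continuations:
                raise HeaderBlockError("too many CONTINUATION frames")
        else:
            return                   # other frame types are out of scope here
        self.block_bytes += len(payload)
        if self.block_bytes > self.max_block_bytes:
            raise HeaderBlockError("header block exceeds %d bytes" % self.max_block_bytes)
        self.fragments.append(payload)   # stored only once both caps are satisfied
        if flags & FLAG_END_HEADERS:
            self.completed_blocks.append((stream_id, b"".join(self.fragments)))
            self.open_stream, self.fragments = None, []


def demo():
    """Constructed traffic: a legitimate two-frame block (HPACK indexed fields for
    :method GET, :scheme http, :path /) is accepted; a 10,000-frame flood is cut off
    at the CONTINUATION cap. Returns (blocks_accepted, continuations_seen_by_victim)."""
    good = BoundedHeaderReceiver(max_block_bytes=1024, max_continuations=8)
    good.feed(build_frame(TYPE_HEADERS, 0, 1, b"\x82\x86")
              + build_frame(TYPE_CONTINUATION, FLAG_END_HEADERS | FLAG_END_STREAM, 1, b"\x84"))
    victim = BoundedHeaderReceiver(max_block_bytes=1024, max_continuations=8)
    try:
        victim.feed(continuation_flood(3, b"\x00" * 64, count=10_000))
    except HeaderBlockError:
        pass
    return len(good.completed_blocks), victim.continuations
```

The point of the receiver is that both checks run before a fragment is appended, so an unterminated header block can never grow beyond the configured bound regardless of how many frames the peer sends; a real server would additionally treat the error as a connection-level GOAWAY and close the TCP connection. The flood in `demo()` is rejected after the ninth CONTINUATION frame, with the remaining frames never parsed, decoded, or stored.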
“RFC 9113 […] mentions that multiple security issues may arise if CONTINUATION frames are not handled correctly,” Nowotarski said.
“Also, it does not mention the specific circumstances of sending CONTINUATION frames without the final END_HEADERS flag, which may have an impact on affected servers.”
The issue affects multiple projects, including amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), the h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Users are advised to upgrade affected software to the latest version to mitigate the threat. Where no fix is available yet, temporarily disabling HTTP/2 on the server is recommended.