Cybersecurity researchers recently discovered a new vulnerability in the HTTP/2 protocol, allowing threat actors to conduct Denial of Service (DoS) attacks and even crash servers with a single TCP connection.
The vulnerability is related to the use of HTTP/2 CONTINUATION frames, which is why the researcher who discovered it, Bartek Nowotarski, called it “CONTINUATION Flood.”
As explained by BleepingComputer, HTTP/2 is the updated version of the HTTP protocol, standardized in 2015. Its purpose was to improve web performance by introducing binary framing for efficient data transfer, multiplexing that allows multiple requests and responses over a single connection, and header compression that reduces overhead.
Multiple CVEs
With HTTP/2 messages, header and trailer sections are serialized and placed into header blocks, which can be fragmented for transmission. CONTINUATION frames are then used to stitch the fragments back together, but the lack of proper frame checks allows a threat actor to keep sending fragments and build a header block that is far too large. A server may exhaust its memory or CPU and crash when attempting to process these frames.
“Out of Memory is probably the most boring but most serious case. There is nothing special about it: no strange logic, no interesting race condition and so on,” said Nowotarski. “The implementations that enable OOM simply did not limit the size of the header list built using CONTINUATION frames.”
“Deployments without header timeout required only one HTTP/2 connection to crash the server.”
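The defensive check Nowotarski describes (bounding the header block that HEADERS and CONTINUATION frames build up) is easy to see in a small frame reassembler. The following Python is an added example, not code from the researcher, BleepingComputer, or any of the affected projects. It parses the 9-byte HTTP/2 frame header, concatenates HEADERS and CONTINUATION fragments per stream, and refuses to buffer beyond a cap before appending; the cap value, the placeholder HPACK bytes, and the three sample frame sequences are all constructed for this example, and PADDED/PRIORITY payload layouts are deliberately not handled.

```python
import struct

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
# Cap on the reassembled header block; the value is an assumption chosen for this example.
MAX_HEADER_BLOCK = 16 * 1024


class HeaderBlockTooLarge(Exception):
    """Raised when HEADERS + CONTINUATION fragments exceed the configured cap."""


class ProtocolError(Exception):
    """Raised when frames are truncated or CONTINUATION frames arrive out of sequence."""


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a raw byte stream."""
    off = 0
    while off < len(data):
        if off + FRAME_HEADER_LEN > len(data):
            raise ProtocolError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ProtocolError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def reassemble_header_blocks(data, max_header_block=MAX_HEADER_BLOCK):
    """Reassemble header blocks, refusing to buffer more than max_header_block bytes.

    Simplification: HEADERS payloads are treated as pure header-block fragments
    (the PADDED and PRIORITY flag layouts are not parsed here).
    """
    blocks = []
    open_stream = None          # stream whose header block is still being received
    buf = bytearray()
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == TYPE_HEADERS:
            if open_stream is not None:
                raise ProtocolError("HEADERS while another header block is open")
            open_stream = sid
        elif ftype == TYPE_CONTINUATION:
            if open_stream is None or sid != open_stream:
                raise ProtocolError("CONTINUATION with no open header block on stream %d" % sid)
        else:
            if open_stream is not None:
                raise ProtocolError("non-CONTINUATION frame inside a header block")
            continue                # other frame types are out of scope for this example
        # The check that matters: bound the buffer BEFORE appending, so an endless
        # run of CONTINUATION frames cannot grow memory without limit.
        if len(buf) + len(payload) > max_header_block:
            raise HeaderBlockTooLarge("header block exceeds %d bytes" % max_header_block)
        buf += payload
        if flags & FLAG_END_HEADERS:
            blocks.append((open_stream, bytes(buf)))
            open_stream, buf = None, bytearray()
    return blocks


def classify(data, max_header_block=MAX_HEADER_BLOCK):
    """Summarize how a frame sequence is handled: 'accepted', 'too_large' or 'protocol_error'."""
    try:
        reassemble_header_blocks(data, max_header_block)
        return "accepted"
    except HeaderBlockTooLarge:
        return "too_large"
    except ProtocolError:
        return "protocol_error"


# Constructed sample inputs (the HPACK bytes are placeholders and are not decoded here).
LEGIT_SEQUENCE = (
    build_frame(TYPE_HEADERS, 0, 1, b"\x82\x86")
    + build_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x84")
)
# A header block spread over several CONTINUATION frames, none of which carries END_HEADERS.
UNBOUNDED_SEQUENCE = build_frame(TYPE_HEADERS, 0, 3, b"\x82") + b"".join(
    build_frame(TYPE_CONTINUATION, 0, 3, b"\x00" * 1024) for _ in range(8)
)
# A CONTINUATION frame on a stream that never sent HEADERS.
ORPHAN_SEQUENCE = build_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 5, b"\x82")

if __name__ == "__main__":
    print("legit:", classify(LEGIT_SEQUENCE))                          # accepted
    print("unbounded, 4 KiB cap:", classify(UNBOUNDED_SEQUENCE, 4096))  # too_large
    print("orphan:", classify(ORPHAN_SEQUENCE))                         # protocol_error
```

The cap is enforced before the fragment is copied, which is the property the vulnerable implementations lacked: a peer that never sends END_HEADERS is cut off at a fixed byte budget instead of being allowed to grow the server's buffer until memory runs out. A header read timeout, as mentioned in the quote above, is the complementary control for the same sequence.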
Depending on the HTTP/2 implementation, the vulnerabilities are tracked under different CVEs. Some are more disruptive than others and can result in DoS attacks, memory leaks, excessive memory usage and more:
CVE-2024-27983, CVE-2024-27919, CVE-2024-2758, CVE-2024-2653, CVE-2023-45288, CVE-2024-28182, CVE-2024-27316, CVE-2024-31309 and CVE-2024-30255.
Red Hat, SUSE Linux, Arista Networks, the Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go Programming Language have all since confirmed they are vulnerable to at least one of these CVEs, according to BleepingComputer.