In the digital landscape, security is paramount, especially for web servers handling vast amounts of data. As per recent reports, a vulnerability has emerged within the HTTP/2 protocol, shedding light on potential Denial of Service (DoS) attacks. Let’s explore the intricacies of the HTTP/2 vulnerability, its implications, and recommended measures for safeguarding against such threats.
Web server performance issues can significantly impact user experience and overall website functionality. In a recent revelation, security researcher Bartek Nowotarski uncovered a flaw within the HTTP/2 protocol, termed the HTTP/2 CONTINUATION Flood. This flaw, reported to the CERT Coordination Center (CERT/CC) on January 25, 2024, exploits the CONTINUATION frame, allowing attackers to execute DoS attacks on web servers.
The crux of the vulnerability lies in the mishandling of CONTINUATION frames within HTTP/2 protocol implementations. Unlike its predecessor HTTP/1, HTTP/2 transmits the header fields of requests and responses as header lists, which are broken into header blocks. These blocks are then transmitted in fragments via HEADERS or CONTINUATION frames.
Attackers leverage the flaw by initiating a new HTTP/2 stream against a target server using a vulnerable implementation. By sending headers and CONTINUATION frames without the END_HEADERS flag set, they create an endless stream of headers, overwhelming the server’s capacity to parse and store them in memory.
The ramifications of these network protocol vulnerabilities are significant, ranging from server crashes to substantial performance degradation. Notably, affected servers may not log the malicious requests, complicating detection efforts. Furthermore, the vulnerability poses a more severe threat compared to previous exploits like the Rapid Reset attack.
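Because the flood is a HEADERS frame followed by CONTINUATION frames that never carry END_HEADERS, a server or inspecting proxy can bound it by capping the size and frame count of any open header block. The following is an added example, not code from the original post or from any implementation it mentions; the function names, the two limits, and the sample byte strings are assumptions constructed for illustration.

```python
HEADERS, CONTINUATION = 0x1, 0x9   # frame types (RFC 9113)
END_HEADERS = 0x4                  # flag on HEADERS / CONTINUATION
MAX_BLOCK_BYTES = 16 * 1024        # assumed cap on one (still compressed) header block
MAX_CONT_FRAMES = 8                # assumed cap on CONTINUATION frames per block

def frame(ftype, flags, stream_id, payload=b""):
    """Build one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload_length) for each complete frame."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if pos + 9 + length > len(buf):
            break  # truncated frame: a real parser would wait for more data
        yield ftype, flags, stream_id, length
        pos += 9 + length

def check_header_blocks(buf):
    """Return a verdict as soon as an open header block breaks a rule or a cap."""
    open_stream, size, conts = None, 0, 0
    for ftype, flags, sid, length in iter_frames(buf):
        if open_stream is not None and (ftype != CONTINUATION or sid != open_stream):
            return "protocol_error"      # only CONTINUATION may follow an open block
        if ftype == HEADERS:
            open_stream, size, conts = sid, length, 0
        elif ftype == CONTINUATION:
            if open_stream is None:
                return "protocol_error"  # CONTINUATION with no preceding HEADERS
            size, conts = size + length, conts + 1
        else:
            continue                     # other frame types are not header blocks
        if size > MAX_BLOCK_BYTES or conts > MAX_CONT_FRAMES:
            return "continuation_flood"  # close the connection and log peer + stream
        if flags & END_HEADERS:
            open_stream = None           # header block complete
    return "ok"

# Constructed samples: an unterminated header block, and a normal two-frame block.
FLOOD = frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, 0, 1, b"x" * 100) * 20
NORMAL = frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, END_HEADERS, 1, b"\x84")
```

The check counts bytes as they arrive, before any header decoding, so the limit is enforced without buffering the whole block, and the verdict gives the server a point at which to log a request that would otherwise never complete.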
Multiple implementations of the HTTP/2 protocol are susceptible to this vulnerability, each presenting its unique set of challenges:
Given the severity of this vulnerability, prompt action is imperative for web server protection. To mitigate the potential threats it poses, take proactive measures:
Secure communication protocols are essential for protecting sensitive data transmission over networks. The HTTP/2 CONTINUATION Flood vulnerability poses a huge risk to web server security, potentially leading to service disruptions and performance degradation. By understanding the intricacies of this flaw and implementing appropriate mitigation strategies, organizations can fortify their defenses against potential threats, safeguarding their digital infrastructure and ensuring uninterrupted service delivery.
In a constantly evolving digital landscape, vigilance and proactive security measures are paramount to mitigate HTTP/2 security risks and safeguard against potential cybersecurity threats.
Stay informed, stay secure.
The sources for this piece include articles in The Hacker News and Bleeping Computer.
The post HTTP/2 Vulnerability: Protect Web Servers from DoS Attacks appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/http-2-vulnerability-protect-web-servers-from-dos-attacks/