HTTP/2 CONTINUATION Frames Vulnerability

Summary

HTTP CONTINUATION Flood can be used to launch a serious DoS attack that can cause the crash of the target server with just one attacking machine (or even one TCP connection to the target).

It works by:
- initiating an HTTP stream against the target
- then sending headers and CONTINUATION frames with no END_HEADERS flag set
- that creates a never ending stream that could even cause an instant crash

This works because there's many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream.

CVE-2024-27316 for Apache HTTP Server (httpd):
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

CVE-2024-24549 for Apache Tomcat:
When processing an HTTP/2 request, if the request exceeded any of the
configured limits for headers, the associated HTTP/2 stream was not
reset until after all of the headers had been processed.

CVE-2024-30255 for Envoy proxy (nghttp2):
Envoy's HTTP/2 codec allows the peer to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic.

CVE-2023-45288 for Golang:
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

CVE-2024-28182 for nghttp2:
nghttp2 library keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream.

CVE-2024-27983 for Node.js:
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

CVE-2024-3302 for Firefox:
There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser.

Products confirmed NOT impacted:

• FortiMail
• FortiDeceptor
• FortiVoice
• FortiADC
• FortiRecorder
• FortiAnalyzer
• FortiClientEMS
• FortiManager
• FortiOS
• FortiNAC
• FortiNAC-F
• FortiPortal
• FortiWeb
• FortiAnalyzer-BigData
• FortiCloud-MFGS
• FortiDDoS-F
• FortiLANCloud
• FortiProxy
• FortiSIEM
• FortiWLM

Products under investigation:

• FortiWANController
• FortiWAN
• FortiTester
• FortiStack
• FortiSOAR
• FortiIsolator
• FortiDAST
• FortiConnect
• FortiCloud-SOCaaS
• FortiCloud
• FortiSASE

Timeline

2024-05-14: Initial publication
2024-05-15: Typo fixed
2024-11-21: Products information updated
2024-12-04: Products information updated

References

• https://nowotarski.info/http2-continuation-flood-technical-details/