HTTP/2 CONTINUATION Frames Vulnerability Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-24-120 Final 1 1 2024-05-14T00:00:00 Current version 2024-05-14T00:00:00 2024-12-04T00:00:00 HTTP CONTINUATION Flood can be used to launch a serious DoS attack that can cause the crash of the target server with just one attacking machine (or even one TCP connection to the target).It works by:- initiating an HTTP stream against the target- then sending headers and CONTINUATION frames with no END_HEADERS flag set - that creates a never ending stream that could even cause an instant crashThis works because there's many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream.CVE-2024-27316 for Apache HTTP Server (httpd):HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.CVE-2024-24549 for Apache Tomcat:When processing an HTTP/2 request, if the request exceeded any of theconfigured limits for headers, the associated HTTP/2 stream was notreset until after all of the headers had been processed.CVE-2024-30255 for Envoy proxy (nghttp2):Envoy's HTTP/2 codec allows the peer to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic.CVE-2023-45288 for Golang:An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.CVE-2024-28182 for nghttp2:nghttp2 library keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream.CVE-2024-27983 for Node.js:An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.CVE-2024-3302 for Firefox:There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. None Denial of service https://fortiguard.fortinet.com/psirt/FG-IR-24-120 HTTP/2 CONTINUATION Frames Vulnerability https://nowotarski.info/http2-continuation-flood-technical-details/ https://nowotarski.info/http2-continuation-flood-technical-details/ FortiAuthenticator 6.6.0 FortiAuthenticator 6.5.4 FortiAuthenticator 6.5.3 FortiAuthenticator 6.5.2 FortiAuthenticator 6.5.1 FortiAuthenticator 6.5.0 FortiSandbox 4.4.5 FortiSandbox 4.4.4 FortiSandbox 4.4.3 FortiSandbox 4.4.2 FortiSandbox 4.4.1 FortiSandbox 4.4.0 FortiSwitch 7.4.3 FortiSwitch 7.4.2 FortiSwitch 7.4.1 FortiSwitch 7.4.0 FortiAuthenticator-6.6.0 FortiAuthenticator-6.5.4 FortiAuthenticator-6.5.3 FortiAuthenticator-6.5.2 FortiAuthenticator-6.5.1 FortiAuthenticator-6.5.0 FortiSandbox-4.4.5 FortiSandbox-4.4.4 FortiSandbox-4.4.3 FortiSandbox-4.4.2 FortiSandbox-4.4.1 FortiSandbox-4.4.0 FortiSwitch-7.4.3 FortiSwitch-7.4.2 FortiSwitch-7.4.1 FortiSwitch-7.4.0 5.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-24-120 HTTP/2 CONTINUATION Frames Vulnerability Reference> https://nowotarski.info/http2-continuation-flood-technical-details/ https://nowotarski.info/http2-continuation-flood-technical-details/