===========================================================================
                  AUSCERT Security Bulletin ASB-2024.0058
          HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks
                               5 April 2024
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HTTP/2
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Mitigation
CVE Names:         CVE-2024-2758 CVE-2024-2653 CVE-2023-45288
                   CVE-2024-28182 CVE-2024-31309 CVE-2024-30255
                   CVE-2024-27316 CVE-2024-27983 CVE-2024-27919

Comment: CVSS (Max):  7.5* CVE-2024-27919 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: GitHub
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
         * Not all CVSS available when published

OVERVIEW

        HTTP allows messages to include named fields in both header and
        trailer sections. In HTTP/2 these header and trailer fields are
        serialised as field blocks, so that they can be transmitted to the
        target implementation in multiple fragments.

        Many HTTP/2 implementations do not properly limit or sanitize the
        number of CONTINUATION frames sent within a single stream. An
        attacker that can send packets to a target server can send a stream
        of CONTINUATION frames that either is not appended to the header
        list in memory but is still processed and decoded by the server, or
        is appended to the header list, causing an out-of-memory (OOM)
        crash [1][2].

IMPACT

        Successful exploitation of this vulnerability can allow an attacker
        the capability to launch DoS attacks against servers utilizing
        vulnerable implementations [2].

MITIGATION

        Different HTTP/2 implementations may have separate, unique
        vulnerabilities specific to that implementation.

        It is important to note that it may be difficult to analyze incoming
        malicious traffic exploiting this vulnerability, as the HTTP request
        is never properly completed. Analysis of raw HTTP traffic may be
        necessary to determine that an attack is utilizing this
        vulnerability [2].

REFERENCES

        [1] New HTTP/2 DoS attack can crash web servers with a single
            connection
            https://www.bleepingcomputer.com/news/security/new-http-2-dos-attack-can-crash-web-servers-with-a-single-connection/

        [2] HTTP/2 CONTINUATION frames can be utilized for DoS attacks
            https://kb.cert.org/vuls/id/421644

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
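The MITIGATION section notes that this attack may only be visible in raw HTTP/2 traffic, because the request never completes. The following Python script is an added illustration of that kind of analysis; it is not part of the AusCERT bulletin or any vendor's code. It parses a raw HTTP/2 frame sequence and flags streams whose field block keeps growing through CONTINUATION frames that never carry END_HEADERS; the thresholds MAX_CONTINUATION_FRAMES and MAX_FIELD_BLOCK_BYTES and the sample capture are constructed for the example.

```python
import struct

HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4  # RFC 9113 frame types / flag
# Constructed thresholds for this example, not figures from the bulletin; a
# deployment would derive them from its own SETTINGS_MAX_HEADER_LIST_SIZE.
MAX_CONTINUATION_FRAMES, MAX_FIELD_BLOCK_BYTES = 8, 16 * 1024

def frame(ftype, flags, stream_id, payload):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) from raw HTTP/2 bytes."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, stream_id, data[off + 9:off + 9 + length]
        off += 9 + length

def audit_continuations(data):
    """Return (stream_id, reason) for field blocks grown past the limits."""
    findings, flagged = [], set()
    blocks = {}  # stream_id -> [field block bytes so far, CONTINUATION count]
    for ftype, flags, stream_id, payload in iter_frames(data):
        if ftype == HEADERS:
            blocks[stream_id] = [len(payload), 0]
        elif ftype == CONTINUATION and stream_id not in flagged:
            state = blocks.get(stream_id)
            if state is None:  # CONTINUATION must follow an open HEADERS
                findings.append((stream_id, "CONTINUATION with no open field block"))
                flagged.add(stream_id)
                continue
            state[0] += len(payload)
            state[1] += 1
            if state[1] > MAX_CONTINUATION_FRAMES or state[0] > MAX_FIELD_BLOCK_BYTES:
                findings.append((stream_id, f"{state[1]} CONTINUATION frames, "
                                 f"{state[0]} field-block bytes, no END_HEADERS"))
                flagged.add(stream_id)
                del blocks[stream_id]
        if flags & END_HEADERS and ftype in (HEADERS, CONTINUATION):
            blocks.pop(stream_id, None)  # block complete; stop tracking it
    return findings

# Constructed sample: a benign request on stream 1, then stream 3 never ends its block.
SAMPLE = frame(HEADERS, END_HEADERS, 1, b"\x82\x84")
SAMPLE += frame(HEADERS, 0, 3, b"\x82") + b"".join(
    frame(CONTINUATION, 0, 3, b"\x00" * 64) for _ in range(20))
```

Running audit_continuations(SAMPLE) reports stream 3 once, after the ninth CONTINUATION frame; a legitimate multi-frame field block that closes with END_HEADERS produces no finding.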