===========================================================================
                         AUSCERT Security Bulletin                         
                                                                           
                               ASB-2024.0058                               
          HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks          
                               5 April 2024                                
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HTTP/2                                                  
Operating System:  Windows                                                 
                   UNIX variants (UNIX, Linux, OSX)                        
Resolution:        Mitigation                                              
CVE Names:         CVE-2024-2758 CVE-2024-2653 CVE-2023-45288              
                   CVE-2024-28182 CVE-2024-31309 CVE-2024-30255            
                   CVE-2024-27316 CVE-2024-27983 CVE-2024-27919            

Comment: CVSS (Max):  7.5* CVE-2024-27919 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: GitHub                                               
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
         * Not all CVSS available when published                           



OVERVIEW

        HTTP allows messages to include named fields in both header and
        trailer sections. In HTTP/2 these fields are serialised as a field
        block that may be transmitted in multiple fragments: a HEADERS frame
        that does not set the END_HEADERS flag is followed by one or more
        CONTINUATION frames on the same stream, and the block is complete
        only when a frame carrying END_HEADERS arrives. Many HTTP/2
        implementations do not properly limit the number of CONTINUATION
        frames, or the total size of the fragments, accepted within a single
        stream. An attacker who can open a connection to a target server can
        send a stream of CONTINUATION frames that never terminates. Depending
        on the implementation, the fragments are either discarded from the
        header list in memory but still processed and decoded by the server,
        or appended to the header list until memory is exhausted, causing an
        out-of-memory (OOM) crash [1][2].



IMPACT

        Successful exploitation allows an unauthenticated remote attacker to
        cause a denial of service against servers, and other HTTP/2
        endpoints such as proxies, that use a vulnerable implementation. A
        single connection may be sufficient to crash or stall the target
        [1][2].


MITIGATION

        Different HTTP/2 implementations have separate, implementation
        specific vulnerabilities (the CVEs listed above), so each affected
        product must be updated to the version its vendor has released for
        the corresponding CVE. Where an implementation or a front-end proxy
        exposes limits on the maximum header block size or on the number of
        CONTINUATION frames per stream, configure them conservatively.

        Detection is harder than for most HTTP-layer attacks: because the
        header block never completes, no HTTP request is ever formed, so the
        attack does not appear in access logs that record completed
        requests. Identifying it requires inspection of the raw HTTP/2
        frames (after TLS termination), looking for connections that keep
        sending CONTINUATION frames on a stream without ever setting
        END_HEADERS [2].
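        The following is an added example, not code from AusCERT, CERT/CC or
        any of the affected projects. It implements a minimal HTTP/2 frame
        layer (RFC 9113 frame layout; HPACK decoding and PADDED/PRIORITY
        handling are omitted because the attack does not depend on them) to
        show both points above: how a HEADERS frame without END_HEADERS
        followed by endless CONTINUATION frames grows the buffered header
        block without ever completing a request, and how an implementation
        or a frame-level monitor bounds it. The attacker traffic is
        constructed inline; the limit, class and function names are this
        example's own assumptions, not any vendor's defaults.

```python
# Added example: HTTP/2 CONTINUATION flood and a bounded header-block
# assembler. Not code from the bulletin or from any affected project.

FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4


def frame(ftype, flags, stream_id, payload):
    """Serialise one HTTP/2 frame: 24-bit length, type, flags,
    31-bit stream id (reserved bit cleared), payload (RFC 9113 s4.1)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    off = 0
    while off < len(data):
        if len(data) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def continuation_flood(stream_id, fragments, fragment_size=16384):
    """Constructed attacker traffic: a HEADERS frame without END_HEADERS,
    then CONTINUATION frames that never set END_HEADERS, so the header
    block never completes and no request is ever formed."""
    out = [frame(FRAME_HEADERS, 0, stream_id, b"\x00" * fragment_size)]
    out += [frame(FRAME_CONTINUATION, 0, stream_id, b"\x00" * fragment_size)
            for _ in range(fragments)]
    return b"".join(out)


class ProtocolError(Exception):
    pass


class HeaderBlockAssembler:
    """Reassembles a header block from HEADERS + CONTINUATION frames.

    max_block_bytes=None reproduces the vulnerable behaviour: fragments are
    appended until memory runs out. With a limit (an assumed value, chosen
    by the deployer) the connection is torn down (ProtocolError) as soon as
    the accumulated block exceeds it."""

    def __init__(self, max_block_bytes=None):
        self.max_block_bytes = max_block_bytes
        self.stream_id = None      # stream whose header block is open, if any
        self.block = bytearray()
        self.fragments = 0

    def feed(self, ftype, flags, stream_id, payload):
        if ftype == FRAME_HEADERS:
            if self.stream_id is not None:
                raise ProtocolError("HEADERS while a header block is still open")
            self.stream_id, self.block, self.fragments = stream_id, bytearray(), 0
        elif ftype == FRAME_CONTINUATION:
            # Also rejects CONTINUATION with no block open (stream_id is None).
            if self.stream_id != stream_id:
                raise ProtocolError("CONTINUATION without a matching open HEADERS")
        else:
            if self.stream_id is not None:
                raise ProtocolError("non-CONTINUATION frame inside a header block")
            return None
        self.block += payload
        self.fragments += 1
        if self.max_block_bytes is not None and len(self.block) > self.max_block_bytes:
            raise ProtocolError("header block exceeds %d bytes after %d fragments"
                                % (self.max_block_bytes, self.fragments))
        if flags & FLAG_END_HEADERS:
            done = (self.stream_id, bytes(self.block))
            self.stream_id, self.block = None, bytearray()
            return done
        return None


def run(data, max_block_bytes=None):
    """Feed a byte stream through the assembler. Returns
    (completed_blocks, bytes_still_buffered, fragments_seen, error_or_None).
    An empty completed list with a large buffered count is exactly the
    signal a frame-level monitor would look for, since no request exists."""
    asm = HeaderBlockAssembler(max_block_bytes)
    completed = []
    try:
        for f in iter_frames(data):
            result = asm.feed(*f)
            if result:
                completed.append(result)
    except ProtocolError as e:
        return completed, len(asm.block), asm.fragments, str(e)
    return completed, len(asm.block), asm.fragments, None
```

        With no limit, 100 CONTINUATION frames of 16 KiB leave about 1.6
        MiB buffered, nothing completed and no error, and a real attacker
        simply keeps sending; with a 64 KiB limit the connection is
        rejected after the fifth fragment. The same frame walker, run over
        captured plaintext (or TLS-terminated) traffic, exposes the attack
        that access logs never record.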


REFERENCES

        [1] New HTTP/2 DoS attack can crash web servers with a single
            connection
            https://www.bleepingcomputer.com/news/security/new-http-2-dos-attack-can-crash-web-servers-with-a-single-connection/

        [2] HTTP/2 CONTINUATION frames can be utilized for DoS attacks
            https://kb.cert.org/vuls/id/421644




AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================