Apr 04, 2024NewsroomVulnerability / Internet Protocol

New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct denial-of-service (DoS) attacks.

The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.

“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream,” CERT/CC said in an advisory on April 3, 2024.

“An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.”

Like in HTTP/1, HTTP/2 uses header fields within requests and responses. These header fields can comprise header lists, which in turn, are serialized and broken into header blocks. The header blocks are then divided into block fragments and transmitted within HEADER or what’s called CONTINUATION frames.

“The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments,” the documentation for RFC 7540 reads.

“Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set.”

The last frame containing headers will have the END_HEADERS flag set, which signals the remote endpoint that it’s the end of the header block.

According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities within several HTTP/2 protocol implementations that pose a more severe threat compared to the Rapid Reset attack that came to light in October 2023.

“A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation,” the researcher said. “Remarkably, requests that constitute an attack are not visible in HTTP access logs.”

The vulnerability, at its core, has to do with incorrect handling of HEADERS and multiple CONTINUATION frames that pave the way for a DoS condition.

In other words, an attacker can initiate a new HTTP/2 stream against a target server using a vulnerable implementation and send HEADERS and CONTINUATION frames with no set END_HEADERS flag, creating a never-ending stream of headers that the HTTP/2 server would need to parse and store in memory.

While the exact outcome varies depending on the implementation, impacts range from instant crash after sending a couple of HTTP/2 frames and out of memory crash to CPU exhaustion, thereby affecting server availability.

“RFC 9113 […] mentions multiple security issues that may arise if CONTINUATION frames are not handled correctly,” Nowotarski said.

“At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag which can have repercussions on affected servers.”

The issue impacts several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).

Users are recommended to upgrade affected software to the latest version to mitigate potential threats. In the absence of a fix, it’s advised to consider temporarily disabling HTTP/2 on the server.

Mar 20, 2024NewsroomDoS Attack / Network Security

A novel denial-of-service (DoS) attack vector has been found to target application-layer protocols based on User Datagram Protocol (UDP), putting hundreds of thousands of hosts likely at risk.

Called Loop DoS attacks, the approach pairs “servers of these protocols in such a way that they communicate with each other indefinitely,” researchers from the CISPA Helmholtz-Center for Information Security said.

UDP, by design, is a connectionless protocol that does not validate source IP addresses, making it susceptible to IP spoofing.

Thus, when attackers forge several UDP packets to include a victim IP address, the destination server responds to the victim (as opposed to the threat actor), creating a reflected denial-of-service (DoS) attack.

The latest study found that certain implementations of the UDP protocol, such as DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time, can be weaponized to create a self-perpetuating attack loop.

“It pairs two network services in such a way that they keep responding to one another’s messages indefinitely,” the researchers said. “In doing so, they create large volumes of traffic that result in a denial-of-service for involved systems or networks. Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack.”

Put simply, given two application servers running a vulnerable version of the protocol, a threat actor can initiate communication with the first server by spoofing the address of the second server, causing the first server to respond to the victim (i.e., the second server) with an error message.

The victim, in turn, will also exhibit similar behavior, sending back another error message to the first server, effectively exhausting each other’s resources and making either of the services unresponsive.

“If an error as input creates an error as output, and a second system behaves the same, these two systems will keep sending error messages back and forth indefinitely,” Yepeng Pan and Christian Rossow explained.

CISPA said an estimated 300,000 hosts and their networks can be abused to carry out Loop DoS attacks.

While there is currently no evidence that the attack has been weaponized in the wild, the researchers warned that exploitation is trivial and that multiple products from Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel are affected.

“Attackers need a single spoofing-capable host to trigger loops,” the researchers noted. “As such, it is important to keep up initiatives to filter spoofed traffic, such as BCP38.”

Jan 18, 2024NewsroomFirmware Security / Vulnerability

Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification used widely in modern computers.

Collectively dubbed PixieFail by Quarkslab, the nine issues reside in the TianoCore EFI Development Kit II (EDK II) and could be exploited to achieve remote code execution, denial-of-service (DoS), DNS cache poisoning, and leakage of sensitive information.

UEFI firmware – which is responsible for booting the operating system – from AMI, Intel, Insyde, and Phoenix Technologies are impacted by the shortcomings.

EDK II incorporates its own TCP/IP stack called NetworkPkg to enable network functionalities available during the initial Preboot eXecution Environment (PXE, pronounced “pixie”) stage, which allows for management tasks in the absence of a running operating system.

In other words, it is a client-server interface to boot a device from its network interface card (NIC) and allows networked computers that are not yet loaded with an operating system to be configured and booted remotely by an administrator.

The code to PXE is included as part of the UEFI firmware on the motherboard or within the NIC firmware read-only memory (ROM).

The issues identified by Quarkslab within the EDKII’s NetworkPkg encompass overflow bugs, out-of-bounds read, infinite loops, and the use of weak pseudorandom number generator (PRNG) that result in DNS and DHCP poisoning attacks, information leakage, denial of service, and data insertion attacks at the IPv4 and IPv6 layer.

The list of flaws is as follows –

• CVE-2023-45229 (CVSS score: 6.5) – Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
• CVE-2023-45230 (CVSS score: 8.3) – Buffer overflow in the DHCPv6 client via a long Server ID option
• CVE-2023-45231 (CVSS score: 6.5) – Out-of-bounds read when handling a ND Redirect message with truncated options
• CVE-2023-45232 (CVSS score: 7.5) – Infinite loop when parsing unknown options in the Destination Options header
• CVE-2023-45233 (CVSS score: 7.5) – Infinite loop when parsing a PadN option in the Destination Options header
• CVE-2023-45234 (CVSS score: 8.3) – Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message
• CVE-2023-45235 (CVSS score: 8.3) – Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message
• CVE-2023-45236 (CVSS score: 5.8) – Predictable TCP Initial Sequence Numbers
• CVE-2023-45237 (CVSS score: 5.3) – Use of a weak pseudorandom number generator

“The impact and exploitability of these vulnerabilities depend on the specific firmware build and the default PXE boot configuration,” the CERT Coordination Center (CERT/CC) said in an advisory.

“An attacker within the local network (and, in certain scenarios remotely) could exploit these weaknesses to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.”