A new research conducted by security expert Bartek Nowotarski has unearthed a potential vulnerability in the HTTP/2 protocol. Known as the CONTINUATION Flood, this exploit allows attackers to conduct denial-of-service (DoS) attacks by flooding a server with CONTINUATION frames.
![HTTP2 Flaw Puts Web Servers at Risk of DoS Attacks [CVE-2024-27983]](https://cdn.sensorstechforum.com/wp-content/uploads/2024/04/HTTP2-Flaw-Puts-Web-Servers-at-Risk-of-DoS-Attacks-CVE-2024-27983-1024x585.jpg)
The CONTINUATION Flood Vulnerability Explained
The issue lies in how HTTP/2 implementations handle CONTINUATION frames within a single stream. Many implementations fail to properly limit or sanitize the number of CONTINUATION frames sent, allowing attackers to overwhelm a server with a stream of frames that can cause memory exhaustion or crashes.
HTTP/2, like its predecessor HTTP/1, uses header fields within requests and responses. These headers are serialized into header blocks, which are then transmitted as block fragments within CONTINUATION frames.
How Can the Vulnerability Be Exploited
Attackers can exploit this vulnerability by sending a continuous stream of CONTINUATION frames without the END_HEADERS flag set, causing the server to parse and store an excessive amount of header data in memory.
This vulnerability poses a severe threat, as a single machine or TCP connection can disrupt server availability, leading to crashes or performance degradation. The attack may not be visible in HTTP access logs, making detection challenging.
Affected Implementations
Several HTTP/2 implementations are affected, including projects like Apache HTTP Server, Node.js, and Golang. Users are advised to upgrade affected software to mitigate risks. If a fix is unavailable, temporarily disabling HTTP/2 can provide protection against this exploit.
Here are multiple CVE listings highlighting the vulnerability in various implementations, as per CERT Coordination Center’s advisory.
CVE-2024-27983
An attacker can render the Node.js HTTP/2 server unavailable by sending a limited amount of HTTP/2 frame packets containing a few HTTP/2 frames. The flaw can leave data in nghttp2 memory after a reset. This could happen when headers with HTTP/2 CONTINUATION frames are sent to the server and the TCP connection is abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed, causing a race condition.
CVE-2024-27919
Envoy’s oghttp codec fails to reset a request when header map limits are exceeded. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, leading to unlimited memory consumption.
CVE-2024-2758
Tempesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately.
CVE-2024-2653
amphp/http collects HTTP/2 CONTINUATION frames in an unbounded buffer and does not check the header size limit until receiving the END_HEADERS flag, resulting in an Out-of-Memory (OOM) crash. amphp/http-client and amphp/http-server are indirectly affected if used with an unpatched version of amphp/http. Earlier versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.
CVE-2023-45288
The Go packages net/http and net/http2 do not limit the number of CONTINUATION frames read for an HTTP/2 request, allowing an attacker to provide an excessively large set of headers for a single request, leading to excessive CPU consumption.
CVE-2024-28182
An implementation using the nghttp2 library will continue to receive CONTINUATION frames and will not callback to the application to allow visibility into this information before resetting the stream, resulting in a Denial of Service (DoS) vulnerability.
CVE-2024-27316
HTTP/2 CONTINUATION frames without the END_HEADERS flag set can be continuously sent by an attacker to an Apache Httpd implementation, which fails to terminate the request early.
CVE-2024-31309
A HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Versions from 8.0.0 through 8.1.9 and from 9.0.0 through 9.2.3 are affected.
CVE-2024-30255
The HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier is vulnerable to CPU exhaustion due to a flood of CONTINUATION frames. Envoy’s HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames, even after exceeding Envoy’s header map limits. This enables an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, causing CPU utilization to consume approximately 1 core per 300Mbit/s of traffic.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: