HTTP messages can contain named fields in both header and trailer sections. CERT/CC experts explained that both header and trailer fields are serialized as field blocks in HTTP/2 to transmit them in multiple fragments to the target implementation. Many HTTP/2 implementations don’t correctly address limiting or sanitizing the amount of CONTINUATION frames sent within a single stream. An attacker can exploit this issue by sending a stream of CONTINUATION frames. These frames may not be appended to the header list in memory but will still be processed and decoded by the server, potentially causing an out-of-memory (OOM) crash.
The attack technique was named HTTP/2 CONTINUATION Flood, the researcher Bartek Nowotarski reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.
“HTTP/2 CONTINUATION frames are used to continue a sequence of field block fragments. They are utilized in order to split header blocks across multiple frames. The other two types of header block fragments are HEADERS or PUSH_PROMISE. CONTINUATION frames can be utilized to continue a header block fragment that could not be transmitted by the HEADERS or PUSH_PROMISE frames. A header block is considered completed when the server receives a set END_HEADERS flag.” reads the advisory published by CERT/CC. “This is intended to denote that there are no further CONTINUATION, HEADERS, or PUSH_PROMISE frames. A vulnerability has been discovered within multiple implementations that does not limit the amount of CONTINUATION frames that can be sent within a single stream.”
Nowotarski explained that the CONTINUATION Flood is a class of vulnerabilities within numerous HTTP/2 protocol implementations. Compared to the Rapid Reset, CONTINUATION Flood has a more severe impact on a single machine. The researchers pointed out that it has the potential to disrupt server availability, causing server crashes and performance degradation.
Below are the flaw impacting different implementations.
CVE-2024-27983 – An attacker can make the Node.js HTTP/2 server unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
CVE-2024-27919 – Envoy’s oghttp codec does not reset a request when header map limits have been exceeded. This allows an attacker to send an sequence of CONTINUATION frames without the END_HEADERS bit set causing unlimited memory consumption.
CVE-2024-2758 – Tempesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately.
CVE-2024-2653 – amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they’re used with an unpatched version of amphp/http. Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.
CVE-2023-45288 – The Go packages net/http and net/http2 packages do not limit the number of CONTINUATION frames read for an HTTP/2 request, which permits an attacker to provide an arbitrarily large set of headers for a single request, that will be read, decoded, and subsequently discarded, which may result in excessive CPU consumption.
CVE-2024-28182 – An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in a DoS.
CVE-2024-27316 – HTTP/2 CONTINUATION frames without the END_HEADERS flag set can be sent in a continuous stream by an attacker to an Apache Httpd implementation, which will not properly terminate the request early.
CVE-2024-31309 – HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.
CVE-2024-30255 – HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoys HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoys header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic.
CERT/CC highlighted that it may be difficult to analyze incoming traffic to detect exploitation attempts as the HTTP request is not properly completed.
“Analysis of raw HTTP traffic may be necessary to determine an attack utilizing this vulnerability.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, HTTP/2 CONTINUATION Flood)