New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct Denial of Service (DoS) attacks.
The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.
“Many HTTP/2 implementations do not adequately limit or sanitize the amount of CONTINUATION frames sent within a single stream,” CERT/CC said in an April 3, 2024 advisory.
“An attacker who can send packets to a destination server can send a stream of CONTINUATION frames that will not be added to the header list in memory but will still be processed and decoded by the server or will be added to the header list, causing an out-of-memory (OOM) crash.”
As in HTTP/1, HTTP/2 uses header fields within requests and responses. These header fields may comprise lists of headers which are in turn serialized and divided into header blocks. The header blocks are then divided into block fragments and transmitted within HEADERS or so-called CONTINUATION frames.
“The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments,” reads the RFC 7540 documentation.
“You can send any number of CONTINUATION frames, as long as the previous frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set.”
The last frame containing the headers will have the END_HEADERS flag set, signaling to the remote endpoint that it is the end of the header block.
According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities within several implementations of the HTTP/2 protocol that pose a more serious threat than the Rapid Reset attack that came to light in October 2023.
“A single machine (and in some cases, a simple TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation,” the researcher said. “Surprisingly, requests that constitute an attack are not visible in HTTP access logs.”
The vulnerability, in its essence, has to do with incorrect handling of HEADERS and multiple CONTINUATION frames paving the way for a DoS condition.
In other words, an attacker can open a new HTTP/2 stream against a target server running a vulnerable implementation and send HEADERS and CONTINUATION frames with no END_HEADERS flag set, creating an endless stream of header block fragments that the HTTP/2 server would need to parse and store in memory.
While the exact result varies by implementation, the impacts range from an instant crash after only a handful of HTTP/2 frames, to an out-of-memory crash, to CPU exhaustion, in every case affecting server availability.
“RFC9113 […] mentions multiple security issues that could arise if CONTINUATION frames are not handled properly,” Nowotarski said.
“At the same time, there is no mention of a specific case where CONTINUATION frames are sent without the trailing END_HEADERS flag, which may impact affected servers.”
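As an added illustration of the defensive check the affected projects had to introduce (this is example code written for this article, not taken from any of the listed projects), the following Python snippet parses HTTP/2 frames and accumulates a header block across HEADERS and CONTINUATION frames, rejecting the block as soon as an assumed byte cap or frame-count cap is exceeded before END_HEADERS arrives. Frame type and flag values are from RFC 7540; the two caps and the PADDED/PRIORITY-free HEADERS payload are assumptions.

```python
# Frame types and flags as defined in RFC 7540, section 6.
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4

# Assumed defensive caps; a real server would tune these. The point is that
# both are enforced *while* fragments arrive, not after END_HEADERS.
MAX_HEADER_BLOCK_BYTES = 16 * 1024
MAX_CONTINUATION_FRAMES = 8


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each 9-byte-header frame."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def collect_header_block(data):
    """Accumulate one header block; return ('ok', block) or ('reject', reason).

    Assumes the HEADERS frame carries no PADDED/PRIORITY fields, so its whole
    payload is header block fragment. Caps are checked before each fragment is
    buffered, so an unterminated stream of CONTINUATION frames is cut off early
    instead of growing memory or CPU use without bound."""
    block = bytearray()
    stream = None
    continuations = 0
    for ftype, flags, sid, payload in parse_frames(data):
        if stream is None:
            if ftype != HEADERS:
                return "reject", "header block must start with HEADERS"
            stream = sid
        elif ftype != CONTINUATION or sid != stream:
            return "reject", "interleaved frame inside header block"
        else:
            continuations += 1
            if continuations > MAX_CONTINUATION_FRAMES:
                return "reject", "too many CONTINUATION frames"
        block += payload
        if len(block) > MAX_HEADER_BLOCK_BYTES:
            return "reject", "header block exceeds size cap"
        if flags & END_HEADERS:
            return "ok", bytes(block)
    return "reject", "header block never terminated (no END_HEADERS)"


def frame(ftype, flags, stream_id, payload):
    """Serialise one frame (used only to build constructed test input)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)
```

A production implementation would additionally send GOAWAY or RST_STREAM on rejection and decode the block with HPACK only after END_HEADERS has been seen within the caps.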
The issue affects several projects, including amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), the Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Go (CVE-2023-45288), the h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).
Users are advised to update affected software to the latest version to mitigate potential threats. In the absence of a solution, we recommend that you consider temporarily disabling HTTP/2 on your server.