Newly Discovered HTTP/2 Vulnerabilities Enable "CONTINUATION Flood" Denial of Service Attacks

Researchers have uncovered critical vulnerabilities in the HTTP/2 protocol, dubbed "CONTINUATION Flood," that can be exploited to launch denial of service (DoS) attacks and crash web servers using a single TCP connection in certain implementations.

HTTP/2, standardised in 2015 as RFC 7540, aimed to improve web performance by introducing binary framing, multiplexing of concurrent requests and responses over a single connection, and HPACK header compression to reduce overhead.

The vulnerabilities were identified by researcher Bartek Nowotarski and concern how various implementations handle HTTP/2 CONTINUATION frames. A header block (request or response headers, or trailers) that does not fit into a single HEADERS frame is carried across one or more CONTINUATION frames on the same stream; the receiver buffers the fragments and treats the block as complete only when a frame arrives with the END_HEADERS flag set.

Certain implementations do not bound how many CONTINUATION frames, or how many header-block bytes, they will accept before END_HEADERS, so an attacker can keep sending CONTINUATION frames on a single stream without ever setting the flag. Depending on the implementation the result is an out-of-memory crash, because the fragments are buffered indefinitely, or CPU exhaustion, because every fragment is parsed even though the request can never complete.

According to Nowotarski, some vulnerable implementations can be taken down over a single HTTP/2 TCP connection, either because the partial header block leaks memory or because header consumption is unbounded.
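To make the mechanism concrete, here is an added example in Python; it is not code from the original article or from any of the affected projects. It encodes HTTP/2 frames, builds a constructed header block whose END_HEADERS flag never arrives, and feeds it to a header-block assembler that either buffers without bound, the way the vulnerable implementations did, or stops at a byte budget. The fragments are opaque placeholder bytes standing in for HPACK data, the 16 KiB budget is an illustrative value, and the function names are this example's own.

```python
import struct

# Frame types and flags from RFC 7540 (only the ones this example needs).
HEADERS = 0x1
CONTINUATION = 0x9
END_HEADERS = 0x4


def encode_frame(ftype, flags, stream_id, payload):
    """24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id, payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a 24-bit length field")
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    header += struct.pack(">I", stream_id & 0x7FFFFFFF)
    return header + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    off = 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def build_header_block(stream_id, fragments, end_headers):
    """Constructed input: HEADERS followed by CONTINUATION frames for the remaining
    fragments. END_HEADERS goes on the last frame only if end_headers is True;
    with end_headers=False the block never completes, which is the shape of a
    CONTINUATION flood. PADDED/PRIORITY are not modelled."""
    last = len(fragments) - 1
    out = encode_frame(HEADERS, END_HEADERS if (last == 0 and end_headers) else 0,
                       stream_id, fragments[0])
    for i, frag in enumerate(fragments[1:], start=1):
        flags = END_HEADERS if (i == last and end_headers) else 0
        out += encode_frame(CONTINUATION, flags, stream_id, frag)
    return out


class HeaderBlockError(Exception):
    """Raised where a real server would send a connection or stream error."""


def assemble_header_blocks(data, max_header_block_bytes=None):
    """Reassemble header blocks. With max_header_block_bytes=None this mirrors the
    vulnerable behaviour: fragments are buffered until END_HEADERS, however many
    there are. With a limit, the block is rejected as soon as the buffered bytes
    exceed it. Returns (completed_blocks, bytes_still_buffered_per_stream)."""
    pending = {}    # stream id -> bytearray; RFC 7540 allows at most one open block
    completed = []
    for ftype, flags, stream_id, payload in iter_frames(data):
        if ftype == HEADERS:
            if pending:
                raise HeaderBlockError("PROTOCOL_ERROR: HEADERS while a header block is open")
            pending[stream_id] = bytearray(payload)
        elif ftype == CONTINUATION:
            if stream_id not in pending:
                raise HeaderBlockError("PROTOCOL_ERROR: CONTINUATION without a preceding HEADERS")
            pending[stream_id] += payload
        else:
            if pending:
                raise HeaderBlockError("PROTOCOL_ERROR: other frame inside a header block")
            continue
        buffered = pending[stream_id]
        if max_header_block_bytes is not None and len(buffered) > max_header_block_bytes:
            raise HeaderBlockError(
                f"ENHANCE_YOUR_CALM: header block on stream {stream_id} "
                f"exceeds {max_header_block_bytes} bytes")
        if flags & END_HEADERS:
            completed.append((stream_id, bytes(buffered)))
            del pending[stream_id]
    return completed, {s: len(b) for s, b in pending.items()}


def flood_is_rejected(data, max_header_block_bytes):
    """True if the bounded assembler refuses the stream instead of buffering it."""
    try:
        assemble_header_blocks(data, max_header_block_bytes)
    except HeaderBlockError:
        return True
    return False


if __name__ == "__main__":
    # Constructed flood: 100 fragments of 1 KiB on stream 1, END_HEADERS never set.
    flood = build_header_block(1, [b"\x00" * 1024] * 100, end_headers=False)
    done, buffered = assemble_header_blocks(flood)    # unbounded: holds all of it
    print(f"unbounded: {len(done)} blocks completed, {buffered} bytes held in memory")
    print("bounded (16 KiB):", "rejected" if flood_is_rejected(flood, 16384) else "accepted")
```

Two points for anyone hardening a real implementation. The budget should be tied to what the server advertises in SETTINGS_MAX_HEADER_LIST_SIZE and enforced on the raw bytes before they reach the HPACK decoder. And the rejection has to be a connection-level error (GOAWAY), as the example does by aborting the assembler: an endpoint cannot simply skip decoding an over-long block and carry on, because the HPACK dynamic table would fall out of sync with the peer, which is exactly why some affected implementations kept parsing fragments they had already decided to discard and burned CPU doing so.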

The CERT Coordination Center (CERT/CC) has published a vulnerability note (VU#421644) listing the CVE IDs assigned to the affected HTTP/2 implementations. Depending on the implementation, the effect is a memory leak, excessive memory consumption, or CPU exhaustion, each of which can result in a denial of service condition.

Notable CVEs highlighted include:

  • CVE-2024-27983 affecting the Node.js HTTP/2 server, leading to a memory leak.
  • CVE-2024-27919 affecting Envoy's oghttp codec, causing unlimited memory consumption.
  • CVE-2024-2758 affecting Tempesta FW, whose rate limits do not stop the attack.
  • CVE-2024-2653 affecting amphp/http, which collects CONTINUATION frames in an unbounded buffer and crashes.
  • CVE-2023-45288 affecting Go's net/http and golang.org/x/net/http2 packages, resulting in excessive CPU consumption.
  • CVE-2024-28182 affecting the nghttp2 library, which keeps receiving CONTINUATION frames without invoking the callback that would reset the stream.
  • CVE-2024-27316 affecting Apache httpd, which buffers incoming headers beyond the configured limit in order to generate an informative HTTP 413 response.
  • CVE-2024-31309 affecting Apache Traffic Server, causing excessive resource consumption.

The impact is broad: vendors and projects confirmed as affected include Red Hat, SUSE Linux, Arista Networks, the Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go programming language.

Nowotarski considers the issue more severe than previous HTTP/2 attacks such as Rapid Reset (CVE-2023-44487), because it needs no botnet: a single machine, and for some implementations a single TCP connection or a handful of frames, is enough. He also warned that the attacks are hard to diagnose: because the header block never completes, the request never reaches the application and does not appear in access logs, so an administrator without packet-level HTTP/2 visibility sees only a crashed or unresponsive server.

Given how much web traffic is carried over HTTP/2, Nowotarski urged that affected servers and libraries be updated promptly, before threat actors begin using these vulnerabilities in DDoS attacks.