CGA-grww-v9jg-rhw2
Denial of Service vulnerability in stdlib (Go)
What is CGA-grww-v9jg-rhw2 About?
This vulnerability allows an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data. It can lead to resource exhaustion or processing overhead, resulting in a Denial of Service. The exploit leverages HTTP/2 specific frames and is moderately complex to craft.
Affected Software
- stdlib
  - <1.21.9
- golang.org/x/net
  - <0.23.0
- net/http
  - <1.21.9
  - >1.22.0-0, <1.22.2
- golang.org/x/net/http2
  - <0.23.0
Technical Details
The vulnerability stems from the HTTP/2 protocol's handling of HEADERS and CONTINUATION frames, specifically in how HPACK state is maintained and parsed. An attacker sends an excessive number of CONTINUATION frames. Even when a request's headers exceed MaxHeaderBytes, the system still parses the excess headers, although no memory is allocated for storage. This allows attackers to force the server to parse an arbitrary amount of data, including Huffman-encoded data, which is computationally expensive for the server to decode compared to the effort for the attacker to send. The attack vector involves sending specially crafted HTTP/2 requests with numerous CONTINUATION frames.
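As an added example (not code from the Go project or from this advisory), the following defender-side check walks a captured HTTP/2 frame stream and reports any header block whose HEADERS and CONTINUATION payload bytes pass a budget. The `Finding` type, `ScanHeaderBlocks`, the 6-byte budget and the `sample` bytes are constructed for illustration; the check counts frame payload bytes and does not decode HPACK.

```go
package main

import "fmt"

type Finding struct{ StreamID, Continuations, BlockBytes int } // one over-budget header block

// ScanHeaderBlocks walks raw HTTP/2 frames (RFC 9113 9-byte frame header, client preface
// removed) and flags a block once it passes budget bytes, END_HEADERS or not.
func ScanHeaderBlocks(raw []byte, budget int) (out []*Finding) {
	var cur *Finding
	for len(raw) >= 9 {
		length := int(raw[0])<<16 | int(raw[1])<<8 | int(raw[2])
		typ, flags := raw[3], raw[4]
		stream := int(raw[5]&0x7f)<<24 | int(raw[6])<<16 | int(raw[7])<<8 | int(raw[8])
		if len(raw) < 9+length {
			break // truncated capture
		}
		raw = raw[9+length:]
		switch {
		case typ == 0x1: // HEADERS opens a header block
			cur = &Finding{StreamID: stream}
		case typ == 0x9 && cur != nil && cur.StreamID == stream: // CONTINUATION
			cur.Continuations++
		default:
			cur = nil
			continue
		}
		cur.BlockBytes += length
		if cur.BlockBytes > budget && cur.BlockBytes-length <= budget {
			out = append(out, cur) // reported once; counters keep updating
		}
		if flags&0x4 != 0 { // END_HEADERS closes the block
			cur = nil
		}
	}
	return out
}

// sample is a constructed capture with zero-filled payloads (not valid HPACK).
var sample = []byte{
	0, 0, 2, 0x1, 0x4, 0, 0, 0, 1, 0, 0, // stream 1: HEADERS + END_HEADERS
	0, 0, 4, 0x1, 0x0, 0, 0, 0, 3, 0, 0, 0, 0, // stream 3: HEADERS, block left open
	0, 0, 4, 0x9, 0x0, 0, 0, 0, 3, 0, 0, 0, 0, // stream 3: CONTINUATION
	0, 0, 4, 0x9, 0x0, 0, 0, 0, 3, 0, 0, 0, 0, // stream 3: CONTINUATION
}

func main() {
	fmt.Println(*ScanHeaderBlocks(sample, 6)[0]) // 6-byte budget suits the tiny sample
}
```

On real captures the budget would be set relative to the server's configured header limit rather than the toy value used here.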
What is the Impact of CGA-grww-v9jg-rhw2?
Successful exploitation may allow attackers to consume excessive CPU resources, degrade server performance, and cause a Denial of Service for legitimate users.
What is the Exploitability of CGA-grww-v9jg-rhw2?
Exploitation involves sending carefully constructed HTTP/2 requests with an excessive number of CONTINUATION frames. This requires a moderate understanding of HTTP/2 protocol specifics. No authentication is required, as the attack targets the parsing of initial request headers. No specific privileges are needed, and the attack is remote. The main constraint is the ability to send raw HTTP/2 frames. The risk is increased if the endpoint is publicly exposed and handles a large volume of HTTP/2 traffic.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| hex0punk | Link | PoC for CVE-2023-45288, continuation flood vulnerability |
What are the Available Fixes for CGA-grww-v9jg-rhw2?
Available Upgrade Options
- golang.org/x/net
  - <0.23.0 → Upgrade to 0.23.0
- net/http
  - <1.21.9 → Upgrade to 1.21.9
  - >1.22.0-0, <1.22.2 → Upgrade to 1.22.2
- stdlib
  - <1.21.9 → Upgrade to 1.21.9
- golang.org/x/net/http2
  - <0.23.0 → Upgrade to 0.23.0
Additional Resources
- https://nowotarski.info/http2-continuation-flood-technical-details
- http://www.openwall.com/lists/oss-security/2024/04/03/16
- http://www.openwall.com/lists/oss-security/2024/04/05/4
- https://pkg.go.dev/vuln/GO-2024-2687
- https://security.netapp.com/advisory/ntap-20240419-0009
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT
- https://go.dev/issue/65051
- https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
- https://go.dev/cl/576155
- https://nvd.nist.gov/vuln/detail/CVE-2023-45288
What are Similar Vulnerabilities to CGA-grww-v9jg-rhw2?
Similar Vulnerabilities: CVE-2020-1934, CVE-2016-1000109, CVE-2021-33190, CVE-2021-21356, CVE-2020-13935
