CVE-2023-32732
Denial-of-Service vulnerability in Grpc.Core (NuGet)

Denial-of-Service No known exploit

What is CVE-2023-32732 About?

This Denial-of-Service vulnerability in gRPC allows a client to disconnect the connection between an HTTP2 proxy and a gRPC server. It exploits a base64 encoding error in `-bin` suffixed headers, which HTTP2 proxies typically tolerate but gRPC servers do not. This can lead to service disruption and is relatively easy for a client to trigger.

Affected Software

  • Grpc.Core
    • <2.52.0
  • io.grpc:grpc-protobuf
    • <1.53.0
  • grpcio
    • <1.53.0
  • grpc
    • <1.53.0

Technical Details

The vulnerability arises from a discrepancy in how HTTP2 proxies and gRPC servers handle base64 encoding errors in headers suffixed with `-bin`. When a gRPC client sends a `-bin` suffixed header whose value is not valid base64, HTTP2 proxies commonly tolerate the error and forward the request. The gRPC server's implementation, however, strictly enforces correct base64 decoding for these headers, and on a decoding error it terminates the connection rather than failing the individual request. This disparity allows a malicious client to deliberately send malformed `-bin` suffixed headers that pass through the proxy but cause the gRPC server to drop the connection, creating a denial-of-service condition for that connection.
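The mitigating control that follows from this description is to validate `-bin` values before they reach a transport that reacts to a decode error by dropping the connection, and to fail only the offending request. The block below is an added example written for this page, not code from the gRPC project. It models request headers as `(name, value)` byte pairs (an assumption about how a proxy filter or server-side interceptor exposes them) and applies the gRPC HTTP/2 rule that `-bin` values are RFC 4648 section 4 base64 with optional padding; the sample requests are constructed. Upgrading to the fixed versions remains the actual fix.

```python
"""Validate gRPC binary (-bin) metadata before it reaches the transport layer.

Added example for this advisory, not gRPC project code. Headers are modelled as
(name, value) byte pairs (assumed representation). Rule applied: -bin values are
standard base64 (RFC 4648 section 4); padding may be omitted but must otherwise
be consistent.
"""
import base64
import binascii
import re
from typing import Iterable, List, Tuple

# Standard alphabet only; the URL-safe '-' and '_' are not valid in -bin values.
_B64_BODY = re.compile(rb"[A-Za-z0-9+/]*")


def decode_bin_metadata(value: bytes) -> bytes:
    """Decode one -bin header value. Raises ValueError on any defect instead of
    letting a lenient decoder pass malformed input through."""
    body = value.rstrip(b"=")
    padding = len(value) - len(body)
    if not _B64_BODY.fullmatch(body):
        raise ValueError("character outside the base64 alphabet")
    if len(body) % 4 == 1:
        raise ValueError("base64 body length is congruent to 1 mod 4")
    needed = (-len(body)) % 4
    # Omitting padding entirely is allowed; partial or excess padding is not.
    if padding not in (0, needed):
        raise ValueError(f"expected 0 or {needed} '=' characters, got {padding}")
    try:
        return base64.b64decode(body + b"=" * needed, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 decode failed: {exc}") from exc


def is_valid_bin_metadata(value: bytes) -> bool:
    """Boolean form of decode_bin_metadata for policy checks."""
    try:
        decode_bin_metadata(value)
        return True
    except ValueError:
        return False


def find_malformed_bin_headers(
    headers: Iterable[Tuple[bytes, bytes]]
) -> List[Tuple[bytes, str]]:
    """Return (name, reason) for every -bin header that would fail decoding.
    Headers without the -bin suffix carry ASCII values and are not checked."""
    problems = []
    for name, value in headers:
        if name.lower().endswith(b"-bin"):
            try:
                decode_bin_metadata(value)
            except ValueError as exc:
                problems.append((name, str(exc)))
    return problems


def gateway_decision(
    headers: Iterable[Tuple[bytes, bytes]]
) -> Tuple[str, List[Tuple[bytes, str]]]:
    """Policy for a proxy filter or server interceptor: reject only the offending
    request (HTTP 400 / gRPC INVALID_ARGUMENT) instead of forwarding it to a
    server whose transport may tear down the whole connection."""
    problems = find_malformed_bin_headers(headers)
    return ("reject" if problems else "forward"), problems


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = [
    (b"content-type", b"application/grpc"),
    (b"grpc-trace-bin", b"AAECAw=="),  # padded encoding of bytes 00 01 02 03
    (b"x-tenant-bin", b"AAEC"),        # un-padded encoding of bytes 00 01 02, also valid
]
BAD_REQUEST = [
    (b"content-type", b"application/grpc"),
    (b"x-tenant-bin", b"AA=C"),        # '=' inside the body: malformed
    (b"x-note", b"@@ plain ASCII header, not base64, so not checked"),
]

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        decision, problems = gateway_decision(req)
        print(f"{label}: {decision} {problems}")
```

The check is deliberately stricter than a permissive decoder: it rejects stray padding and off-by-one lengths that some base64 libraries silently accept, so the request that would have disturbed the server is answered at the edge with a per-request error and the connection stays up for everyone else.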

What is the Impact of CVE-2023-32732?

Successful exploitation may allow attackers to cause a denial-of-service condition by disrupting connections between HTTP2 proxies and gRPC servers, leading to communication failures and service unavailability for affected clients.

What is the Exploitability of CVE-2023-32732?

Exploitation of this vulnerability is of low complexity and requires only a gRPC client. No authentication or privilege is required, because the malicious header is sent as part of an otherwise ordinary client request. This is a remote scenario: a client sends a crafted request to the vulnerable gRPC endpoint, potentially through an HTTP2 proxy. The only special condition is that the malformed base64 value be carried in a `-bin` suffixed header. Exploitation is most likely in any environment where untrusted clients can reach a gRPC service through an HTTP2 proxy, since the proxy typically lets the malformed header through and leaves the gRPC server exposed to disconnection.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-32732?

Available Upgrade Options

  • io.grpc:grpc-protobuf
    • <1.53.0 → Upgrade to 1.53.0
  • grpc
    • <1.53.0 → Upgrade to 1.53.0
  • Grpc.Core
    • <2.52.0 → Upgrade to 2.52.0
  • grpcio
    • <1.53.0 → Upgrade to 1.53.0


Additional Resources

What are Similar Vulnerabilities to CVE-2023-32732?

Similar Vulnerabilities: CVE-2023-32731, CVE-2022-29244, CVE-2021-39130, CVE-2020-13693, CVE-2019-14540