CVE-2024-2660
Denial of Service vulnerability in vault (Go)

Denial of Service No known exploit

What is CVE-2024-2660 About?

This vulnerability in Apache Thrift allows malicious RPC clients to trigger oversized memory allocations. This can lead to a denial of service, making the system unavailable to legitimate users. Exploitation is relatively easy as it involves sending specially crafted short messages.

Affected Software

github.com/hashicorp/vault <1.16.0

Technical Details

The vulnerability exists in Apache Thrift versions 0.9.3 to 0.13.0. Malicious RPC clients can craft and send short RPC messages that, when processed by the server, cause a disproportionately large memory allocation. This can occur due to improper handling of certain message structures or parameters that influence memory reservation without adequate validation of message size or content before allocation. The large memory allocation consumes system resources, leading to resource exhaustion and ultimately a denial of service, preventing the Thrift server from processing legitimate requests. The attack vector is the RPC communication channel itself, where an attacker sends crafted messages.
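The allocation pattern described above, as an added Go illustration that is not Vault's or Thrift's own code: a length-prefixed frame reader that trusts the declared size (the vulnerable shape) beside a hardened reader that caps the declared length before allocating and grows its buffer only as bytes actually arrive. MaxFrameSize, EvilFrame and both reader functions are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const MaxFrameSize = 16 << 20 // hypothetical 16 MiB cap; a real server takes it from config

var (
	ErrFrameTooLarge = errors.New("frame length exceeds configured maximum")
	// EvilFrame is a constructed sample: five bytes whose length prefix claims 4 GiB.
	EvilFrame = []byte{0xFF, 0xFF, 0xFF, 0xFF, 0x00}
)

// readFrameUnchecked is the vulnerable pattern: the big-endian length prefix sizes the allocation up front.
func readFrameUnchecked(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	buf := make([]byte, binary.BigEndian.Uint32(hdr[:])) // attacker-sized allocation
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// readFrameChecked caps the declared length before allocating and grows the buffer only as bytes arrive.
func readFrameChecked(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > MaxFrameSize {
		return nil, fmt.Errorf("%w: declared %d bytes", ErrFrameTooLarge, n)
	}
	var buf bytes.Buffer
	if _, err := io.CopyN(&buf, r, int64(n)); err != nil {
		return nil, err // declared length never arrived; memory used equals bytes received
	}
	return buf.Bytes(), nil
}

func main() {
	_, err := readFrameChecked(bytes.NewReader(EvilFrame))
	fmt.Println("checked reader:", err) // rejected before any payload buffer is allocated
}
```

With the checked reader, a client that declares a large frame but sends little costs the server only the bytes it actually transmitted, which also bounds the per-connection cost when many clients declare frames near the cap.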

What is the Impact of CVE-2024-2660?

Successful exploitation may allow attackers to disrupt service availability, cause system instability, and lead to resource exhaustion, effectively preventing legitimate users from accessing the application or service.

What is the Exploitability of CVE-2024-2660?

Exploitation of this vulnerability is considered low to medium complexity, requiring an attacker to send specially crafted RPC messages to the vulnerable server. There are no specific authentication or privilege requirements to trigger the vulnerability, as RPC clients typically interact with the service endpoint directly. This is a remote exploitation scenario. The primary risk factor that increases exploitation likelihood is the direct exposure of the Apache Thrift service to untrusted networks or clients, combined with insufficient input validation mechanisms within the RPC message processing logic.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no known exploits

What are the Available Fixes for CVE-2024-2660?

Available Upgrade Options

  • github.com/hashicorp/vault
    • <1.16.0 → Upgrade to 1.16.0

Additional Resources

What are Similar Vulnerabilities to CVE-2024-2660?

Similar Vulnerabilities: CVE-2021-39148, CVE-2022-26279, CVE-2023-38546, CVE-2021-35560, CVE-2021-29471