Mastodawn

The DefendOps Diaries Apr 23, 2025

A critical flaw in server management software now lets hackers bypass key security measures – could this vulnerability leave your servers wide open to attack? Find out how a new discovery is shaking up cybersecurity.

https://thedefendopsdiaries.com/understanding-and-mitigating-cve-2024-54085-a-critical-bmc-vulnerability/

#cve202454085
#bmcsecurity
#servervulnerability
#authenticationbypass
#cybersecurity

🛡 [email protected]/:~#

Apr 5, 2024

HTTP/2 CONTINUATION Flood Vulnerability Analysis

Date: April 3, 2024
CVE: N/A
Vulnerability Type: CWE-400 (Resource Exhaustion)
CWE: [[CWE-400]]
Sources: nowotarski.info

Issue Summary

The CONTINUATION Flood vulnerability exploits a flaw in [[HTTP2 protocol]] implementations, causing server resource exhaustion. Identified by Bartek Nowotarski, it demonstrates a significant threat as it allows attackers to disrupt server availability with minimal resources. Unlike traditional attacks, this method is not visible in HTTP access logs, complicating detection and mitigation efforts.

Technical Key findings

Attackers initiate an infinite stream of CONTINUATION frames without the END_HEADERS flag, leading servers to allocate excessive resources for processing, resulting in CPU exhaustion or memory depletion. This vulnerability has been observed across various HTTP/2 implementations, including major servers like [[Apache]] and [[Node.js]]. The flaw's severity is amplified by its low detection rate, as affected requests do not appear in access logs.

Vulnerable products

Affected projects and products include [[Apache httpd]], [[Envoy]], and various HTTP/2 libraries, particularly in languages like [[Golang]], [[Ruby]], and [[Node.js]]. The vulnerability spans across implementations, affecting a broad range of servers utilizing HTTP/2.

Impact assessment

The CONTINUATION Flood vulnerability can severely impact server performance and availability. In extreme cases, it can crash servers or lead to a complete denial of service with minimal attacker effort. Its undetectability in standard logging mechanisms further complicates mitigation, potentially allowing attackers to exploit this vulnerability without immediate detection.

Patches or workaround

As of the reporting date, specific patches or workarounds were not mentioned. However, standard mitigation strategies for similar vulnerabilities include updating affected software, limiting frame sizes, and employing timeouts for incomplete header frame sequences.

Tags

#HTTP/2, #DoS, #ResourceExhaustion, #ServerVulnerability, #SecurityPatch

HTTP/2 `CONTINUATION` Flood: Technical Details

Preface In October 2023 I learnt about HTTP/2 Rapid Reset attack, dubbed “the largest DDoS attack to date”. I didn’t have deep knowledge of HTTP/2 back then. I knew it’s basics like frames or HPACK but I was focusing more on HTTP/1.1 protocol and programming languages vulnerabilities. I decided to dedicate time to exploring HTTP/2 from a security analysis perspective after concluding my then-current research. A quick intro to HTTP/2 The main difference between HTTP/1.