Attacker can exploit excessive header data to overwhelm HTTP/2 endpoint
CVE-2023-45288
Key Information:
- Vendor: Go Standard Library
- CVE Published: 4 April 2024
What is CVE-2023-45288?
CVE-2023-45288 is a significant vulnerability affecting the Go Standard Library's HTTP/2 implementation. This library is a foundational component for network communication in a wide range of applications. The vulnerability lies in how excessive header data is processed, allowing attackers to overwhelm HTTP/2 endpoints. If left unaddressed, it can cause service disruption and performance degradation for organizations that rely on Go-based applications, particularly those handling large volumes of HTTP/2 requests.
Technical Details
The vulnerability arises from an attacker's ability to send a large number of CONTINUATION frames to an HTTP/2 endpoint. When a request's headers exceed the configured limit, MaxHeaderBytes, the endpoint allocates no memory for the excess, but it still parses all of the incoming header data. As a result, the endpoint can be made to read and decode arbitrary amounts of header data on behalf of a request that will ultimately be rejected anyway. The issue is particularly concerning because the headers can be Huffman-encoded, which costs the receiver far more to decode than it costs the sender to produce.
Impact of the Vulnerability
- Denial of Service (DoS): The vulnerability can facilitate denial of service attacks, whereby attackers exhaust server resources, overwhelming the HTTP/2 endpoint and potentially causing crashes or severe performance issues.
- Resource Exhaustion: By forcing the server to process excessive header data, this vulnerability can lead to high CPU and memory usage, affecting the performance of not only the targeted application but also potentially impacting other services running on the same infrastructure.
- Increased Attack Surface: With the ability to manipulate HTTP/2 headers, this vulnerability may be leveraged as part of a broader attack strategy, potentially leading to further exploitations, including data exfiltration or compromise of sensitive information.
Affected Version(s)
- golang.org/x/net/http2: from 0 up to (but not including) 0.23.0
- net/http: from 0 up to (but not including) 1.21.9
- net/http: from 1.22.0-0 up to (but not including) 1.22.2
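A defender's first question after reading the Technical Details and the Affected Version(s) table is whether a given build is in a vulnerable range. The program below is an added example, not code from the advisory or from the Go project: it encodes the three ranges exactly as the table above lists them and checks version strings against them. The version parser, the `IsAffected` function and the sample inputs in `main` are all constructed for this illustration; the parser understands plain `x.y.z` versions with an optional `-pre` tag (the `1.22.0-0` form) and tolerates `go`/`v` prefixes, but not release-candidate forms such as `1.22rc1`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed x.y.z version with an optional pre-release tag.
// Go uses "1.22.0-0" to mark the very start of the 1.22 release series.
type version struct {
	parts [3]int
	pre   string
}

// parseVersion accepts "1.21.8", "go1.21.8", "v0.22.0" or "1.22.0-0".
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	base, pre, _ := strings.Cut(s, "-")
	v.pre = pre
	fields := strings.Split(base, ".")
	if len(fields) > 3 {
		return v, fmt.Errorf("too many components in %q", s)
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return v, fmt.Errorf("bad version %q: %w", s, err)
		}
		v.parts[i] = n
	}
	return v, nil
}

// compare returns -1, 0 or 1. As in semver, a version carrying a
// pre-release tag sorts before the same version without one.
func (a version) compare(b version) int {
	for i := 0; i < 3; i++ {
		if a.parts[i] != b.parts[i] {
			if a.parts[i] < b.parts[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// affectedRange is one row of the advisory's table: lo <= v < hi is vulnerable.
type affectedRange struct {
	module string
	lo, hi string
}

// affectedRanges reproduces the Affected Version(s) table for CVE-2023-45288.
var affectedRanges = []affectedRange{
	{"golang.org/x/net/http2", "0", "0.23.0"},
	{"net/http", "0", "1.21.9"},
	{"net/http", "1.22.0-0", "1.22.2"},
}

// IsAffected reports whether module at version ver falls inside any
// vulnerable range. An unparseable version yields an error, never a
// silent "not affected".
func IsAffected(module, ver string) (bool, error) {
	v, err := parseVersion(ver)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if r.module != module {
			continue
		}
		lo, _ := parseVersion(r.lo) // table values are known-good literals
		hi, _ := parseVersion(r.hi)
		if v.compare(lo) >= 0 && v.compare(hi) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inventory, not real deployment data.
	inventory := []struct{ module, ver string }{
		{"net/http", "go1.21.8"},
		{"net/http", "go1.22.1"},
		{"net/http", "go1.22.2"},
		{"golang.org/x/net/http2", "v0.22.0"},
		{"golang.org/x/net/http2", "v0.23.0"},
	}
	for _, item := range inventory {
		hit, err := IsAffected(item.module, item.ver)
		if err != nil {
			fmt.Printf("%-24s %-10s error: %v\n", item.module, item.ver, err)
			continue
		}
		fmt.Printf("%-24s %-10s affected=%v\n", item.module, item.ver, hit)
	}
}
```

The boundary cases matter most: 1.22.0 is inside the third range because its lower bound 1.22.0-0 sorts before the tagless 1.22.0, while 1.21.9, 1.22.2 and x/net 0.23.0 are the first fixed releases and fall outside. Feed the checker the output of `go version -m` on your binaries rather than guessing from source trees, since a statically linked binary carries its own copy of net/http and any vendored x/net.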
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
EPSS Score
66% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡 Public PoC available
- 👾 Exploit known to exist
- 📈 Vulnerability started trending
- Vulnerability published