nghttp2 Temporarily Buffers Incoming Headers to Prevent Memory Exhaustion
CVE-2024-27316

7.5HIGH

Key Information:

Vendor

Apache
Status
Apache Http Server
Vendor
CVE Published:
4 April 2024

Badges

📈 Score: 182👾 Exploit Exists🟡 Public PoC🟣 EPSS 86%

What is CVE-2024-27316?

CVE-2024-27316 is a vulnerability identified in the nghttp2 library, used by various software applications for HTTP/2 communication. This library is maintained by Apache and facilitates efficient data transmission between servers and clients. The vulnerability arises from the library's handling of incoming HTTP/2 headers, where excessive headers can lead to a scenario of memory exhaustion. This situation can be detrimental for organizations as it may result in denial of service, impacting the availability of applications and systems reliant on the nghttp2 library.

Technical Details

The vulnerability occurs when the nghttp2 library buffers incoming HTTP/2 headers that exceed a predefined size limit. In attempting to generate a proper response to clients who send too many headers, nghttp2 temporarily allocates memory. If the client continues to send excessive headers without ceasing, it can lead to significant memory consumption, ultimately exhausting the available memory resources on the server hosting the application. This mishandling opens the door for potential denial of service attacks, where legitimate users may be unable to access services due to system unavailability.

Potential Impact of CVE-2024-27316

  1. Denial of Service (DoS): The primary concern is the potential for memory exhaustion, which can cause the affected server or application to become unresponsive. This impacts user access and can halt business-critical operations.

  2. Loss of Availability: With the server strained and unable to process legitimate requests, organizations may face downtime, affecting both internal operations and customer-facing services.

  3. Increased Operational Costs: Organizations may incur additional costs associated with incident response efforts, remediation, and potential loss of revenue due to service outages. Furthermore, prolonged vulnerabilities can lead to long-term damage to reputation and trust among clients and users.

Affected Version(s)

Apache HTTP Server 2.4.17 <= 2.4.58

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-27316
Created by lockness-Ko

References

https://httpd.apache.org/security/vulnerabilities_24.html
vendor-advisory
https://www.openwall.com/lists/oss-security/2024/04/03/16
http://www.openwall.com/lists/oss-security/2024/04/04/4

EPSS Score

86% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

Credit

Bartek Nowotarski (https://nowotarski.info/)
.
CVE-2024-27316 : nghttp2 Temporarily Buffers Incoming Headers to Prevent Memory Exhaustion