CVE-2023-45802: Understanding the HTTP/2 Stream Reset Memory Exhaustion Vulnerability

CVE-2023-45802 is a vulnerability in the HTTP/2 implementation of Apache HTTP Server (mod_http2). A client can make the server retain per-request memory until the connection closes, which can lead to memory exhaustion and denial of service (DoS). Developers and system administrators running HTTP/2-enabled servers should be aware of the issue and update accordingly. This article explains the vulnerability, shows the frame sequence that triggers it, lists the original references, and describes the exploit conditions and the fix.

Details

CVE-2023-45802 was identified when a researcher was testing CVE-2023-44487 (the HTTP/2 Rapid Reset exploit) with their own test client. They found that when an HTTP/2 stream was reset by the client (an RST_STREAM frame), there was a window during which the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred until the connection was closed.

This means that a malicious client can send a steady sequence of new requests followed by resets, keeping the connection busy and open so that the server's memory footprint grows with every reset stream. All resources are reclaimed when the connection closes or times out, but the server process may run out of memory before that happens.

During normal HTTP/2 use the bug is rarely hit: the retained memory does not become noticeable before the connection closes or times out. The condition becomes dangerous only when a client deliberately repeats the request/reset pattern many times over a single long-lived connection, which is exactly what a DoS client does. It therefore still needs to be fixed.

Imagine an HTTP/2 client sending the following sequence over one connection, repeated on a fresh stream ID each time:

-> HEADERS (New request on stream N)
<- (Server starts processing the request)
-> RST_STREAM (Client resets stream N)

Each iteration leaves one request's resources allocated until the connection is closed, so the retained memory grows with the number of reset streams rather than with the number of streams currently open, and can eventually exhaust the process.
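The sequence above, as an added example that is not code from the original article or from the Apache httpd project: a minimal encoder/decoder for the HTTP/2 HEADERS and RST_STREAM frame layout from the specification, and a toy model of a server's per-connection stream table that contrasts the vulnerable bookkeeping (resources held until connection close) with the fixed bookkeeping (resources released on RST_STREAM). The per-request cost of 4096 bytes, the class and function names and the generated traffic are constructed for illustration and say nothing about mod_http2's real allocation sizes.

```python
import struct

# Frame type codes, the END_HEADERS flag and the CANCEL error code from the
# HTTP/2 specification.
HEADERS = 0x1
RST_STREAM = 0x3
END_HEADERS = 0x4
CANCEL = 0x8


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags,
    1 reserved bit + 31-bit stream identifier, then the payload."""
    if not 0 < stream_id < 2**31:
        raise ValueError("stream ids are in 1..2^31-1")
    if len(payload) >= 2**24:
        raise ValueError("payload exceeds the 24-bit length field")
    header = (struct.pack("!I", len(payload))[1:]
              + bytes([ftype, flags])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + payload


def rst_stream_frame(stream_id: int, error_code: int = CANCEL) -> bytes:
    """RST_STREAM carries a single 32-bit error code."""
    return build_frame(RST_STREAM, 0, stream_id, struct.pack("!I", error_code))


def headers_frame(stream_id: int, header_block: bytes) -> bytes:
    """HEADERS with END_HEADERS set; header_block is an HPACK-encoded block."""
    return build_frame(HEADERS, END_HEADERS, stream_id, header_block)


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) tuples from a byte stream."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length
    if off != len(data):
        raise ValueError("trailing bytes after last frame")


class SessionModel:
    """Constructed model of a server's per-connection stream table.

    reclaim_on_reset=False models the vulnerable behaviour: a reset stream's
    request state stays allocated until close(). reclaim_on_reset=True
    models the fix: the state is released as soon as RST_STREAM arrives."""

    PER_REQUEST_BYTES = 4096  # assumed cost of one request's state

    def __init__(self, reclaim_on_reset: bool):
        self.reclaim_on_reset = reclaim_on_reset
        self.active = {}    # stream_id -> bytes held by an open stream
        self.deferred = {}  # reset streams whose memory is still held
        self.peak = 0

    @property
    def retained(self) -> int:
        return sum(self.active.values()) + sum(self.deferred.values())

    def on_frame(self, ftype, flags, stream_id, payload):
        if ftype == HEADERS:
            self.active[stream_id] = self.PER_REQUEST_BYTES
        elif ftype == RST_STREAM and stream_id in self.active:
            held = self.active.pop(stream_id)
            if not self.reclaim_on_reset:
                self.deferred[stream_id] = held  # the bug: kept until close
        self.peak = max(self.peak, self.retained)

    def close(self):
        """Connection close reclaims everything in both variants."""
        self.active.clear()
        self.deferred.clear()


def attack_sequence(n_requests: int) -> bytes:
    """Constructed client traffic: HEADERS immediately followed by RST_STREAM
    on successive odd (client-initiated) stream ids, as in the article."""
    out = bytearray()
    for i in range(n_requests):
        sid = 2 * i + 1
        # HPACK static-table indexes 2 (:method GET) and 4 (:path /).
        out += headers_frame(sid, b"\x82\x84")
        out += rst_stream_frame(sid)
    return bytes(out)


def peak_retained(n_requests: int, reclaim_on_reset: bool) -> int:
    """Peak bytes the model holds while the connection stays open."""
    model = SessionModel(reclaim_on_reset)
    for frame in parse_frames(attack_sequence(n_requests)):
        model.on_frame(*frame)
    return model.peak


if __name__ == "__main__":
    for n in (10, 1000, 100_000):
        print(n, "requests: vulnerable peak =", peak_retained(n, False),
              "bytes, fixed peak =", peak_retained(n, True), "bytes")
```

With deferred reclamation the peak grows linearly with the number of reset streams, while the fixed variant never holds more than the one stream that is open at any moment; the attacker never needs more than one connection, and the server's per-connection stream limit does not help because each reset stream is already closed from the protocol's point of view.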

References

- CVE-2023-44487: HTTP/2 Rapid Reset Exploit
- HTTP/2 Specification: Stream Reset (RST_STREAM frame)

Exploit Details

An attacker with ordinary client access can exploit this vulnerability by opening an HTTP/2 connection, repeatedly sending a new request followed by a reset of that stream, and keeping the connection open so that the deferred resources accumulate in the server process. Unlike CVE-2023-44487, which burns CPU by making the server start work on streams that are immediately cancelled, this issue targets memory that is not released for the lifetime of the connection. The result is a denial of service (DoS) against the affected server.

Fix

To address this vulnerability, upgrade Apache HTTP Server to version 2.4.58, which contains the fix. The fix reclaims a request's memory resources as soon as the client resets the stream, so a request/reset loop no longer causes the connection's memory footprint to grow. After upgrading, confirm the running version with httpd -v (or apache2 -v on Debian-derived systems) and restart the server so the new binary is actually serving traffic.

Conclusion

CVE-2023-45802 is a vulnerability in Apache HTTP Server's HTTP/2 handling that can result in memory exhaustion and denial of service (DoS). While it is unlikely to be triggered during normal HTTP/2 use, a deliberate request/reset loop over one open connection is cheap for an attacker, so affected systems should be updated. Upgrading to version 2.4.58 removes the deferred reclamation and closes the issue.

Timeline

Published on: 10/23/2023 07:15:11 UTC
Last modified on: 11/07/2023 05:15:13 UTC