|nghttpd is a multi-threaded static web server. nghttpd only accepts HTTP/2 connections via NPN/ALPN or direct HTTP/2 connections. No HTTP upgrade is supported.HTTP2 Settings frame of HTTP2 protocol causes the attacker to make the server unavailable. The use of Node.js is rising and this vulnerability could result in denial of service in node.js which is considered to be a serious problem.|
|More Details :
|The overly large HTTP/2 SETTINGS frame payload causes a denial of service. This vulnerability is due to improper input neutralization in nghttp2. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.HTTP2 settings are header frames with minimal valid value is empty string otherwise a base64url payload encoded and that can be sent without any limit which helps the attacker to make a DOS attack.|
|Proof of Concept :
Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.