Deep Drill Down into Denial of Service in nghttp2, the HTTP/2 Library Bundled by Node.js

Overview:
nghttp2 is a C implementation of HTTP/2 (RFC 7540); nghttpd is the multi-threaded static web server shipped with it and is the target used in this write-up. nghttpd only accepts HTTP/2 connections negotiated via NPN/ALPN or direct (prior-knowledge) HTTP/2 connections; no HTTP Upgrade is supported. A crafted HTTP/2 SETTINGS frame lets an attacker make the server unavailable. Node.js bundles nghttp2 for its http2 module, so Node.js builds on an affected nghttp2 release are exposed in the same way, and with the use of Node.js rising this denial of service is a serious problem.
More Details:
An overly large HTTP/2 SETTINGS frame payload causes a denial of service. The root cause is improper input validation in nghttp2: it puts no bound on the number of settings entries it accepts and processes. In the proof-of-concept attack a malicious client sends, over and over again, a SETTINGS frame whose payload is 14,400 bytes (2,400 individual settings entries). The attack drives the server CPU to 100%. A SETTINGS frame (frame type 0x4, always sent on stream 0) is not a header frame: its payload is a sequence of 6-byte entries, a 16-bit identifier followed by a 32-bit value. RFC 7540 only requires that the payload length be a multiple of 6 and not exceed the receiver's SETTINGS_MAX_FRAME_SIZE (16,384 bytes by default, so up to 2,730 entries per frame); the same identifier may appear any number of times, unknown identifiers must be ignored, and the protocol puts no limit on how many SETTINGS frames a client may send. Nothing in the protocol therefore stops an attacker from packing thousands of entries into each frame and streaming such frames indefinitely. (The base64url-encoded form of the settings payload exists only in the HTTP2-Settings header field of the cleartext HTTP Upgrade handshake, which nghttpd does not support; it is not the vector here.)
Proof of Concept:
Steps to reproduce (how the attack was performed, step by step):
1. Selected Ubuntu 16.04 LTS (Xenial Xerus) as the operating system and installed the packages required to build the vulnerable server.

2. Built and ran a vulnerable nghttpd server (any nghttp2 release before 1.41.0).

3. h2load, the HTTP/2 benchmarking tool shipped with nghttp2, was used to drive the attack: a SETTINGS frame with an oversized 14,400-byte payload is sent over and over again until the nghttpd server stops responding.

Fig 1: h2load command used to launch the attack

4. Analyzed system CPU usage during the denial-of-service attack.

Fig 2: System statistics while being attacked

5. Connections from the Firefox browser on the host machine timed out while the attack was running.

Fig 3: Browser output during the attacking phase

The main difficulty during the test was choosing the right tool to execute the attack: curl and nghttp were tried first, and h2load finally made it possible to confirm the specified vulnerability. HTTP/2 is a comparatively new protocol; its implementations are still being studied and remain exposed to attacks of this kind.

Workaround:

Implement the nghttp2_on_frame_recv_callback callback; if the received frame is a SETTINGS frame (frame->hd.type == NGHTTP2_SETTINGS) and its number of settings entries (frame->settings.niv) is large (e.g., > 32), drop the connection by returning NGHTTP2_ERR_CALLBACK_FAILURE. Note that this callback runs after nghttp2 has already parsed the frame, so the workaround does not remove the per-frame cost; it limits the attacker to one oversized frame per connection instead of an unbounded stream of them.
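The frame layout described under More Details and the entry-count check from the workaround, worked through as an added example in Python (this is not code from the nghttp2 project, which implements the check in C inside its frame parser and the callback above). build_poc_frame() encodes the 2,400-entry frame from the proof of concept exactly as RFC 7540 lays it out, and check_settings_frame() applies the RFC's own validity rules plus the entry cap using only the 9-byte frame header, before any of the payload is decoded. The function names, the 32-entry threshold (taken from the workaround's example value) and the sample frames are assumptions of this example.

```python
import struct

SETTINGS_FRAME_TYPE = 0x4        # SETTINGS frame type (RFC 7540 s6.5)
SETTINGS_FLAG_ACK = 0x1
FRAME_HEADER_SIZE = 9            # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
SETTINGS_ENTRY_SIZE = 6          # 16-bit identifier + 32-bit value (RFC 7540 s6.5.1)
DEFAULT_MAX_FRAME_SIZE = 16384   # initial SETTINGS_MAX_FRAME_SIZE (RFC 7540 s6.5.2)
MAX_SETTINGS_ENTRIES = 32        # assumed cap: the "> 32" threshold from the workaround

# Setting identifiers from RFC 7540 s6.5.2
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4


class DropConnection(Exception):
    """Raised when the frame must be answered by closing the connection."""


def build_settings_frame(entries, flags=0):
    """Encode a SETTINGS frame on stream 0: 9-byte header followed by 6-byte entries."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    header = (len(payload).to_bytes(3, "big")
              + bytes([SETTINGS_FRAME_TYPE, flags])
              + (0).to_bytes(4, "big"))          # stream identifier 0, reserved bit clear
    return header + payload


def build_poc_frame(n_entries=2400):
    """The frame from the advisory: 2,400 entries, i.e. a 14,400-byte payload.
    Repeating one valid identifier is legal; entries are processed in order."""
    return build_settings_frame([(SETTINGS_MAX_CONCURRENT_STREAMS, 100)] * n_entries)


def max_entries_per_frame(max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """How many entries fit under the receiver's SETTINGS_MAX_FRAME_SIZE (2,730 by default)."""
    return max_frame_size // SETTINGS_ENTRY_SIZE


def parse_frame_header(data):
    """Return (length, type, flags, stream_id) from the 9-byte frame header."""
    length = int.from_bytes(data[0:3], "big")
    frame_type = data[3]
    flags = data[4]
    stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF   # drop the reserved bit
    return length, frame_type, flags, stream_id


def check_settings_frame(data, max_entries=MAX_SETTINGS_ENTRIES):
    """Validate a SETTINGS frame and return its entries as (identifier, value) tuples.

    The RFC checks (stream 0, length a multiple of 6, no payload on ACK) and the
    entry-count cap are all decided from the 9-byte header, before any of the
    up-to-16 KiB payload is decoded, so a hostile frame is rejected in O(1).
    """
    if len(data) < FRAME_HEADER_SIZE:
        raise DropConnection("truncated frame header")
    length, frame_type, flags, stream_id = parse_frame_header(data)
    if frame_type != SETTINGS_FRAME_TYPE:
        raise ValueError("not a SETTINGS frame")
    if stream_id != 0:
        raise DropConnection("SETTINGS on a non-zero stream: PROTOCOL_ERROR")
    if length % SETTINGS_ENTRY_SIZE != 0:
        raise DropConnection("payload length not a multiple of 6: FRAME_SIZE_ERROR")
    if flags & SETTINGS_FLAG_ACK and length != 0:
        raise DropConnection("SETTINGS ACK with a payload: FRAME_SIZE_ERROR")
    n_entries = length // SETTINGS_ENTRY_SIZE
    if n_entries > max_entries:
        raise DropConnection(f"{n_entries} settings entries exceeds the cap of {max_entries}")
    payload = data[FRAME_HEADER_SIZE:FRAME_HEADER_SIZE + length]
    if len(payload) != length:
        raise DropConnection("payload shorter than the declared length")
    return [struct.unpack("!HI", payload[i:i + SETTINGS_ENTRY_SIZE])
            for i in range(0, length, SETTINGS_ENTRY_SIZE)]


def would_drop(data, max_entries=MAX_SETTINGS_ENTRIES):
    """True if check_settings_frame() would close the connection for this frame."""
    try:
        check_settings_frame(data, max_entries)
        return False
    except DropConnection:
        return True


if __name__ == "__main__":
    poc = build_poc_frame()
    payload_len = len(poc) - FRAME_HEADER_SIZE
    print("PoC frame: %d payload bytes, %d entries, fits under default max frame size: %s"
          % (payload_len, payload_len // SETTINGS_ENTRY_SIZE, payload_len <= DEFAULT_MAX_FRAME_SIZE))
    print("dropped by the entry cap:", would_drop(poc))
    benign = build_settings_frame([(SETTINGS_MAX_CONCURRENT_STREAMS, 100),
                                   (SETTINGS_INITIAL_WINDOW_SIZE, 65535)])
    print("benign frame entries:", check_settings_frame(benign))
```

The design point is where the cap is applied: the 14,400-byte proof-of-concept frame is well under the default 16,384-byte SETTINGS_MAX_FRAME_SIZE, so a frame-size check alone never fires, and a check made after the entries are decoded (the position of the nghttp2_on_frame_recv_callback workaround) still pays for the decode once per frame. Deciding from the header, as the parser above does, is what turns an unbounded per-frame cost into a constant one.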

Fix:
Upgrade to nghttp2 1.41.0 or later, which rejects SETTINGS frames carrying too many entries (the limit is configurable through nghttp2_option_set_max_settings). Node.js users should move to a Node.js release that bundles nghttp2 1.41.0 or later.

Security Risk:
An unauthenticated attacker is able to carry out the denial-of-service attack remotely against any reachable HTTP/2 endpoint; the risk is estimated here as medium (note that NVD scores the CVE 7.5, High).

References:
https://nghttp2.org/documentation/package_README.html
https://nghttp2.org/documentation/h2load-howto.html?highlight=h2load
https://dzone.com/articles/understanding-http2
https://tools.ietf.org/html/rfc7540

Details:
Product: nghttp2
Affected Versions: < 1.41.0
Fixed Versions: 1.41.0
Severity: medium
CVE: CVE-2020-11080
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11080
