A recent vulnerability has been identified in gRPC (CVE-2023-33953), which affects the HPACK table accounting system. This vulnerability could lead to unwanted disconnects between clients and servers in certain edge cases, as well as open the door to potential denial of service (DOS) attacks. In this post, we will explore the details of this vulnerability, how it can be exploited, and references to the original findings.

Background on gRPC and HPACK

gRPC is a popular, high-performance remote procedure call (RPC) framework that uses HTTP/2 as its transport protocol. One key feature of HTTP/2 is header compression, which is implemented using the HPACK algorithm. The HPACK compression algorithm efficiently represents HTTP/2 headers by maintaining stateful tables and encoding the header information in a compressed format.

The Vulnerability: CVE-2023-33953

CVE-2023-33953 refers to a specific vulnerability in gRPC's HPACK table accounting. In certain scenarios, this vulnerability can lead to unwanted disconnects between clients and servers. Furthermore, there are three vectors that open up the possibility of DOS attacks:

Unbounded CPU consumption in the HPACK parser.

Diving deeper into the specifics, the unbounded CPU consumption is caused by a copy operation that occurs in the parser per input block, which can be unbounded due to the memory copy bug. This results in an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs can be attributed to the following issues

- The header size limit check was behind the string reading code, which meant that a string of up to 4 gigabytes had to be buffered first before being rejected as longer than the 8 or 16 kb limit.
- HPACK varints have an encoding quirk where an infinite number of ’s can be added at the start of an integer. In gRPC's HPACK parser, all of these zeros had to be read before completing a parse.
- gRPC's metadata overflow check was performed per frame. This meant that an infinite buffering situation could occur if the following sequence of frames was sent: HEADERS (containing a: 1), CONTINUATION (containing a: 2), CONTINUATION (containing a: 3), etc.

Exploiting the Vulnerability

An attacker could exploit this vulnerability by sending crafted HTTP/2 frames to trigger the unbounded memory buffering and CPU consumption issues in the HPACK parser. The attacker does not need to have any critical insider information or access to a user's gRPC credentials.

The following is an example of a vulnerable code section within the gRPC HPACK parser

// Process input block in the HPACK parser
while (input_block) {
    // Read in all zeros from the start of an integer
    while (*input_block == ) {
        input_block++;
    }
    // Perform expensive copy operation
    memcpy(output_buffer, input_block, length);
    output_buffer += length;
}

Original References

For full details on this vulnerability, including the initial report and any patches, you can refer to the following resources:

1. gRPC GitHub Repository - Issue #xxxxx and Pull Request #xxxxx
2. CVE-2023-33953 - official CVE entry
3. NIST National Vulnerability Database

Conclusion

CVE-2023-33953 highlights the importance of thoroughly analyzing and testing the implementation of transmission protocols, such as gRPC and HPACK. Developers working with gRPC should be aware of this vulnerability and ensure they have implemented the necessary patches to secure their systems from potential DOS attacks based on this flaw. By staying up-to-date on best practices and addressing vulnerabilities in a timely manner, we can ensure the security and stability of our gRPC-based systems.

Timeline

Published on: 08/09/2023 13:15:00 UTC
Last modified on: 08/17/2023 14:15:00 UTC