In the world of web programming, the nghttp2 library plays a crucial role as an implementation of the Hypertext Transfer Protocol version 2 (HTTP/2) in the C programming language. However, a vulnerability (CVE-2024-28182) was identified in versions prior to 1.61. This blog post aims to provide an in-depth understanding of the vulnerability, its impact, and how developers can mitigate the risks it poses.

To set the stage, let's first understand what the vulnerability is all about. Under certain conditions, the nghttp2 library can consume excessive CPU. This is because the library continues to read an unbounded number of HTTP/2 CONTINUATION frames even after the stream they belong to has been reset. Since the HPACK decoding context must be kept in sync, every one of those frames still has to be run through the HPACK decoder, and that decoding work grows without bound, consuming a large amount of CPU.

The discovery of this vulnerability triggered the release of nghttp2 v1.61, which mitigates the issue by limiting the number of CONTINUATION frames it accepts per stream. As there is no workaround available for this vulnerability, it is crucial to understand how the mitigation was implemented.

The following is a simple code snippet that shows the API call involved. The nghttp2_submit_request function creates and submits a request whose header block is carried by a HEADERS frame followed by as many CONTINUATION frames as needed:

/* session:     the nghttp2_session handling this connection
 * pri_spec:    priority specification for the new stream
 * nva, nvlen:  the request header name/value pairs and their count
 * data_prd:    data provider for the request body (NULL if none)
 * stream_data: user pointer attached to the resulting stream */
nghttp2_submit_request(session, &pri_spec, nva, nvlen,
                       data_prd, stream_data);

Now let's take a look at how the vulnerability was mitigated in version 1.61. The nghttp2 library introduced a limit on the CONTINUATION frames allowed per stream by adding the max_rx_cap field to the nghttp2_settings struct:

#include <stdint.h>

typedef struct {
  uint8_t window_bits;              /* flow-control window size exponent */
  uint32_t max_concurrent_streams;  /* SETTINGS_MAX_CONCURRENT_STREAMS */
  uint32_t max_rx_cap;              /* cap on CONTINUATION frames accepted per stream */
} nghttp2_settings;

This allows developers to easily limit the maximum number of CONTINUATION frames that can affect any single stream. Once the limit is reached, no further CONTINUATION frames are accepted for that stream, so the unbounded decoding work that the vulnerability relies on is cut off.
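To make the mechanism behind the mitigation concrete, here is an added example that is not nghttp2 code and does not use its API. It is a small frame-level guard of the kind a server or proxy could put in front of its HPACK decoder: it walks a buffer of HTTP/2 frames (9-byte frame header per RFC 7540 section 4.1), tracks the header block currently in progress, and tears the connection down once the peer has sent more CONTINUATION frames for one block than a configurable cap allows. The cap value, the h2_conn structure and all function names are assumptions chosen for this example, and the sample frame sequence is constructed inline with empty payloads, since only the frame count matters here.

```c
/* Added example (not nghttp2 code): cap the CONTINUATION frames accepted for
 * one header block, the class of limit the post describes for v1.61. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define H2_FRAME_HEADER_LEN 9
#define H2_HEADERS          0x1
#define H2_CONTINUATION     0x9
#define H2_FLAG_END_HEADERS 0x4

enum h2_verdict {
    H2_OK = 0,
    H2_ERR_TRUNCATED,               /* buffer ends inside a frame */
    H2_ERR_INTERLEAVED,             /* other frame arrived while a header block was open */
    H2_ERR_UNEXPECTED_CONTINUATION, /* CONTINUATION with no open header block */
    H2_ERR_CONTINUATION_LIMIT       /* cap exceeded: close the connection */
};

typedef struct {
    uint32_t open_header_stream; /* stream whose header block is in progress, 0 if none */
    uint32_t continuations;      /* CONTINUATION frames seen for that block */
    uint32_t max_continuations;  /* hypothetical cap, chosen by the caller */
} h2_conn;

static void h2_conn_init(h2_conn *c, uint32_t max_continuations) {
    memset(c, 0, sizeof *c);
    c->max_continuations = max_continuations;
}

/* Walk a buffer of frames and stop at the first violation. *frames_seen is the
 * number of frames examined, including the offending one. Only the counting
 * logic is modelled; no HPACK decoding happens here. */
static enum h2_verdict h2_check_frames(h2_conn *c, const uint8_t *buf, size_t len,
                                       size_t *frames_seen) {
    size_t off = 0;
    *frames_seen = 0;
    while (off < len) {
        if (len - off < H2_FRAME_HEADER_LEN) return H2_ERR_TRUNCATED;
        const uint8_t *h = buf + off;
        uint32_t plen  = ((uint32_t)h[0] << 16) | ((uint32_t)h[1] << 8) | h[2];
        uint8_t  type  = h[3];
        uint8_t  flags = h[4];
        uint32_t sid   = ((uint32_t)(h[5] & 0x7f) << 24) | ((uint32_t)h[6] << 16) |
                         ((uint32_t)h[7] << 8) | h[8];
        if (len - off - H2_FRAME_HEADER_LEN < plen) return H2_ERR_TRUNCATED;
        (*frames_seen)++;

        /* RFC 7540 4.3: nothing may be interleaved with a header block. */
        if (c->open_header_stream != 0 &&
            (type != H2_CONTINUATION || sid != c->open_header_stream))
            return H2_ERR_INTERLEAVED;

        if (type == H2_HEADERS) {
            c->continuations = 0;
            c->open_header_stream = (flags & H2_FLAG_END_HEADERS) ? 0 : sid;
        } else if (type == H2_CONTINUATION) {
            if (c->open_header_stream == 0) return H2_ERR_UNEXPECTED_CONTINUATION;
            /* The actual mitigation: bound the work one header block can cost. */
            if (++c->continuations > c->max_continuations) return H2_ERR_CONTINUATION_LIMIT;
            if (flags & H2_FLAG_END_HEADERS) c->open_header_stream = 0;
        }
        off += H2_FRAME_HEADER_LEN + plen;
    }
    return H2_OK;
}

/* Constructed sample input: write one frame header with an empty payload. */
static size_t h2_put_frame(uint8_t *out, uint8_t type, uint8_t flags, uint32_t sid) {
    out[0] = out[1] = out[2] = 0; /* payload length 0 */
    out[3] = type;
    out[4] = flags;
    out[5] = (uint8_t)((sid >> 24) & 0x7f);
    out[6] = (uint8_t)(sid >> 16);
    out[7] = (uint8_t)(sid >> 8);
    out[8] = (uint8_t)sid;
    return H2_FRAME_HEADER_LEN;
}

#define H2_DEMO_MAX 64

/* HEADERS without END_HEADERS on stream 1, then n CONTINUATION frames, the last
 * one carrying END_HEADERS; run the guard with the given cap. */
static enum h2_verdict h2_demo(uint32_t n_continuations, uint32_t cap, size_t *frames_seen) {
    static uint8_t buf[(H2_DEMO_MAX + 1) * H2_FRAME_HEADER_LEN];
    if (n_continuations > H2_DEMO_MAX) n_continuations = H2_DEMO_MAX;
    size_t off = h2_put_frame(buf, H2_HEADERS, 0, 1);
    for (uint32_t i = 0; i < n_continuations; i++) {
        uint8_t flags = (i + 1 == n_continuations) ? H2_FLAG_END_HEADERS : 0;
        off += h2_put_frame(buf + off, H2_CONTINUATION, flags, 1);
    }
    h2_conn c;
    h2_conn_init(&c, cap);
    return h2_check_frames(&c, buf, off, frames_seen);
}

static size_t h2_demo_frames_seen(uint32_t n_continuations, uint32_t cap) {
    size_t seen = 0;
    h2_demo(n_continuations, cap, &seen);
    return seen;
}

int main(void) {
    size_t seen;
    enum h2_verdict v = h2_demo(3, 8, &seen);
    printf("3 CONTINUATION frames, cap 8: verdict %d after %zu frames\n", (int)v, seen);
    v = h2_demo(40, 8, &seen);
    printf("40 CONTINUATION frames, cap 8: verdict %d after %zu frames\n", (int)v, seen);
    return 0;
}
```

The design point is where the check sits: it runs on the frame header before any HPACK work, so a peer that keeps streaming CONTINUATION frames for a stream the server has already given up on costs at most the capped number of decodes before the connection is dropped. With a cap of 8, the block above accepts a header block split into 8 CONTINUATION frames and rejects the connection on the 9th.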

The mitigation of CVE-2024-28182 is significant and essential for web applications that utilize the nghttp2 library. Developers using this library must be aware of this vulnerability and act accordingly. Those running versions prior to 1.61 should update immediately to mitigate the risk.

For a more detailed understanding of this vulnerability and its impact, refer to the original references:
- nghttp2 GitHub Repository
- CVE-2024-28182 Details

In conclusion, it is crucial for developers using the nghttp2 library to remain vigilant when it comes to addressing vulnerabilities, and to take all necessary actions to secure software systems from exploitation. Ensuring that you are using the latest version of the library, along with understanding the risks posed by vulnerabilities, is key to preventing adverse consequences to your systems.

Timeline

Published on: 04/04/2024 15:15:38 UTC
Last modified on: 05/01/2024 18:15:17 UTC