Netty is a widely-used asynchronous event-driven network application framework that allows developers to create high-performance protocol servers and clients with ease. However, a recent vulnerability CVE-2024-29025 has been discovered in the handling of *chunked* POST requests, which can potentially lead to Denial of Service (DoS) attacks due to unbounded field accumulation in the HttpPostRequestDecoder.

Affected Versions

Netty versions prior to 4.1.108.Final are affected by this vulnerability.

Technical Details

The problematic handling of chunked POST requests is in the HttpPostRequestDecoder. The decoder can be configured to store file uploads on the disk temporarily, but there are no limits to the number of fields that can be submitted in a form. This means an attacker can send a chunked POST request containing many small fields, which will be accumulated in the internal bodyListHttpData list.

The HttpPostRequestDecoder cumulates bytes in the undecodedChunk buffer until it can decode a field. However, this field can accumulate data without any limits, which allows an attacker to exploit this behavior and potentially cause a Denial of Service due to resource consumption.

Code Snippet

The following code snippet from the *HttpPostRequestDecoder* class highlights how data is accumulated in the undecodedChunk buffer:

switch (this.state) {
    case SKIP_CONTROL_CHARS:
        ...
    case READ_VARIABLE_LENGTH:
        ...
    default:
        ...
}

Here, the undecodedChunk buffer is filled with the data sent by the attacker, and there is no mechanism to enforce limits on the size of the accumulated data.

Impact

This vulnerability allows an attacker to send a large number of small fields in a POST request, which will eventually consume server resources to the point where it can no longer function effectively. This can lead to a Denial of Service attack affecting availability and overall system performance.

Solution

To protect against CVE-2024-29025, users must upgrade to Netty version 4.1.108.Final or later.

Original References

Netty Project GitHub Repository: https://github.com/netty/netty
Netty Release Notes: https://netty.io/news/2021/11/30/4-1-68-Final.html
Netty HttpPostRequestDecoder Source: https://github.com/netty/netty/blob/4.1/codec-http/src/main/java/io/netty/handler/codec/http/multipart/HttpPostRequestDecoder.java

Exploit Details

To exploit this vulnerability, an attacker can prepare a malicious POST request using the HTTP Transfer-Encoding: chunked header. Each chunk would contain a small field, and the attacker would send a large number of these chunks, potentially filling the server's memory and rendering it unusable.

Currently, there are no known public exploits targeting this vulnerability. However, system administrators and developers should treat it as a high-risk issue and promptly address it by upgrading their Netty installations to a patched version (4.1.108.Final or later).

Timeline

Published on: 03/25/2024 20:15:08 UTC
Last modified on: 03/26/2024 12:55:05 UTC