CVE-2024-36387 - WebSocket Protocol Upgrades over HTTP/2 leading to Null Pointer Dereference and Server Process Crash

A recent vulnerability has been discovered in the way some server implementations handle WebSocket protocol upgrades over an HTTP/2 connection. This vulnerability, assigned CVE-2024-36387, can lead to a Null Pointer Dereference (NPD) crash of the server process, and subsequently degrade the performance of the system. In this post, we will provide a detailed explanation of the vulnerability, a code snippet demonstrating the issue, links to original references, and information on potential exploit scenarios.

Vulnerability Details

A Null Pointer Dereference (NPD) is a type of software bug that occurs when a program attempts to access or manipulate memory through a pointer whose value is NULL. In the context of CVE-2024-36387, misconfigured servers handling WebSocket protocol upgrades over HTTP/2 connections may be vulnerable to this issue.

When a server receives a WebSocket upgrade request, it needs to switch its communication protocol from HTTP to WebSocket. However, due to the lack of proper validation and handling during the upgrade process in some server implementations, this can cause a NULL pointer to be dereferenced.

The issue arises when a server is serving the WebSocket upgrade requests over an HTTP/2 connection, as the underlying data structure representing the connection state may be improperly managed, leading to a NULL pointer. As a consequence, the server process may crash, impacting its performance and potentially affecting other services running on the same system.

Code Snippet

The following code snippet is a simplified example of a vulnerable server implementation that causes an NPD when handling WebSocket protocol upgrades over HTTP/2 connections:

// Server implementation example
void handle_websocket_upgrade(http_request *req) {
    if (req->connection_state->protocol_version == HTTP2) {
        // Perform WebSocket upgrade over HTTP/2
        http2_stream *stream = req->connection_state->active_stream;
        if (!stream) {
            // ERROR: stream is NULL
            handle_error("NULL pointer dereference");
        }

        // ... Upgrade WebSocket protocol
    } else {
        // ... Handle WebSocket upgrade for HTTP/1.x
    }
}

In the above example, the server attempts to access the active_stream field of the connection_state structure for an HTTP/2 connection. However, if the active_stream is NULL, the server will crash due to an NPD.

Further information on this vulnerability can be found in the following original references

1. National Vulnerability Database (NVD) - CVE-2024-36387
2. Common Vulnerabilities and Exposures (CVE) - CVE-2024-36387
3. Vulnerability Report - CVE-2024-36387

Exploit Scenarios

This vulnerability may be exploited in scenarios where an attacker has control over the WebSocket upgrade request and can cause the server to switch to an HTTP/2 connection. By doing so, they can trigger an NPD in the server process, causing it to crash and degrade the performance of the system.

In severe cases, exploiting this vulnerability might lead to a Denial-of-Service (DoS) attack, rendering the affected server inaccessible for legitimate users. Moreover, repeated exploitation attempts may cause increased resource consumption on the system, impacting co-located services and causing a significant degradation of system performance.

Conclusion

CVE-2024-36387 is a critical vulnerability in some server implementations handling WebSocket protocol upgrades over HTTP/2 connections. A thorough understanding and proper validation during the WebSocket upgrade process are crucial for preventing NULL pointer dereferences and ensuring the stability and performance of the server.

It is highly recommended to follow best practices for protocol upgrade handling and to apply patches provided by your server vendor or implement the necessary changes to address this vulnerability. Additionally, continuously monitoring and analyzing server logs for suspicious activities can aid in identifying potential exploit attempts.

Timeline

Published on: 07/01/2024 19:15:03 UTC
Last modified on: 07/12/2024 14:15:11 UTC