Source: cve-assign@fb.com
A malformed h2 frame can cause a 'std::out_of_range' exception when parsing priority metadata. This behavior can lead to denial-of-service. This affects all supported versions of HHVM (3.25.2, 3.24.6, and 3.21.10 and below) when using the proxygen server to handle HTTP2 requests.
HHVM (HipHop Virtual Machine), a PHP runtime environment, is vulnerable to a denial-of-service (DoS) attack. A crafted HTTP/2 frame with malformed priority metadata can trigger a std::out_of_range exception, causing the server process to crash and become unavailable. This impacts all supported versions of HHVM that use the proxygen server for HTTP/2 request handling.
Step 1: Payload Delivery: An attacker crafts a malicious HTTP/2 frame. This frame contains a malformed priority metadata section. The malformation can involve invalid priority values, incorrect data lengths, or an unexpected data format for the priority information.
Step 2: Frame Reception: The vulnerable HHVM instance, using the proxygen server, receives the crafted HTTP/2 frame.
Step 3: Parsing & Processing: The proxygen server's HTTP/2 frame parsing logic attempts to process the priority metadata.
Step 4: Exception Trigger: Because the data is malformed, the parsing logic derives an index that lies outside the valid range of the structure it indexes; the bounds-checked access rejects it by throwing std::out_of_range.
Step 5: Denial of Service: The unhandled exception causes the HHVM process to crash, resulting in a denial-of-service condition.
The vulnerability lies in HHVM's handling of HTTP/2 priority metadata within the proxygen server. Specifically, the parsing logic for the priority information carried in a malformed HTTP/2 frame is flawed. When the server receives a frame with invalid priority data, such as out-of-range values or an unexpected format, the parsing code indexes a container with a value that falls outside its valid range, and the checked access throws std::out_of_range. Because nothing handles this exception, the HHVM process terminates, resulting in a DoS condition. The root cause is a lack of input validation and bounds checking before the priority metadata is used. The specific flaw is likely within the proxygen server's HTTP/2 frame parsing code, where an array or data structure is accessed using an index derived from the malformed priority data without first validating that the index is in range. This is not a buffer overflow or a race condition: the checked access refuses the out-of-range index, but the resulting exception propagates uncaught and takes the whole process down instead of causing the single bad frame to be rejected.
There is no specific APT or malware directly linked to this CVE in public reports. However, any threat actor targeting web servers could potentially exploit this vulnerability. This CVE is not listed in the CISA KEV catalog.
Monitor HHVM server logs for std::out_of_range exceptions or other error messages related to HTTP/2 frame parsing, and watch for unexpected process exits or supervisor restarts, since the uncaught exception terminates the process.
Analyze network traffic for unusual HTTP/2 frames, particularly those with malformed priority metadata. Tools like Wireshark can be used to inspect HTTP/2 frames.
Implement intrusion detection systems (IDS) with rules that specifically look for malformed HTTP/2 frames or suspicious HTTP/2 traffic patterns.
Monitor server resource usage (CPU, memory) for sudden spikes or drops, which could indicate a DoS attack.
Upgrade to a patched version of HHVM (3.25.3, 3.24.7, 3.21.11 or later).
Implement a Web Application Firewall (WAF) to filter and block malicious HTTP/2 traffic. Configure the WAF to inspect and validate HTTP/2 frames, specifically focusing on priority metadata; note that frame-level inspection requires the WAF to terminate the HTTP/2 connection itself rather than pass it through.
Regularly update and patch the HHVM installation to address security vulnerabilities.
Implement rate limiting to restrict the number of HTTP/2 requests from a single source within a given time period. This can mitigate the impact of a DoS attack.
Ensure proper error handling within the HHVM code, specifically within the proxygen server's HTTP/2 parsing logic. Validate the priority metadata (payload length and the values it carries) before using it, and catch parser exceptions at the frame-dispatch level so that a single malformed frame is rejected rather than crashing the process.
Monitor the server for any unusual activity and implement a robust logging and alerting system.
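The root-cause description above and the recommendation to validate priority metadata are illustrated by the following added example. It is a constructed model written for this page, not proxygen's or HHVM's code: it parses the 5-octet HTTP/2 priority section (RFC 7540 section 6.3 layout), shows how an unchecked lookup lets std::out_of_range escape, and shows the validated parser and the catch-at-dispatch fallback beside it. The names (Priority, ParseResult, parse_priority, unchecked_lookup, dispatch_unchecked) and the dependency table are assumptions of the example.

```cpp
#include <cstdint>
#include <stdexcept>
#include <vector>

// Constructed model of HTTP/2 priority parsing (RFC 7540 section 6.3 layout); not proxygen's code.
// A priority section is 5 octets: E bit + 31-bit stream dependency, then an 8-bit weight
// whose wire value plus one gives the weight (1..256).
struct Priority {
    bool exclusive;
    uint32_t dependency;
    uint16_t weight;
};

enum class ParseResult { Ok, FrameSizeError, ProtocolError };

// Reads the 31-bit stream dependency with bounds-checked access: on a short payload
// .at() throws std::out_of_range rather than reading past the buffer.
static uint32_t read_dependency(const std::vector<uint8_t>& p) {
    return (uint32_t(p.at(0) & 0x7F) << 24) | (uint32_t(p.at(1)) << 16) |
           (uint32_t(p.at(2)) << 8) | uint32_t(p.at(3));
}

// Unchecked variant: no length check, and the dependency is used directly as a table index.
// A short payload or a large dependency makes .at() throw std::out_of_range, which
// terminates the process if nothing above it catches the exception.
int unchecked_lookup(const std::vector<uint8_t>& payload, const std::vector<int>& tree) {
    return tree.at(read_dependency(payload));
}

// Hardened variant: validate the length and the dependency before any indexing and return
// an error code the connection layer can map to FRAME_SIZE_ERROR / PROTOCOL_ERROR.
ParseResult parse_priority(const std::vector<uint8_t>& payload, uint32_t stream_id, Priority& out) {
    if (payload.size() != 5) return ParseResult::FrameSizeError;  // exactly 5 octets allowed
    uint32_t dep = read_dependency(payload);
    if (dep == stream_id) return ParseResult::ProtocolError;     // a stream cannot depend on itself
    out = Priority{(payload[0] & 0x80) != 0, dep, uint16_t(payload[4] + 1)};
    return ParseResult::Ok;
}

// Defence in depth: the per-frame dispatcher catches parser exceptions so one malformed
// frame is rejected (stream reset / GOAWAY) instead of crashing the whole server.
bool dispatch_unchecked(const std::vector<uint8_t>& payload, const std::vector<int>& tree) {
    try {
        unchecked_lookup(payload, tree);
        return true;
    } catch (const std::out_of_range&) {
        return false;
    }
}
```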