CVE-2018-6346

Source: cve-assign@fb.com

HIGH
7.5
Published: December 31, 2018 at 10:29 PM
Modified: May 6, 2025 at 04:15 PM

Vulnerability Description

A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 priority settings (specifically a circular dependency). This affects Proxygen prior to v2018.12.31.00.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: cve-assign@fb.com
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Proxygen, Facebook's open-source collection of C++ HTTP libraries (used to build HTTP servers and proxies, with HTTP/2 support), is vulnerable to a denial-of-service (DoS) attack due to improper handling of HTTP/2 stream priority settings. An attacker who can open an HTTP/2 connection sends priority signalling (PRIORITY frames, or HEADERS frames carrying priority fields) that declares a circular dependency between streams. Proxygen versions before v2018.12.31.00 do not handle that invalid dependency correctly, so the per-connection priority tree can be left with a cycle and later processing of it can consume excessive CPU, leaving the process unresponsive to legitimate requests.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a target system using Proxygen (or a system using Proxygen as a component).

Step 2: Crafting the Priority Signalling: The attacker prepares priority information for several streams on one HTTP/2 connection, either as PRIORITY frames or in the priority fields of HEADERS frames, arranged so that stream A depends on stream B, B on C, and C on A. On the wire this sequence is legal: RFC 7540 section 5.3.3 requires a receiver that is asked to make a stream dependent on one of its own descendants to first move that descendant under the stream's previous parent, so a compliant stack never ends up with a cycle. A direct self-dependency (A depends on A) must instead be rejected as a stream error of type PROTOCOL_ERROR.

Step 3: Delivery: The frames are sent over a single connection to the vulnerable Proxygen instance. No authentication or user interaction is required (PR:N/UI:N in the CVSS vector).

Step 4: Priority Graph Processing: Proxygen records the declared dependencies in its per-connection stream priority tree.

Step 5: Circular Dependency Handling Failure: Proxygen's handling of the invalid dependency does not prevent the cycle from being recorded. The advisory describes the input only as "invalid HTTP2 priority settings (specifically a circular dependency)" and does not detail the code path.

Step 6: Resource Exhaustion: Any later operation that walks the tree toward the root (scheduling, weight distribution, reprioritisation) no longer has a terminating condition on such a tree. The advisory does not state whether the result is an unbounded loop, unbounded recursion or another failure, only that it is a potential denial of service; in every variant the symptom is CPU consumed with no useful work done.

Step 7: Denial of Service: The affected Proxygen worker or process stops serving legitimate requests.

03 // Deep Technical Analysis

The vulnerability is a logic error in Proxygen's handling of HTTP/2 stream priorities, not a memory-safety bug such as a buffer overflow or use-after-free. RFC 7540 section 5.3 models priorities as a tree rooted at stream 0; each PRIORITY frame (or HEADERS frame carrying priority fields) names a parent stream, a weight and an exclusive flag. Two rules keep that tree acyclic: a stream may not depend on itself (section 5.3.1, PROTOCOL_ERROR), and when a stream is made dependent on one of its own descendants, the descendant must first be re-parented under the stream's previous parent (section 5.3.3). Proxygen versions before v2018.12.31.00 did not correctly handle a circular dependency declared by the peer, so a crafted sequence such as A -> B, B -> C, C -> A could leave the tree with a cycle. Code that then walks parent pointers toward the root, for scheduling or weight calculation, has no terminating condition on such a tree, which is the resource-exhaustion path behind the advisory's "potential denial-of-service" wording. The root cause is therefore missing validation on ingest (self-dependency rejection and the section 5.3.3 re-parenting) combined with an unbounded tree walk; with both in place a malformed graph costs at most a stream reset rather than a worker.
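The tree behaviour described in the mechanism steps above and in this section, as an added example that is not Proxygen's code: a small Python model of the RFC 7540 section 5.3 priority tree with two placement policies, one that trusts the peer verbatim (and so can be handed a cycle) and one that applies the section 5.3.1 and 5.3.3 rules. The stream numbers, the three-frame sequence 1->3, 3->5, 5->1 and all function names are constructed for this example; the `seen` guard in `ancestors()` is the bounded walk a scheduler needs so that a bad tree costs a stream reset rather than a worker.

```python
"""Model of an RFC 7540 section 5.3 HTTP/2 stream-priority tree.

Two placement policies are shown side by side:
  naive_reprioritize   trusts the peer's dependency verbatim (the class of
                       defect this advisory describes; not Proxygen's code)
  rfc7540_reprioritize applies the section 5.3.1 / 5.3.3 rules, so a
                       dependency on one's own descendant is legal but
                       can never produce a cycle
Stream 0 is the implicit root and is never reprioritized.
"""

ROOT = 0
DEFAULT_WEIGHT = 16


class ProtocolError(Exception):
    """Would be surfaced to the peer as a PROTOCOL_ERROR stream error."""


class PriorityTree:
    def __init__(self):
        self.parent = {}   # stream id -> parent stream id (0 = root)
        self.weight = {}   # stream id -> weight 1..256

    def add(self, sid, parent=ROOT, weight=DEFAULT_WEIGHT):
        self.parent[sid] = parent
        self.weight[sid] = weight

    def children(self, sid):
        return [s for s, p in self.parent.items() if p == sid]

    def ancestors(self, sid):
        """Parent chain from sid up to (excluding) the root. The `seen`
        guard is what a scheduler's tree walk needs: without it, a cycle
        turns this loop into the CPU burn described in the advisory."""
        seen, path = set(), []
        cur = self.parent.get(sid)
        while cur is not None and cur != ROOT:
            if cur in seen:
                raise ProtocolError(f"dependency cycle reached via stream {cur}")
            seen.add(cur)
            path.append(cur)
            cur = self.parent.get(cur)
        return path

    def is_descendant(self, sid, ancestor):
        return ancestor in self.ancestors(sid)


def naive_reprioritize(tree, sid, dep, weight=DEFAULT_WEIGHT, exclusive=False):
    """Takes the PRIORITY frame at face value. The frames 1->3, 3->5, 5->1
    leave streams 1, 3 and 5 with no path to the root."""
    if sid not in tree.parent:
        tree.add(sid)
    tree.parent[sid], tree.weight[sid] = dep, weight
    if exclusive:
        for c in tree.children(dep):
            if c != sid:
                tree.parent[c] = sid


def rfc7540_reprioritize(tree, sid, dep, weight=DEFAULT_WEIGHT, exclusive=False):
    """Compliant placement. The checks are, in order, RFC 7540 section
    5.3.1 (self-dependency, unknown parent) and section 5.3.3."""
    if sid == dep:
        raise ProtocolError(f"stream {sid} depends on itself")
    if sid not in tree.parent:
        tree.add(sid)
    if dep != ROOT and dep not in tree.parent:
        dep, weight = ROOT, DEFAULT_WEIGHT      # unknown parent: default priority
    if dep != ROOT and tree.is_descendant(dep, sid):
        # 5.3.3: the new parent is in our subtree, so move it (with its
        # own subtree) under our previous parent before re-hanging us.
        tree.parent[dep] = tree.parent[sid]
    tree.parent[sid], tree.weight[sid] = dep, weight
    if exclusive:
        for c in tree.children(dep):
            if c != sid:
                tree.parent[c] = sid


def attack_sequence(reprioritize):
    """Opens streams 1, 3, 5 at default priority, then applies the three
    PRIORITY frames 1->3, 3->5, 5->1 (a constructed sample sequence).
    Returns (tree, cycle_found) after walking every stream to the root."""
    tree = PriorityTree()
    for s in (1, 3, 5):
        tree.add(s)
    for sid, dep in ((1, 3), (3, 5), (5, 1)):
        reprioritize(tree, sid, dep)
    try:
        for s in (1, 3, 5):
            tree.ancestors(s)
    except ProtocolError:
        return tree, True
    return tree, False


def rejects_self_dependency(reprioritize):
    """True if the policy refuses a frame making stream 7 depend on itself."""
    tree = PriorityTree()
    tree.add(7)
    try:
        reprioritize(tree, 7, 7)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    for fn in (naive_reprioritize, rfc7540_reprioritize):
        tree, cyc = attack_sequence(fn)
        print(f"{fn.__name__:22s} parents={tree.parent} cycle={cyc}")
```

Run it directly to see both policies applied to the same frames: the naive tree ends with parents {1: 3, 3: 5, 5: 1} and the walk raises, while the compliant tree ends with {1: 0, 3: 5, 5: 1}, because stream 1 was first moved under stream 5's previous parent (the root) before stream 5 was hung below it.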

04 // Exploitation Status

No public proof of concept is referenced on this page. Building one is straightforward once the mechanism is understood: any HTTP/2 client library that lets the caller emit raw PRIORITY frames can send the three-frame sequence over a single connection. The practical obstacle for an attacker is identifying vulnerable deployments, since Proxygen is a library embedded in other services rather than a product that announces its version. Exploitation status as far as this page records: discovery only, but treat it as trivially weaponisable.

05 // Threat Intelligence

No threat actor is known to have exploited this vulnerability, and it is not listed in the CISA KEV catalogue. The barrier to use is low: anyone who can open an HTTP/2 connection to the service can send the frames (the CVSS vector records no privileges or user interaction), so it is a plausible tool for low-effort service disruption even without a skilled operator.

06 // Detection & Hunting

  • Sustained high CPU on Proxygen worker threads or processes that is not matched by request throughput; the attack needs only a handful of frames, so there is no traffic spike to correlate with.

  • Rising HTTP/2 response latency or timeouts on a host whose HTTP/1.1 endpoints, if any, remain healthy.

  • Connections that send many PRIORITY frames, or PRIORITY frames for streams that were never opened; legitimate browsers send a small, predictable set of priority updates per page load.

  • Proxygen or application logs showing stream resets, connection errors or watchdog events tied to stream prioritisation (the advisory does not name a specific log message).

  • Stateful IDS/IPS or WAF rules that track the per-connection dependency graph and alert when a PRIORITY or HEADERS frame would close a cycle. This is only possible where the inspection point terminates TLS, since the frames are not visible on an encrypted wire, and the rule must keep per-connection state rather than match single packets.
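One way to hunt for the cyclic priority pattern in the last bullet, as an added example rather than any vendor's rule: a Python replay of one connection's plaintext HTTP/2 frames that extracts priority fields from PRIORITY frames and from HEADERS frames carrying the PRIORITY flag, places each dependency verbatim (the behaviour a vulnerable stack would exhibit), and reports any frame that would close a cycle or name the stream itself. The frame byte strings below are constructed inline, not captured traffic, and the function names are this example's own. Because the frames are only visible after TLS termination, this runs on server-side frame logs or at a terminating proxy, not on a passive tap.

```python
"""Replay one HTTP/2 connection's raw frames and flag priority signalling
that a stack trusting the peer verbatim would turn into a dependency cycle.
Input is the plaintext frame stream after the connection preface, so this
only works where TLS is terminated or frames are logged server-side."""
import struct

FRAME_HEADER = struct.Struct("!3sBBI")   # length(24) type(8) flags(8) R(1)+stream(31)
TYPE_HEADERS, TYPE_PRIORITY, TYPE_SETTINGS = 0x1, 0x2, 0x4
FLAG_END_HEADERS, FLAG_PADDED, FLAG_PRIORITY = 0x4, 0x8, 0x20


def parse_frames(data):
    """Yield (type, flags, stream_id, payload); stop at a truncated frame."""
    off = 0
    while off + FRAME_HEADER.size <= len(data):
        length3, ftype, flags, sid = FRAME_HEADER.unpack_from(data, off)
        length = int.from_bytes(length3, "big")
        off += FRAME_HEADER.size
        if off + length > len(data):
            break
        yield ftype, flags, sid & 0x7FFFFFFF, data[off:off + length]
        off += length


def priority_fields(ftype, flags, payload):
    """(exclusive, dependency, weight) for a PRIORITY frame or a HEADERS
    frame with the PRIORITY flag (RFC 7540 sections 6.2 and 6.3), else None."""
    if ftype == TYPE_PRIORITY:
        if len(payload) != 5:
            return None                      # FRAME_SIZE_ERROR in a real stack
        body = payload
    elif ftype == TYPE_HEADERS and flags & FLAG_PRIORITY:
        body = payload[1:] if flags & FLAG_PADDED else payload   # skip Pad Length
        if len(body) < 5:
            return None
    else:
        return None
    dep = int.from_bytes(body[:4], "big")
    return bool(dep >> 31), dep & 0x7FFFFFFF, body[4] + 1


def would_cycle(parent, sid, dep):
    """True if recording parent[sid] = dep verbatim would put sid on a
    cycle. The walk is bounded by `seen`, so the detector itself cannot
    be starved by the graph it is inspecting."""
    seen, cur = set(), dep
    while cur != 0:
        if cur == sid or cur in seen:
            return True
        seen.add(cur)
        cur = parent.get(cur, 0)
    return False


def analyze_connection(data):
    """Return (findings, priority_frame_count) for one connection."""
    parent, findings, count = {}, [], 0
    for ftype, flags, sid, payload in parse_frames(data):
        pf = priority_fields(ftype, flags, payload)
        if pf is None:
            continue
        count += 1
        _exclusive, dep, _weight = pf
        if sid == 0:
            findings.append("priority signalled on stream 0 (PROTOCOL_ERROR)")
        elif dep == sid:
            findings.append(f"stream {sid} depends on itself (PROTOCOL_ERROR)")
        elif would_cycle(parent, sid, dep):
            findings.append(f"stream {sid} -> {dep} closes a dependency cycle")
        else:
            parent[sid] = dep                # trust-verbatim placement
    return findings, count


# --- constructed sample frames for this example (not captured traffic) -----
def frame(ftype, flags, sid, payload):
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + sid.to_bytes(4, "big") + payload

def priority_frame(sid, dep, weight=16, exclusive=False):
    return frame(TYPE_PRIORITY, 0, sid, ((exclusive << 31) | dep).to_bytes(4, "big") + bytes([weight - 1]))

def headers_frame(sid, dep, weight=16, hpack=b"\x82\x84"):   # HPACK: :method GET, :path /
    return frame(TYPE_HEADERS, FLAG_END_HEADERS | FLAG_PRIORITY, sid,
                 dep.to_bytes(4, "big") + bytes([weight - 1]) + hpack)

SETTINGS = frame(TYPE_SETTINGS, 0, 0, b"")
BENIGN = SETTINGS + headers_frame(1, 0) + headers_frame(3, 1) + priority_frame(5, 3, weight=32)
MALICIOUS = (SETTINGS + headers_frame(1, 0) + priority_frame(1, 3) + priority_frame(3, 5)
             + priority_frame(5, 1) + headers_frame(7, 1))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, analyze_connection(blob))
```

The detector deliberately uses the trust-verbatim placement rather than the RFC 7540 section 5.3.3 re-parenting: the graph of interest is the one the attacker is trying to induce, and a compliant stack would silently repair it and never see the cycle. Counting priority frames per connection, as the second return value does, gives a cheap secondary signal for rate-based alerting.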

07 // Remediation & Hardening

  • Upgrade Proxygen to v2018.12.31.00 or later; this is the only fix for the defect itself.

  • Where a front-end proxy or load balancer terminates client connections and speaks HTTP/1.1 to the Proxygen-based service, no HTTP/2 PRIORITY frames reach the vulnerable code, which removes the attack surface until the upgrade lands. A WAF only helps if it terminates TLS and reassembles HTTP/2 frames statefully; one that passes priority frames through untouched adds nothing.

  • Monitor Proxygen CPU, memory and connection counts, and alert on sustained CPU with flat request throughput.

  • Rate limiting by request count is a weak control, since the attack needs one connection and three frames; limit concurrent connections per source and, where the stack exposes it, the number of PRIORITY frames accepted per connection.

  • HTTP/2 priority signalling was deprecated by RFC 9113 (2022), which replaced RFC 7540; stacks that ignore PRIORITY frames, or treat them as advisory and bounded, are not exposed to this class of bug. Keep the HTTP/2 stack patched regardless.

08 // Affected Products

Proxygen versions prior to v2018.12.31.00, and any product or service that embeds such a Proxygen release as its HTTP/2 server or proxy component.