CVE-2018-6347

Source: cve-assign@fb.com

HIGH
7.5
Published: December 31, 2018 at 10:29 PM
Modified: May 6, 2025 at 04:15 PM

Vulnerability Description

An issue in the Proxygen handling of HTTP2 parsing of headers/trailers can lead to a denial-of-service attack. This affects Proxygen prior to v2018.12.31.00.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: cve-assign@fb.com
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Proxygen, a Facebook-developed HTTP/2 library, is vulnerable to a denial-of-service (DoS) attack due to a flaw in its header/trailer parsing. Attackers can craft malicious HTTP/2 requests to exhaust server resources, leading to service unavailability and potential disruption of critical applications. This vulnerability requires immediate patching to prevent exploitation.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious HTTP/2 request. This request contains either a large number of headers/trailers, or headers/trailers with extremely large sizes.

Step 2: Request Processing: The vulnerable Proxygen library receives and begins to parse the malicious HTTP/2 request.

Step 3: Resource Exhaustion: Due to the lack of proper input validation, the parsing routines allocate excessive memory or consume excessive CPU resources while processing the headers/trailers.

Step 4: Denial of Service: The server's resources (CPU, memory) are exhausted, leading to a denial-of-service condition. Legitimate requests are either dropped or significantly delayed, rendering the service unavailable.

03 // Deep Technical Analysis

The vulnerability lies within Proxygen's HTTP/2 header and trailer parsing logic. Specifically, the flaw stems from inadequate validation of the size or number of headers/trailers received in an HTTP/2 frame. An attacker can send a stream of specially crafted HTTP/2 frames with a large number of headers or trailers, or headers/trailers with excessively large sizes. This can lead to excessive memory allocation or CPU consumption within the parsing routines, eventually exhausting server resources and causing a DoS. The root cause is a lack of proper input validation and resource limiting during the parsing process, allowing an attacker to trigger an integer overflow or memory exhaustion condition. This is not a buffer overflow or code execution vulnerability, but a resource exhaustion vulnerability.

04 // Exploitation Status

Public PoC is likely available. Given the age and nature of the vulnerability, it's highly probable that proof-of-concept (PoC) exploits have been developed and are publicly available. While not necessarily actively exploited in the wild currently, the ease of exploitation and potential impact make it a high-risk vulnerability.

05 // Threat Intelligence

While no specific APTs are definitively linked to exploiting this vulnerability, any threat actor targeting systems using vulnerable versions of Proxygen could potentially leverage it. The ease of exploitation makes it attractive for both sophisticated and less sophisticated attackers. CISA KEV status: Not listed.

06 // Detection & Hunting

  • Monitor server resource metrics for unusually high CPU usage or memory consumption, especially during periods of HTTP/2 traffic.

  • Analyze HTTP/2 traffic for requests with an excessive number of headers or trailers.

  • Implement network intrusion detection systems (IDS) rules to identify malicious HTTP/2 requests based on header/trailer characteristics (e.g., size, count).

  • Monitor for abnormally high connection rates or connection failures related to HTTP/2 traffic.

07 // Remediation & Hardening

  • Upgrade Proxygen to version v2018.12.31.00 or later.

  • Implement rate limiting and resource limits on HTTP/2 connections to prevent excessive resource consumption.

  • Configure web servers and reverse proxies to filter or block requests with an excessive number of headers or large header sizes.

  • Regularly update all dependencies, including Proxygen, to address security vulnerabilities.

  • Implement a Web Application Firewall (WAF) to filter malicious HTTP/2 requests.
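As an added illustration of the header size and count limits recommended above (example code written for this page, not Proxygen's own implementation): a small Python HTTP/2 frame reader that caps the raw header block size and the number of frames a block may span before any HPACK decoding happens, so an oversized block is rejected instead of buffered. Frame constants follow RFC 7540; the cap values and sample frames are constructed for the example, and frames are assumed to carry no PADDED or PRIORITY flags.

```python
# HTTP/2 frame layout (RFC 7540 s.4.1): 24-bit length, 8-bit type, 8-bit flags,
# 1 reserved bit + 31-bit stream id. Caps below are hypothetical values for this example.
FRAME_HEADER_LEN = 9
HEADERS, CONTINUATION, FLAG_END_HEADERS = 0x1, 0x9, 0x4
MAX_HEADER_BLOCK_BYTES = 16 * 1024  # compressed header block accepted per request
MAX_HEADER_FRAMES = 8               # HEADERS + CONTINUATION frames per block
def build_frame(ftype, flags, stream_id, payload):
    """Assemble a raw frame; used here only to construct sample input."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)
def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length
def collect_header_block(data, max_bytes=MAX_HEADER_BLOCK_BYTES, max_frames=MAX_HEADER_FRAMES):
    """Gather one stream's HEADERS + CONTINUATION fragments, enforcing the caps on the
    raw block before any HPACK decoding, so an oversized block is never buffered or
    decompressed. Returns (stream_id, block) or raises ValueError, which a server would
    turn into a stream/connection error. Assumes no PADDED/PRIORITY flags are set."""
    block, stream_id, frames = bytearray(), None, 0
    for ftype, flags, sid, payload in iter_frames(data):
        if stream_id is None:
            if ftype != HEADERS:
                raise ValueError("header block must start with HEADERS")
            stream_id = sid
        elif ftype != CONTINUATION or sid != stream_id:
            raise ValueError("interleaved frame inside header block")
        frames += 1
        if frames > max_frames:
            raise ValueError("too many frames in header block")
        if len(block) + len(payload) > max_bytes:  # check before appending
            raise ValueError("header block exceeds %d bytes" % max_bytes)
        block += payload
        if flags & FLAG_END_HEADERS:
            return stream_id, bytes(block)
    raise ValueError("header block not terminated by END_HEADERS")
# Constructed samples: a small legitimate block (three HPACK static-table indexed
# fields) and a flood that spreads a large block over many CONTINUATION frames.
BENIGN = build_frame(HEADERS, FLAG_END_HEADERS, 1, b"\x82\x86\x84")
FLOOD = build_frame(HEADERS, 0, 3, b"\x00" * 8192) + b"".join(
    build_frame(CONTINUATION, 0, 3, b"\x00" * 8192) for _ in range(20))
```

Note that these caps bound the compressed block only; the decoded header list can be larger, so a deployment also needs the decoded-size limit that HTTP/2 advertises via SETTINGS_MAX_HEADER_LIST_SIZE.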

08 // Affected Products

  • Proxygen (versions prior to v2018.12.31.00)

  • Facebook's internal services and any other applications using the vulnerable Proxygen library.