Security #5926


http2: evasion by splitting header fields over frames

Added by Philippe Antoine about 3 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Label:
Git IDs: aff54f29f8c3f583ae0524a661aa90dc7a2d3f92
Severity: HIGH
Disclosure Date:

Description

Beginning in a headers frame, and continuing in so-called continuation frames, with reassembly needed to be done...

Then, we need to avoid quadratic complexity of Huffman decoding as golang CVE 2023-1571


Files

cont.pcap (2.53 KB), Philippe Antoine, 12/19/2023 08:33 PM

Subtasks 2 (0 open, 2 closed)

  • Security #6717: http2: evasion by splitting header fields over frames (7.0.x backport), Closed, Philippe Antoine
  • Security #6751: http2: evasion by splitting header fields over frames (6.0.x backport), Closed, Philippe Antoine

Updated by Philippe Antoine almost 3 years ago #1

  • Target version changed from TBD to 8.0.0-beta1

Updated by Philippe Antoine over 2 years ago #2

  • Priority changed from Normal to Low

Updated by Philippe Antoine over 2 years ago #3

Attaching a sample pcap

There should be no anomaly and we should have the request header namenamenamenamenamenamenamenamenamename: valuevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevalue
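The reassembly the ticket describes, as an added example that is not part of the thread and not Suricata's code: it builds the header above as one HPACK block, cuts it across a HEADERS frame and two CONTINUATION frames, and compares per-frame decoding with decoding after reassembly. The function names are hypothetical, the sample bytes are constructed, and the decoder assumes a small HPACK subset (raw, non-Huffman literals) and HEADERS frames without padding or priority fields.

```python
import struct
HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4

def frame(ftype, flags, sid, payload):  # 24-bit length, type, flags, stream id
    return struct.pack(">I", len(payload))[1:] + struct.pack(">BBI", ftype, flags, sid) + payload

def parse_frames(data):  # yields (type, flags, stream id, payload) per frame
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags, sid = struct.unpack(">BBI", data[off + 3:off + 9])
        yield ftype, flags, sid & 0x7FFFFFFF, data[off + 9:off + 9 + length]
        off += 9 + length

def decode_literals(block):
    """HPACK subset: literal without indexing, new name, raw strings < 127 bytes."""
    fields, i = [], 0
    while i < len(block):
        if block[i] != 0x00:
            raise ValueError("representation outside the demo subset")
        i, pair = i + 1, []
        for _ in range(2):
            if i >= len(block) or block[i] >= 0x7F or i + 1 + block[i] > len(block):
                raise ValueError("truncated or unsupported string")
            pair.append(block[i + 1:i + 1 + block[i]].decode("ascii"))
            i += 1 + block[i]
        fields.append(tuple(pair))
    return fields

def header_fields(data, reassemble):
    """Decode header fields per frame (reassemble=False) or per header block."""
    fields, buf = [], b""
    for ftype, flags, _sid, payload in parse_frames(data):
        if ftype not in (HEADERS, CONTINUATION):
            continue
        buf = buf + payload if reassemble and ftype == CONTINUATION else payload
        if reassemble and not flags & END_HEADERS:
            continue  # block still open: wait for the remaining fragments
        try:
            fields += decode_literals(buf)
        except ValueError:
            pass  # a lone fragment is not a decodable header block
    return fields

# Constructed sample: the ticket's header, HPACK-encoded and cut into three frames.
NAME, VALUE = "name" * 10, "value" * 20
BLOCK = b"\x00" + bytes([len(NAME)]) + NAME.encode() + bytes([len(VALUE)]) + VALUE.encode()
SPLIT = (frame(HEADERS, 0, 1, BLOCK[:17]) + frame(CONTINUATION, 0, 1, BLOCK[17:60])
         + frame(CONTINUATION, END_HEADERS, 1, BLOCK[60:]))
```

`header_fields(SPLIT, reassemble=False)` finds no header at all, while `header_fields(SPLIT, reassemble=True)` returns the single name/value pair the comment above expects.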

Updated by Philippe Antoine about 2 years ago #4

  • Tracker changed from Bug to Security
  • Severity set to MODERATE

Evasion is a security issue, right? Which severity?
An attacker can hide its HTTP2 headers from Suricata now...

Updated by Philippe Antoine about 2 years ago #5

  • Priority changed from Low to Normal

Updated by Philippe Antoine about 2 years ago #6

  • Status changed from New to In Review

Gitlab MR

Updated by Jason Ish about 2 years ago #7

Philippe: Are backports required?

Updated by Philippe Antoine about 2 years ago #8

Jason Ish wrote in #note-7:

Philippe: Are backports required?

I guess so.

That depends if this is assessed a security issue versus an evasion or a feature...

Updated by Victor Julien about 2 years ago #9

  • Label Needs backport to 7.0 added

Updated by OISF Ticketbot about 2 years ago #10

  • Subtask #6717 added

Updated by OISF Ticketbot about 2 years ago #11

  • Label deleted (Needs backport to 7.0)

Updated by Jason Ish about 2 years ago #12

  • Label Needs backport to 6.0 added

Updated by OISF Ticketbot about 2 years ago #13

  • Subtask #6751 added

Updated by OISF Ticketbot about 2 years ago #14

  • Label deleted (Needs backport to 6.0)

Updated by Victor Julien about 2 years ago #15

  • CVE set to 2024-24568

Updated by Philippe Antoine about 2 years ago #16

  • Status changed from In Review to Closed
  • Git IDs updated (diff)

Updated by Philippe Antoine about 2 years ago #17

  • Severity changed from MODERATE to HIGH

not critical because does not fit

evasions with a wide scope are considered to be in-scope

But High as Tier 1

Updated by Victor Julien about 2 years ago #18

  • Private changed from Yes to No