The vulnerability exploits a design flaw in the HTTP/2 protocol's stream management. The server maintains a counter of active streams, capped by SETTINGS_MAX_CONCURRENT_STREAMS (typically 100). An attacker sends a valid request and then a malformed control frame (e.g., a WINDOW_UPDATE with an increment of 0). This forces the server to send a RST_STREAM frame to reset that stream. The protocol immediately decrements the active stream counter, but the server's backend may continue processing the cancelled request. By rapidly repeating this request-then-reset cycle, an attacker can open an unbounded number of streams on a single connection, bypassing the concurrency limit. This leads to resource exhaustion (CPU/memory) on the server, causing a Denial-of-Service. It differs from Rapid Reset in that the server, not the client, is made to send the reset, which bypasses rate limits on client-sent RST_STREAM frames.
Platform: HTTP/2 Servers
Version: Multiple Implementations
Vulnerability: DDoS
Severity: Critical
Date: 2023-10-10
Prediction: 2023-11-15
What Undercode Says:
Crafting a malicious WINDOW_UPDATE frame with h2i:

    echo -e "GET / HTTP/1.1\n\n" | h2i example.com
    # select a stream ID, then send:
    WINDOW_UPDATE 1 --increment=0

Raw bytes of the same frame (9-byte frame header followed by the 4-byte payload, RFC 9113 framing):

    // Example of a malicious zero-increment WINDOW_UPDATE frame
    unsigned char malformed_frame[] = {
        0x00, 0x00, 0x04,        // Length: 4 bytes
        0x08,                    // Type: WINDOW_UPDATE (8)
        0x00,                    // Flags: None
        0x00, 0x00, 0x01,        // Stream Identifier: 1 (high bit of the 4-byte field is reserved)
        0x00, 0x00, 0x00, 0x00   // Window Size Increment: 0 (Invalid)
    };
How to exploit:
Send a request, trigger a server-side reset, repeat to exhaust resources.
Protection from this CVE
Patch implementations, limit server RST_STREAM rate, treat flow errors as connection errors, disable HTTP/2.
Impact:
CPU/Memory Exhaustion, DDoS.
Sources:
Reported By: github.com