Closed Bug 1881183 (CVE-2024-3302) Opened 1 year ago Closed 11 months ago

[VU#421644] Possible OOM DOS attack via Http2 CONTINUATION frames

Categories

(Core :: Networking: HTTP, defect, P2)

Product:
Core
Component:
Networking: HTTP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
126 Branch
Tracking Flags:
Tracking Status
firefox-esr115 125+ fixed
firefox124 --- wontfix
firefox125 + fixed
firefox126 + fixed

People

(Reporter: jesup, Assigned: kershaw)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, sec-low, Whiteboard: [embargo while bug 1881164 is][necko-triaged][necko-priority-queue][adv-main125+][adv-esr115.10+])

Attachments

(7 files)

Bug 1881183 - Migrate network_http_max_response_header_size to static prefs, r=#necko
48 bytes, text/x-phabricator-request
Details | Review
Bug 1881183 - Avoid allocating too much memory when receiving CONTINUATION frame, r=#necko
48 bytes, text/x-phabricator-request
Details | Review
Bug 1881183 - Migrate network_http_max_response_header_size to static prefs, r=#necko
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr115+
Details | Review
Bug 1881183 - Avoid allocating too much memory when receiving CONTINUATION frame, r=#necko
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr115+
Details | Review
Bug 1881183 - Migrate network_http_max_response_header_size to static prefs, r=#necko
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1881183 - Avoid allocating too much memory when receiving CONTINUATION frame, r=#necko
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
advisory.txt
248 bytes, text/plain
Details

There's no limit on the number of Continuation Header frames we'll append to a header, even past the maximum size. This could be leveraged by an evil server to OOM a client. There may be a few variations; see the linked bug.

Whiteboard: [necko-triaged][necko-priority-new] → [embargo while bug 1881164 is][necko-triaged][necko-priority-new]
Whiteboard: [embargo while bug 1881164 is][necko-triaged][necko-priority-new] → [embargo while bug 1881164 is][necko-triaged][necko-priority-queue]
Assignee: nobody → kershaw

I suggest that we could utilize the existing preference (network.http.max_response_header_size, set at 384K) as the maximum limit for the size of received headers in HTTP/2. When reviewing the telemetry probe data, it appears that the value of mAggregatedHeaderSize is smaller than this limit, indicating that the 384K limit should be fine.

Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8569d595f6ef Migrate network_http_max_response_header_size to static prefs, r=necko-reviewers,valentin https://hg.mozilla.org/integration/autoland/rev/b46491dc7c5a Avoid allocating too much memory when receiving CONTINUATION frame, r=necko-reviewers,valentin

https://hg.mozilla.org/mozilla-central/rev/8569d595f6ef
https://hg.mozilla.org/mozilla-central/rev/b46491dc7c5a

Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 11 months ago
status-firefox126: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch

Does this need backport? It grafts cleanly to all branches.

status-firefox124: --- → wontfix
status-firefox125: --- → affected
status-firefox-esr115: --- → affected
Flags: needinfo?(kershaw)
Flags: in-testsuite+

(In reply to Ryan VanderMeulen [:RyanVM] from comment #6)

Does this need backport? It grafts cleanly to all branches.

Thanks for asking.
I think it's fine to let this ride the train, since this is a sec-low issue.

Flags: needinfo?(kershaw)

The patch landed in nightly and beta is affected.
:kershaw, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox125 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(kershaw)
status-firefox125: affectedwontfix
Flags: needinfo?(kershaw)

(In reply to Kershaw Chang [:kershaw] from comment #7)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #6)

Does this need backport? It grafts cleanly to all branches.

Thanks for asking.
I think it's fine to let this ride the train, since this is a sec-low issue.

It may be a "safe crash" kind of annoyance, but it's also a potentially high-profile cross-industry that is already getting attention. CERT is bugging everyone for status on whether their company is affected. Not just software companies who write networking code, but generally whether their companies are running any of the known affected software from other vendors. It's going to be on government checklists where companies selling services to the gov't have to attest their software is not vulnerable, and several vendors are selling things based on stable Linux distros with ESR Firefox.

We're treating this as "sec-low" because users can recover and then stay away from the asshole server that's crashing them. This is being treated as "sec-high" or close to it by most companies who need to keep their servers running or they are losing buckets of money and customer good will.

We need to ship this on ESR-115. We might as well ship it in Fx125 so we don't undercut any good messaging we got out of how quickly we were able to respond to the Pwn2Own exploit.

status-firefox125: wontfixaffected
status-firefox-esr115: wontfixaffected
tracking-firefox125: --- → ?
tracking-firefox-esr115: --- → ?
Summary: Possible OOM DOS attack via Http2 CONTINUATION frames → [VU#421644] Possible OOM DOS attack via Http2 CONTINUATION frames

We definitely should not have checked tests in during the embargo period. Catching some heat for that

assigning CVE-2024-3302 to our implementation's instance of this flaw.

Alias: CVE-2024-3302

Valentin, can you please nominate this for uplift since Kershaw is on PTO?

tracking-firefox125: ?+
tracking-firefox126: --- → +
tracking-firefox-esr115: ?125+
Flags: needinfo?(valentin.gosu)
Attachment #9395133 - Flags: approval-mozilla-esr115?
Attachment #9395134 - Flags: approval-mozilla-esr115?

esr115 Uplift Approval Request

  • User impact if declined: Potential DOS by server
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: -
  • Risk associated with taking this patch: low
  • Explanation of risk level: The patch is well tested.
  • String changes made/needed: none
  • Is Android affected?: yes
Flags: needinfo?(valentin.gosu)

We need to uplift this to Beta also.

Flags: needinfo?(valentin.gosu)
Attachment #9395148 - Flags: approval-mozilla-beta?
Attachment #9395149 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: Potential DOS by server
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: -
  • Risk associated with taking this patch: low
  • Explanation of risk level: The patch is well tested.
  • String changes made/needed: none
  • Is Android affected?: yes
Flags: needinfo?(valentin.gosu)
Attachment #9395133 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9395134 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9395148 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9395149 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [embargo while bug 1881164 is][necko-triaged][necko-priority-queue] → [embargo while bug 1881164 is][necko-triaged][necko-priority-queue][adv-main125+][adv-esr115.10+]
Attached file advisory.txt
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: