NRDAX-T0112 - HTTP/2 Rapid Reset Stream Exhaustion
memory_amp · active · first seen 2023-01-01
provenance: Reproduced in NullRabbit's attack-reproduction pipeline
mechanism
CVE-2023-26964 (RUSTSEC-2023-0034): the Rust h2 crate < 0.3.17 does not release stream memory immediately on RST_STREAM and - pre-0.3.17 - has NO bound on streams in the pending-accept-but-remotely-re
instances (2)
| chain | primitive | fidelity | origin | reproducer (bundle) | source |
|---|---|---|---|---|---|
| polkadot | substrate_h2_rapid_reset | lab | reverse-engineered-cve | substrate_h2_rapid_reset | CVE-2023-26964 (RUSTSEC-2023-0034 / GHSA-f8vr-r385-rh5r) — https://nvd.nist.gov/vuln/detail/CVE-2023-26964, https://rustsec.org/advisories/RUSTSEC-2023-0034.html . HTTP/2 Rapid Reset (CVE-2023-44487 class) resource-exhaustion DoS in the Rust h2 crate < 0.3.17: a flood of HEADERS/RST_STREAM frames grows the pending-accept-reset stream queue unbounded in memory -> OOM. CVSS 3.1 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), CWE-770. Consumed by substrate/polkadot via hyper on the RPC & prometheus HTTP servers; bumped 0.3.16 -> 0.3.17 in paritytech/substrate#13915 (https://github.com/paritytech/substrate/pull/13915). Fix: hyperium/h2#668 (https://github.com/hyperium/h2/pull/668) adds max_pending_accept_reset_streams + GOAWAY(ENHANCE_YOUR_CALM). |
| walrus | walrus_http2_rapid_reset | lab | NullRabbit Labs | walrus_http2_rapid_reset | MystenLabs/walrus crates/walrus-service/src/node/config.rs:1800 http2_max_pending_accept_reset_streams=u32::MAX (compile-time default) → crates/walrus-service/src/node/server.rs:300 axum-server 0.8 HTTP/2 builder (h2 crate); disables the post-CVE-2023-44487 pending-accept-reset accounting limit. CVE-2023-44487 HTTP/2 Rapid Reset class; walrus-node 1.48.1 (axum-server 0.8 / h2 0.4 / rustls 0.23). |
references
related (memory_amp)
NRDAX-T0023 - Coalesced Packet Buffer Leak active NRDAX-T0025 - Compact Block Size Integer Overflow active NRDAX-T0038 - Count Underflow Header Serving Amplification active NRDAX-T0042 - Crypto Frame Reassembly Buffer Exhaustion active NRDAX-T0046 - Decompression Bomb Resource Exhaustion active NRDAX-T0059 - Duplicate Transport Parameter Memory Leak active NRDAX-T0061 - Duplicate Tx Mempool Index Desync active NRDAX-T0071 - Ethash Verification Memory Exhaustion active
cite
https://nrdax.com/techniques/NRDAX-T0112
plain
NRDAX Registry. Technique NRDAX-T0112.
bibtex
@misc{nrdax_NRDAX_T0112,
title = {HTTP/2 Rapid Reset Stream Exhaustion (NRDAX-T0112)},
howpublished = {NRDAX Registry},
url = {https://nrdax.com/techniques/NRDAX-T0112},
} json (csl)
{
"id": "nrdax-NRDAX-T0112",
"type": "dataset",
"title": "HTTP/2 Rapid Reset Stream Exhaustion (NRDAX-T0112)",
"URL": "https://nrdax.com/techniques/NRDAX-T0112",
"publisher": "NRDAX Registry"
}