Design weakness found on SwiftNIO HTTP2 (9th Feb 2022)

Preface: Apple announced the launch of its new operating system, macOS 10.15 Catalina, on October 7, 2019. In keeping with Apple’s release cycle, macOS 10.12 Sierra no longer receives security updates; Sierra was succeeded by High Sierra 10.13, Mojave 10.14 and the newest release, Catalina 10.15.

Background: SwiftNIO is Apple’s non-blocking, event-driven networking library. It can be used to write either client libraries or server frameworks, works on macOS, iOS and Linux, and is the library on which backend servers in the Swift programming language are built. SwiftNIO HTTP/2 (swift-nio-http2) adds HTTP/2 support for Swift projects using SwiftNIO; it follows SemVer 2.0.0, with a separate document declaring what counts as SwiftNIO’s public API. In SwiftNIO you cannot model concurrent execution without at least one event loop: to run asynchronous code you ask an EventLoopGroup for an EventLoop, and its next() method hands out event loops in a round-robin fashion.

Does SemVer have a size limit on the version string?
No, but use good judgment. A 255 character version string is probably overkill, for example. Also, specific systems may impose their own limits on the size of the string.

Vulnerability details:

CVE-2022-24668 – a network peer sending ALTSVC or ORIGIN frames could trigger a denial of service. Fixed by rewriting the parsing code to handle the condition correctly.
CVE-2022-24667 – a network peer sending a specially crafted HPACK-encoded header block could trigger a denial of service. Fixed by rewriting the parsing code to handle all conditions in the affected function correctly.
CVE-2022-24666 – a network peer sending a specially crafted HTTP/2 frame could trigger a denial of service. Fixed by rewriting the parsing code to handle the condition correctly.
All three are reached while parsing bytes from the connection, before any application-level authentication, so any peer that can open an HTTP/2 connection to a server built on the affected versions can exercise them.
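The three CVEs share one shape: a length or index the peer supplies is used before it is checked against the bytes actually received. As an added example written for this page (Python, illustrating the bug class rather than the specific defect fixed in swift-nio-http2), the ALTSVC (RFC 7838) and ORIGIN (RFC 8336) payloads both carry a peer-chosen Origin-Len field. The unguarded parser below trusts it and lets the resulting exception escape, which on a shared event loop hurts every connection it serves (in Swift an out-of-range subscript traps the whole process); the hardened parser validates each length against the bytes that remain and reports a ProtocolError that the connection can answer with GOAWAY. The frame bytes are constructed here, and `ProtocolError`, `build_frame`, `demo` and `is_rejected` are names chosen for this example.

```python
# Added example, not SwiftNIO code: bounds-checked ALTSVC / ORIGIN frame parsing.
import struct

FRAME_HEADER_LEN = 9
FRAME_TYPE_ALTSVC = 0x0A        # RFC 7838 section 4
FRAME_TYPE_ORIGIN = 0x0C        # RFC 8336 section 2
DEFAULT_MAX_FRAME_SIZE = 16384  # initial SETTINGS_MAX_FRAME_SIZE, RFC 7540 section 6.5.2


class ProtocolError(Exception):
    """Malformed peer input: answer with GOAWAY and drop this one connection."""


def build_frame(ftype, stream_id, payload, flags=0):
    """Frame header (RFC 7540 section 4.1) plus payload; used only to construct input."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def naive_parse_origin_list(payload):
    """Unguarded: trusts Origin-Len, so a peer decides whether struct.error escapes."""
    origins, pos = [], 0
    while pos < len(payload):
        (olen,) = struct.unpack_from(">H", payload, pos)
        (origin,) = struct.unpack_from(f">{olen}s", payload, pos + 2)  # dies if olen lies
        origins.append(origin.decode("ascii"))
        pos += 2 + olen
    return origins


def parse_origin_list(payload):
    """Hardened: (Origin-Len, ASCII-Origin)* with every length checked first."""
    origins, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ProtocolError("truncated Origin-Len")
        olen = int.from_bytes(payload[pos:pos + 2], "big")
        pos += 2
        if olen > len(payload) - pos:
            raise ProtocolError(f"Origin-Len {olen} exceeds remaining {len(payload) - pos}")
        try:
            origins.append(payload[pos:pos + olen].decode("ascii"))
        except UnicodeDecodeError:
            raise ProtocolError("origin is not ASCII") from None
        pos += olen
    return origins


def parse_altsvc(payload):
    """Hardened: Origin-Len, Origin, then the Alt-Svc field value fills the rest."""
    if len(payload) < 2:
        raise ProtocolError("ALTSVC payload shorter than Origin-Len")
    olen = int.from_bytes(payload[:2], "big")
    if olen > len(payload) - 2:
        raise ProtocolError("ALTSVC Origin-Len exceeds payload")
    try:
        return payload[2:2 + olen].decode("ascii"), payload[2 + olen:].decode("ascii")
    except UnicodeDecodeError:
        raise ProtocolError("ALTSVC fields are not ASCII") from None


def decode_frame(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Parse one complete frame; returns (type_name, stream_id, parsed_payload)."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ProtocolError("short frame header")
    length = int.from_bytes(buf[0:3], "big")
    ftype = buf[3]
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF
    if length > max_frame_size:
        raise ProtocolError("FRAME_SIZE_ERROR")          # RFC 7540 section 4.2
    if len(buf) < FRAME_HEADER_LEN + length:
        raise ProtocolError("frame payload truncated")
    payload = buf[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if ftype == FRAME_TYPE_ALTSVC:
        return ("ALTSVC", stream_id, parse_altsvc(payload))
    if ftype == FRAME_TYPE_ORIGIN:
        if stream_id != 0:
            return ("ORIGIN", stream_id, None)           # RFC 8336: ignore off stream 0
        return ("ORIGIN", stream_id, parse_origin_list(payload))
    return ("OTHER", stream_id, payload)                 # unknown types are ignored


# Constructed input: a well-formed ORIGIN frame, and crafted frames whose Origin-Len
# claims far more bytes than the frame carries.
GOOD_ORIGIN = build_frame(FRAME_TYPE_ORIGIN, 0,
                          b"\x00\x13https://example.com" + b"\x00\x13https://example.org")
CRAFTED_ORIGIN = build_frame(FRAME_TYPE_ORIGIN, 0, b"\xff\xffhttps://evil.example")
CRAFTED_ALTSVC = build_frame(FRAME_TYPE_ALTSVC, 0, b"\x00\x40")  # Origin-Len 64, no origin


def is_rejected(frame):
    try:
        decode_frame(frame)
    except ProtocolError:
        return True
    return False


def demo():
    """Which inputs each parser survives: the naive one dies on crafted input."""
    results = {}
    for name, frame in (("good", GOOD_ORIGIN), ("crafted", CRAFTED_ORIGIN)):
        try:
            naive_parse_origin_list(frame[FRAME_HEADER_LEN:])
            results[f"naive_{name}"] = "ok"
        except struct.error:
            results[f"naive_{name}"] = "crashed"
        results[f"hardened_{name}"] = "rejected" if is_rejected(frame) else "ok"
    return results
```

The rule the hardened version follows is the one a frame parser needs everywhere: every length field is checked against the bytes remaining before it is used to slice, and a violation is reported as a connection error rather than allowed to propagate.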

Ref. 1: Security concern with HPACK (RFC 7541) – denial of service resulting from exhausting processing or memory capacity at a decoder. Everything the decoder works with is chosen by the peer: the size of each encoded integer, the declared length of each string, the dynamic table size it asks for and the total size of the header list, so each of these must be bounded before it costs CPU or memory.
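As an added example written for this page (Python, not the swift-nio-http2 decoder), here is an HPACK decoder subset that puts a limit on each of those quantities: integers are capped at four continuation bytes, a string length is checked against the bytes present before anything is copied, a dynamic table size update may not exceed our SETTINGS_HEADER_TABLE_SIZE, and the running size of the decoded header list is checked against SETTINGS_MAX_HEADER_LIST_SIZE. Huffman-coded strings and static table lookups are deliberately left out (they are not where the limits live), and the class, the limit values and the sample header blocks are constructed for this example.

```python
# Added example, not swift-nio-http2 code: a bounded HPACK (RFC 7541) decoder subset.
STATIC_TABLE_SIZE = 61   # RFC 7541 Appendix A; static lookups are omitted in this example
ENTRY_OVERHEAD = 32      # per-entry accounting overhead, RFC 7541 section 4.1


class ProtocolError(Exception):
    """COMPRESSION_ERROR: close this connection, keep the process alive."""


class BoundedHpackDecoder:
    """Literal fields with raw strings, dynamic table size updates and indexed
    references into the dynamic table, with every peer-chosen size bounded."""

    def __init__(self, max_table_size=4096, max_header_list_size=8192):
        self.max_table_size = max_table_size      # our advertised SETTINGS_HEADER_TABLE_SIZE
        self.table_limit = max_table_size         # limit currently selected by the encoder
        self.max_header_list_size = max_header_list_size
        self.dynamic = []                         # newest entry first: (name, value)
        self.table_bytes = 0

    @staticmethod
    def read_integer(buf, pos, prefix_bits):
        """Section 5.1 integer, capped so a peer cannot make us loop forever."""
        mask = (1 << prefix_bits) - 1
        if pos >= len(buf):
            raise ProtocolError("truncated integer")
        value, pos = buf[pos] & mask, pos + 1
        if value < mask:
            return value, pos
        shift = 0
        while True:
            if pos >= len(buf):
                raise ProtocolError("truncated integer")
            if shift >= 28:                       # more than 4 continuation bytes
                raise ProtocolError("integer too large")
            byte, pos = buf[pos], pos + 1
            value += (byte & 0x7F) << shift
            shift += 7
            if not byte & 0x80:
                return value, pos

    def read_string(self, buf, pos):
        """Section 5.2 string; declared length is checked before any copy."""
        if pos >= len(buf):
            raise ProtocolError("truncated string")
        huffman = buf[pos] & 0x80
        length, pos = self.read_integer(buf, pos, 7)
        if huffman:
            raise ProtocolError("Huffman string (decoding omitted in this example)")
        if length > len(buf) - pos:
            raise ProtocolError(f"string length {length} exceeds remaining {len(buf) - pos}")
        return bytes(buf[pos:pos + length]), pos + length

    def _evict(self, limit):
        while self.dynamic and self.table_bytes > limit:
            name, value = self.dynamic.pop()      # oldest entry goes first, section 4.3
            self.table_bytes -= len(name) + len(value) + ENTRY_OVERHEAD

    def _add(self, name, value):
        self.dynamic.insert(0, (name, value))
        self.table_bytes += len(name) + len(value) + ENTRY_OVERHEAD
        self._evict(self.table_limit)             # an oversized entry empties the table, 4.4

    def _lookup(self, index):
        if index == 0:
            raise ProtocolError("index 0 is invalid")
        if index <= STATIC_TABLE_SIZE:
            raise ProtocolError("static table lookup omitted in this example")
        i = index - STATIC_TABLE_SIZE - 1
        if i >= len(self.dynamic):
            raise ProtocolError("index beyond the dynamic table")
        return self.dynamic[i]

    def _literal(self, block, pos, index):
        name = self._lookup(index)[0] if index else None
        if name is None:
            name, pos = self.read_string(block, pos)
        value, pos = self.read_string(block, pos)
        return name, value, pos

    def decode(self, block):
        """Decode one header block, enforcing SETTINGS_MAX_HEADER_LIST_SIZE."""
        headers, list_bytes, pos = [], 0, 0
        while pos < len(block):
            b, add = block[pos], False
            if b & 0x80:                              # indexed field, section 6.1
                index, pos = self.read_integer(block, pos, 7)
                name, value = self._lookup(index)
            elif b & 0xC0 == 0x40:                    # literal with incremental indexing, 6.2.1
                index, pos = self.read_integer(block, pos, 6)
                name, value, pos = self._literal(block, pos, index)
                add = True
            elif b & 0xE0 == 0x20:                    # dynamic table size update, 6.3
                size, pos = self.read_integer(block, pos, 5)
                if size > self.max_table_size:
                    raise ProtocolError("size update above SETTINGS_HEADER_TABLE_SIZE")
                self.table_limit = size
                self._evict(size)
                continue
            else:                                     # literal without / never indexed, 6.2.2-3
                index, pos = self.read_integer(block, pos, 4)
                name, value, pos = self._literal(block, pos, index)
            list_bytes += len(name) + len(value) + ENTRY_OVERHEAD
            if list_bytes > self.max_header_list_size:
                raise ProtocolError("header list above SETTINGS_MAX_HEADER_LIST_SIZE")
            if add:
                self._add(name, value)
            headers.append((name, value))
        return headers


def literal_with_indexing(name, value):
    """Constructed input: '01' pattern, literal name, raw strings shorter than 127 bytes."""
    return b"\x40" + bytes([len(name)]) + name + bytes([len(value)]) + value


# Constructed header blocks: one valid, three crafted.
GOOD = literal_with_indexing(b":path", b"/index.html") + b"\xbe"  # 0xBE: index 62 = newest entry
HUGE_INTEGER = b"\x7f" + b"\xff" * 8      # an index whose continuation bytes never end
LYING_LENGTH = b"\x00\x7f\xff\x7f"        # name length 16510 with nothing behind it
OVERSIZED_TABLE = b"\x3f\xe1\x7f"         # size update to 16384 against a 4096 limit


def outcome(block, **limits):
    """'ok' or 'rejected' for a fresh decoder with the given limits."""
    try:
        BoundedHpackDecoder(**limits).decode(block)
        return "ok"
    except ProtocolError:
        return "rejected"
```

Each rejection is raised before the decoder allocates or loops in proportion to the bad value, which is the property the reference describes: the peer may pick any bytes it likes, but not how much of our memory or CPU they cost.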

Ref. 2: Some regular expression engines have a feature called “backtracking”: if the token cannot match, the engine “backtracks” to a position that may result in a different token that can match.
Backtracking becomes a weakness if all of these conditions are met:

  • The number of possible backtracking attempts is exponential relative to the length of the input.
  • The input can fail to match the regular expression.
  • The input can be long enough.

Attackers can craft inputs that intentionally cause the regular expression to backtrack excessively, making CPU consumption spike (a regular expression denial of service, ReDoS). The pattern is the same one behind the advisories above: input chosen by an untrusted peer drives the work a parser does, so the parser, not the peer, has to bound it.
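As an added example written for this page (Python, not from the referenced text), the pattern below meets all three conditions: nested quantifiers give 2^(n-1) ways to split a run of n a's between the inner and outer `+`, a trailing `!` makes every split fail, and the attacker picks n. Next to it is a pattern for the same language with a single way to match, plus an input length cap, which together are the usual fix. The names `VULNERABLE`, `SAFE`, `MAX_INPUT`, `timed_match`, `check_safely` and `probe` are chosen for this example.

```python
# Added example, not from the page: exponential backtracking next to a linear rewrite.
import re
import time

# Nested quantifiers: on "a" * n + "!" the engine tries every way of splitting the
# a's between the inner and outer '+' before it can report failure.
VULNERABLE = re.compile(r"^(a+)+$")
# Same language (one or more a's), one way to match, so failure is found in linear time.
SAFE = re.compile(r"^a+$")
MAX_INPUT = 64   # the other half of the fix: bound how long the regex input can be


def timed_match(pattern, text):
    """Return (matched, seconds) for one match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def check_safely(text):
    """Hardened entry point: reject oversized input, then use the linear pattern."""
    if len(text) > MAX_INPUT:
        return False
    return SAFE.match(text) is not None


def probe(n):
    """Constructed failing input of n a's followed by '!', timed against both patterns."""
    text = "a" * n + "!"
    return {"vulnerable": timed_match(VULNERABLE, text), "safe": timed_match(SAFE, text)}


if __name__ == "__main__":
    # Each step of 4 in n multiplies the vulnerable time by roughly 16; the safe
    # pattern stays flat. Keep n small if you try this on a shared machine.
    for n in (10, 14, 18, 22):
        r = probe(n)
        print(f"n={n:2d}  vulnerable={r['vulnerable'][1]:.4f}s  safe={r['safe'][1]:.6f}s")
```

The same two controls apply to a network parser: write the grammar so that the cost of rejecting bad input is linear, and cap the size of what you are willing to parse.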

Remedy: Upgrade to a swift-nio-http2 release that contains the rewritten parsing code. Where that is not immediately possible, the risk can be mitigated by preventing untrusted peers from communicating with the service, for example by terminating TLS and HTTP/2 at a trusted proxy in front of it so that the vulnerable parser only ever sees frames the proxy has already decoded and re-encoded.
