spdystream SPDY/3 Frame Parser Denial of Service
The SPDY/3 frame parser in spdystream before v0.5.1 improperly validates attacker-controlled counts and lengths, allowing a remote attacker to trigger excessive memory allocation and cause a denial-of-service condition.
The spdystream library, specifically versions 0.5.0 and earlier, contains a vulnerability in its SPDY/3 frame parser. This vulnerability allows a remote attacker to cause a denial-of-service (DoS) by sending specially crafted SPDY frames to a service that utilizes spdystream. The vulnerability stems from the lack of validation of attacker-controlled counts and lengths before memory allocation, leading to excessive memory usage and, ultimately, an out-of-memory crash. A single crafted SPDY control frame is sufficient to exhaust the process's memory. This issue was resolved in version 0.5.1. The affected package is github.com/moby/spdystream.
Attack Chain
- The attacker establishes a SPDY connection with a service using the vulnerable
spdystreamlibrary. - The attacker crafts a SPDY SETTINGS frame with a malicious
numSettingsvalue exceeding the frame length. - The vulnerable
spdystreamlibrary receives the crafted SETTINGS frame. - The
SETTINGSframe reader allocates memory based on the attacker-controllednumSettingswithout proper validation. - Alternatively, the attacker sends a zlib-compressed SPDY header block.
- The vulnerable
spdystreamlibrary decompresses the header block, resulting in attacker-controlled bytes interpreted asnumHeaders. - The
parseHeaderValueBlockfunction allocates anhttp.Headermap of the specifiednumHeaderssize without any upper bound, exhausting available memory. - The process crashes due to an out-of-memory error, causing a denial of service.
Impact
Any program accepting SPDY connections through the vulnerable spdystream library is susceptible. A successful attack allows a remote peer to crash the process with a single, specially crafted SPDY control frame. This leads to a denial-of-service condition, potentially impacting the availability of critical services. While the exact number of victims and sectors targeted remains unknown, the widespread use of SPDY and related protocols makes this a significant concern.
Recommendation
- Upgrade the
github.com/moby/spdystreamlibrary to version 0.5.1 or later to patch the vulnerability (reference: Affected versions and Fix sections). - Deploy a network intrusion detection system (NIDS) rule to detect SPDY frames with abnormally large
numSettingsvalues inSETTINGSframes (reference: Attack Chain step 2). - Implement rate limiting for SPDY connections to mitigate the impact of potential DoS attacks (reference: Overview and Impact sections).
- Monitor application logs for out-of-memory errors related to
spdystreamto identify potential exploitation attempts (reference: Impact section).
Detection coverage 2
Detect SPDY SETTINGS Frame with Large numSettings
highDetects SPDY SETTINGS frames with a numSettings value that exceeds the expected frame length, indicating a potential denial-of-service attempt.
Detect SPDY Connection Reset Due to Protocol Error
mediumDetects SPDY connections being reset due to protocol errors, which may indicate exploitation of SPDY parsing vulnerabilities.
Detection queries are available on the platform. Get full rules →