<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Spdystream - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/spdystream/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 16:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/spdystream/feed.xml" rel="self" type="application/rss+xml"/><item><title>spdystream SPDY/3 Frame Parser Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2024-01-spdystream-dos/</link><pubDate>Tue, 09 Jan 2024 16:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-spdystream-dos/</guid><description>The SPDY/3 frame parser in spdystream before v0.5.1 improperly validates attacker-controlled counts and lengths, allowing a remote attacker to trigger excessive memory allocation and cause a denial-of-service condition.</description><content:encoded><![CDATA[<p>The <code>spdystream</code> library, specifically versions 0.5.0 and earlier, contains a vulnerability in its SPDY/3 frame parser. This vulnerability allows a remote attacker to cause a denial-of-service (DoS) by sending specially crafted SPDY frames to a service that utilizes <code>spdystream</code>. The vulnerability stems from the lack of validation of attacker-controlled counts and lengths before memory allocation, leading to excessive memory usage and, ultimately, an out-of-memory crash. A single crafted SPDY control frame is sufficient to exhaust the process's memory. This issue was resolved in version 0.5.1. The affected package is <code>github.com/moby/spdystream</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker establishes a SPDY connection with a service using the vulnerable <code>spdystream</code> library.</li>
<li>The attacker crafts a SPDY SETTINGS frame with a malicious <code>numSettings</code> value exceeding the frame length.</li>
<li>The vulnerable <code>spdystream</code> library receives the crafted SETTINGS frame.</li>
<li>The <code>SETTINGS</code> frame reader allocates memory based on the attacker-controlled <code>numSettings</code> without proper validation.</li>
<li>Alternatively, the attacker sends a zlib-compressed SPDY header block.</li>
<li>The vulnerable <code>spdystream</code> library decompresses the header block, resulting in attacker-controlled bytes interpreted as <code>numHeaders</code>.</li>
<li>The <code>parseHeaderValueBlock</code> function allocates an <code>http.Header</code> map of the specified <code>numHeaders</code> size without any upper bound, exhausting available memory.</li>
<li>The process crashes due to an out-of-memory error, causing a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Any program accepting SPDY connections through the vulnerable <code>spdystream</code> library is susceptible. A successful attack allows a remote peer to crash the process with a single, specially crafted SPDY control frame. This leads to a denial-of-service condition, potentially impacting the availability of critical services. While the exact number of victims and sectors targeted remains unknown, the widespread use of SPDY and related protocols makes this a significant concern.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>github.com/moby/spdystream</code> library to version 0.5.1 or later to patch the vulnerability (reference: Affected versions and Fix sections).</li>
<li>Deploy a network intrusion detection system (NIDS) rule to detect SPDY frames with abnormally large <code>numSettings</code> values in <code>SETTINGS</code> frames (reference: Attack Chain step 2).</li>
<li>Implement rate limiting for SPDY connections to mitigate the impact of potential DoS attacks (reference: Overview and Impact sections).</li>
<li>Monitor application logs for out-of-memory errors related to <code>spdystream</code> to identify potential exploitation attempts (reference: Impact section).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>spdy</category><category>denial-of-service</category><category>memory-allocation</category><category>spdystream</category></item></channel></rss>