{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/desynchronization/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["netty-codec-http (\u003e= 4.2.0.Alpha1, \u003c= 4.2.12.Final)","netty-codec-http (\u003c= 4.1.132.Final)"],"_cs_severities":["high"],"_cs_tags":["netty","http","desynchronization","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Netty"],"content_html":"\u003cp\u003eA response desynchronization vulnerability exists in Netty\u0026rsquo;s \u003ccode\u003eHttpClientCodec\u003c/code\u003e when HTTP/1.1 pipelining is enabled, HEAD requests are present in the request pipeline, and the server sends 1xx responses. This occurs because the \u003ccode\u003eHttpClientCodec\u003c/code\u003e incorrectly pairs inbound responses with outbound requests, specifically when a server sends a 1xx response followed by a 200 response with a body for a GET request, and then a 200 response for a subsequent HEAD request. The \u003ccode\u003eHttpClientCodec\u003c/code\u003e may incorrectly pair the HEAD request with the first 200 response, skipping the message body and causing subsequent responses to be parsed from the wrong offset. This can lead to data integrity issues and potentially unsafe socket reuse. The vulnerability affects Netty versions 4.2.0.Alpha1 through 4.2.12.Final and all versions up to 4.1.132.Final.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker initiates a series of HTTP/1.1 requests, including a GET request followed by a HEAD request, leveraging HTTP pipelining for efficiency.\u003c/li\u003e\n\u003cli\u003eThe malicious client sends a GET request for a resource (e.g., \u003ccode\u003e/1\u003c/code\u003e) immediately followed by a HEAD request for another resource (e.g., \u003ccode\u003e/2\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable Netty server processes the GET request and sends a 103 Early Hints response, followed by a 200 OK response containing the body of the GET request (e.g., \u0026ldquo;hello\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe server then processes the HEAD request and sends a 200 OK response without a body, as is standard for HEAD requests.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eHttpClientCodec\u003c/code\u003e on the client side incorrectly pairs the HEAD request with the initial 200 OK response from the GET request, due to the intervening 103 response.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eHttpClientCodec\u003c/code\u003e skips the GET response body (\u0026ldquo;hello\u0026rdquo;) when processing the HEAD response, leaving those bytes unread on the input stream.\u003c/li\u003e\n\u003cli\u003eThe subsequent HTTP response is then parsed from the wrong offset in the input stream, leading to parsing failures or incorrect data being associated with the wrong request.\u003c/li\u003e\n\u003cli\u003eThe attacker can exploit this desynchronization to potentially inject malicious content or intercept sensitive data meant for other requests, compromising the integrity and availability of the connection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a loss of integrity and availability of HTTP parsing, causing incorrect or incomplete data to be processed by the client application. This can result in application errors, data corruption, or the exposure of sensitive information. Furthermore, the unsafe reuse of the socket could lead to further exploitation of the compromised connection. While the exact number of affected systems is unknown, any application relying on the vulnerable versions of Netty\u0026rsquo;s \u003ccode\u003eHttpClientCodec\u003c/code\u003e and utilizing HTTP/1.1 pipelining with HEAD requests is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Netty that addresses CVE-2026-42584. Specifically, upgrade beyond version 4.2.12.Final or version 4.1.132.Final.\u003c/li\u003e\n\u003cli\u003eIf upgrading Netty is not immediately feasible, consider disabling HTTP/1.1 pipelining as a temporary mitigation. This will prevent the conditions necessary for the desynchronization to occur.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Netty HttpClientCodec Response Desync Error\u003c/code\u003e to identify potential exploitation attempts by monitoring for HTTP responses with decoder failures after a series of pipelined requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:00Z","date_published":"2024-01-03T18:22:00Z","id":"/briefs/2024-01-netty-desync/","summary":"The Netty HttpClientCodec is vulnerable to response desynchronization when configured with HTTP/1.1 pipelining, HEAD requests, and the server sends 1xx responses, leading to a response body from one request being parsed as another and potentially unsafe socket reuse.","title":"Netty HttpClientCodec Response Desynchronization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-netty-desync/"}],"language":"en","title":"CraftedSignal Threat Feed — Desynchronization","version":"https://jsonfeed.org/version/1.1"}