{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/spdy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["spdystream"],"_cs_severities":["high"],"_cs_tags":["spdy","denial-of-service","memory-allocation","spdystream"],"_cs_type":"advisory","_cs_vendors":["Moby"],"content_html":"\u003cp\u003eThe \u003ccode\u003espdystream\u003c/code\u003e library, specifically versions 0.5.0 and earlier, contains a vulnerability in its SPDY/3 frame parser. This vulnerability allows a remote attacker to cause a denial-of-service (DoS) by sending specially crafted SPDY frames to a service that utilizes \u003ccode\u003espdystream\u003c/code\u003e. The vulnerability stems from the lack of validation of attacker-controlled counts and lengths before memory allocation, leading to excessive memory usage and, ultimately, an out-of-memory crash. A single crafted SPDY control frame is sufficient to exhaust the process's memory. This issue was resolved in version 0.5.1. The affected package is \u003ccode\u003egithub.com/moby/spdystream\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker establishes a SPDY connection with a service using the vulnerable \u003ccode\u003espdystream\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a SPDY SETTINGS frame with a malicious \u003ccode\u003enumSettings\u003c/code\u003e value exceeding the frame length.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003espdystream\u003c/code\u003e library receives the crafted SETTINGS frame.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSETTINGS\u003c/code\u003e frame reader allocates memory based on the attacker-controlled \u003ccode\u003enumSettings\u003c/code\u003e without proper validation.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker sends a zlib-compressed SPDY header block.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003espdystream\u003c/code\u003e library decompresses the header block, resulting in attacker-controlled bytes interpreted as \u003ccode\u003enumHeaders\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eparseHeaderValueBlock\u003c/code\u003e function allocates an \u003ccode\u003ehttp.Header\u003c/code\u003e map of the specified \u003ccode\u003enumHeaders\u003c/code\u003e size without any upper bound, exhausting available memory.\u003c/li\u003e\n\u003cli\u003eThe process crashes due to an out-of-memory error, causing a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAny program accepting SPDY connections through the vulnerable \u003ccode\u003espdystream\u003c/code\u003e library is susceptible. A successful attack allows a remote peer to crash the process with a single, specially crafted SPDY control frame. This leads to a denial-of-service condition, potentially impacting the availability of critical services. While the exact number of victims and sectors targeted remains unknown, the widespread use of SPDY and related protocols makes this a significant concern.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003egithub.com/moby/spdystream\u003c/code\u003e library to version 0.5.1 or later to patch the vulnerability (reference: Affected versions and Fix sections).\u003c/li\u003e\n\u003cli\u003eDeploy a network intrusion detection system (NIDS) rule to detect SPDY frames with abnormally large \u003ccode\u003enumSettings\u003c/code\u003e values in \u003ccode\u003eSETTINGS\u003c/code\u003e frames (reference: Attack Chain step 2).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for SPDY connections to mitigate the impact of potential DoS attacks (reference: Overview and Impact sections).\u003c/li\u003e\n\u003cli\u003eMonitor application logs for out-of-memory errors related to \u003ccode\u003espdystream\u003c/code\u003e to identify potential exploitation attempts (reference: Impact section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T16:00:00Z","date_published":"2024-01-09T16:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-spdystream-dos/","summary":"The SPDY/3 frame parser in spdystream before v0.5.1 improperly validates attacker-controlled counts and lengths, allowing a remote attacker to trigger excessive memory allocation and cause a denial-of-service condition.","title":"spdystream SPDY/3 Frame Parser Denial of Service","url":"https://feed.craftedsignal.io/briefs/2024-01-spdystream-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Spdy","version":"https://jsonfeed.org/version/1.1"}