{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/phoenix-framework/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Phoenix Channels","LiveView"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","websocket","memory-exhaustion"],"_cs_type":"advisory","_cs_vendors":["Phoenix Framework"],"content_html":"\u003cp\u003eA vulnerability exists in Bandit, a web server for Elixir, that lets a single unauthenticated WebSocket client exhaust server memory. The flaw is in the fragmented-message reassembly path, which appends the payload of every \u003ccode\u003eContinuation{fin: false}\u003c/code\u003e frame to a per-connection iolist without any cumulative size cap. An attacker can therefore stream continuation frames indefinitely and never send a frame with \u003ccode\u003efin=1\u003c/code\u003e, so the message is never completed and released, and the BEAM heap grows linearly until the operating system or a supervisor terminates the process. Phoenix applications served by Bandit are affected, including any that use Phoenix Channels or LiveView, since both carry their WebSocket traffic through \u003ccode\u003eWebSock\u003c/code\u003e on Bandit. Common deployment topologies do not mitigate the attack: L4 load balancers and HTTP-mode reverse proxies forward WebSocket frames unchanged once the upgrade handshake has completed, so the unbounded reassembly still takes place inside Bandit. 
The recommended fix is to keep a running cumulative byte count in the connection state and to close the connection once a fragmented message would exceed a configurable \u003ccode\u003emax_message_size\u003c/code\u003e, checking the limit before each fragment is appended rather than after.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eEstablish a WebSocket connection to a Bandit-fronted application; no authentication is required.\u003c/li\u003e\n\u003cli\u003eSend a WebSocket text frame with the \u003ccode\u003efin\u003c/code\u003e bit set to \u003ccode\u003e0\u003c/code\u003e to open a fragmented message.\u003c/li\u003e\n\u003cli\u003eSend a stream of continuation frames, each with the \u003ccode\u003efin\u003c/code\u003e bit set to \u003ccode\u003e0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBandit appends each continuation frame\u0026rsquo;s payload to the per-connection iolist.\u003c/li\u003e\n\u003cli\u003eBecause no cap is enforced, the iolist grows linearly in BEAM memory with every frame sent.\u003c/li\u003e\n\u003cli\u003eThe attacker never sends a final frame with \u003ccode\u003efin=1\u003c/code\u003e, so the message is never delivered to the application and the iolist is never cleared.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s memory consumption rises until it reaches the system limit.\u003c/li\u003e\n\u003cli\u003eThe operating system or a supervisor terminates the server process for excessive memory usage, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows unauthenticated denial-of-service attacks through memory exhaustion. A single connection can consume gigabytes of BEAM heap, and a small number of concurrent connections can push the host out of memory. Any Phoenix application served by Bandit that accepts WebSocket connections is affected, including those using Phoenix Channels and LiveView. Because Bandit enforces no cap on the size of a reassembled message, applications are vulnerable in their default configuration. 
A successful attack causes service disruption and downtime.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the fix described above: track a running cumulative byte count in the connection state and enforce a configurable \u003ccode\u003emax_message_size\u003c/code\u003e, closing the connection when a fragmented message would exceed it.\u003c/li\u003e\n\u003cli\u003eRate-limit WebSocket connections per client so that a single source cannot open enough connections to exhaust memory even with the per-message cap in place.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for WebSocket connections that send a large number of continuation frames without a final frame (\u003ccode\u003efin=1\u003c/code\u003e). This requires frame-level visibility, which an L4 load balancer does not provide; a TLS-terminating proxy or sensor is the practical vantage point.\u003c/li\u003e\n\u003cli\u003eMonitor BEAM memory usage on hosts running Bandit to detect anomalous growth, for example a single connection process whose heap keeps growing while no message is ever delivered.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect WebSocket connections that never set the FIN bit on a fragmented message.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-bandit-websocket-dos/","summary":"An unauthenticated attacker can exhaust server memory by sending unbounded WebSocket continuation frames in Bandit-fronted applications, leading to a denial of service.","title":"Bandit WebSocket Memory Exhaustion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-bandit-websocket-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Phoenix Framework","version":"https://jsonfeed.org/version/1.1"}
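The reassembly path and the fix described in the brief above, as an added example in Python (not code from Bandit, WebSock or Phoenix): a minimal RFC 6455 frame builder and parser, a per-connection reassembly state that either mirrors the unbounded append the advisory describes (`max_message_size=None`) or enforces the recommended cumulative cap, and the attacker's frame stream from the attack chain run against both. The names `Connection`, `build_frame`, `parse_frame`, `legit_fragmented_message` and `stream_unterminated_fragments` are this example's own, and the 4096-byte chunk and 1 MB cap are assumed values chosen for illustration.

```python
"""Fragmented WebSocket message reassembly, unbounded (the behaviour the advisory
describes in Bandit) beside a version with the recommended cumulative size cap.
Added example in Python; not Bandit's, WebSock's or Phoenix's code. Frame layout
follows RFC 6455 section 5.2; class and function names are this example's own."""
import os
import struct

OP_CONTINUATION, OP_TEXT, OP_BINARY = 0x0, 0x1, 0x2
CLOSE_PROTOCOL_ERROR, CLOSE_MESSAGE_TOO_BIG = 1002, 1009   # RFC 6455 section 7.4.1


def _mask(payload, key):
    # XOR payload with the repeating 4-byte masking key; one big-int op keeps pure Python fast.
    n = len(payload)
    stream = (key * (n // 4 + 1))[:n]
    return (int.from_bytes(payload, "big") ^ int.from_bytes(stream, "big")).to_bytes(n, "big")


def build_frame(opcode, payload, fin):
    """Serialise one client-to-server frame; clients must mask (RFC 6455 section 5.1)."""
    head = bytes([(0x80 if fin else 0x00) | opcode])
    n = len(payload)
    if n < 126:
        head += bytes([0x80 | n])
    elif n < 1 << 16:
        head += bytes([0x80 | 126]) + struct.pack(">H", n)
    else:
        head += bytes([0x80 | 127]) + struct.pack(">Q", n)
    key = os.urandom(4)
    return head + key + _mask(payload, key)


def parse_frame(buf):
    """Parse one frame from the front of buf -> (fin, opcode, payload, bytes_consumed)."""
    fin, opcode = bool(buf[0] & 0x80), buf[0] & 0x0F
    masked, n, pos = bool(buf[1] & 0x80), buf[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack(">H", buf[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack(">Q", buf[2:10])[0], 10
    key = b""
    if masked:
        key, pos = buf[pos:pos + 4], pos + 4
    payload = buf[pos:pos + n]
    return fin, opcode, (_mask(payload, key) if masked else payload), pos + n


class Connection:
    """Server-side reassembly state for one WebSocket connection.
    max_message_size=None reproduces the unbounded path: fragments are appended to
    `fragments` (the per-connection iolist) and only a fin=1 frame ever frees them.
    With a numeric cap, the running byte count is checked before each append."""

    def __init__(self, max_message_size=None):
        self.max_message_size = max_message_size
        self.fragments = []       # payloads of the in-progress fragmented message
        self.buffered = 0         # running cumulative byte count: the fix's state
        self.messages = []        # completed messages handed to the application
        self.close_code = None    # set once the server refuses the client

    def _close(self, code):
        self.fragments, self.buffered, self.close_code = [], 0, code

    def handle_frame(self, fin, opcode, payload):
        if self.close_code is not None:
            return
        if opcode not in (OP_CONTINUATION, OP_TEXT, OP_BINARY):
            return                                        # control frames are out of scope here
        if opcode == OP_CONTINUATION and not self.fragments:
            self._close(CLOSE_PROTOCOL_ERROR)             # continuation with no message to continue
            return
        if self.max_message_size is not None and self.buffered + len(payload) > self.max_message_size:
            self._close(CLOSE_MESSAGE_TOO_BIG)            # reject before appending, so memory never passes the cap
            return
        self.fragments.append(payload)
        self.buffered += len(payload)
        if fin:                                           # only a fin=1 frame completes and frees the message
            self.messages.append(b"".join(self.fragments))
            self.fragments, self.buffered = [], 0


def legit_fragmented_message(conn):
    """A well-behaved client splits one text message into two frames and finishes it."""
    for wire in (build_frame(OP_TEXT, b"hello ", fin=False),
                 build_frame(OP_CONTINUATION, b"world", fin=True)):
        conn.handle_frame(*parse_frame(wire)[:3])
    return conn.messages


def stream_unterminated_fragments(conn, chunk=4096, frames=300):
    """The advisory's attack: a text frame with fin=0, then continuation frames with fin=0,
    and never a final fin=1. Returns (frames accepted, bytes retained, close code)."""
    accepted, opcode = 0, OP_TEXT
    for _ in range(frames):
        conn.handle_frame(*parse_frame(build_frame(opcode, b"A" * chunk, fin=False))[:3])
        if conn.close_code is not None:
            break
        accepted, opcode = accepted + 1, OP_CONTINUATION
    return accepted, conn.buffered, conn.close_code
```

Running `stream_unterminated_fragments(Connection())` accepts all 300 frames and leaves 1,228,800 bytes parked in `fragments` with nothing to free them, which is the linear growth the attack chain describes; the same call against `Connection(max_message_size=1_000_000)` accepts 244 frames, refuses the 245th with close code 1009 and drops the buffer, while `legit_fragmented_message` still completes under the cap. The `accepted` counter is also the detection signal from the recommendations: a connection whose count of fin=0 frames keeps rising while `messages` stays empty is the pattern to alert on.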