|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'CVE-2023-33953 (grpc): Excessive Iteration in gRPC' |
| 4 | +comments: false |
| 5 | +categories: |
| 6 | +- grpc |
| 7 | +advisory: |
| 8 | + gem: grpc |
| 9 | + cve: 2023-33953 |
| 10 | + ghsa: 496j-2rq6-j6cc |
| 11 | + url: https://github.com/advisories/GHSA-496j-2rq6-j6cc |
| 12 | + title: Excessive Iteration in gRPC |
| 13 | + date: 2023-08-09 |
| 14 | + description: | |
| 15 | + gRPC contains a vulnerability that allows hpack table accounting |
| 16 | + errors could lead to unwanted disconnects between clients and |
| 17 | + servers in exceptional cases/ Three vectors were found that allow |
| 18 | + the following DOS attacks: |
| 19 | +
|
| 20 | + - Unbounded memory buffering in the HPACK parser |
| 21 | + - Unbounded CPU consumption in the HPACK parser |
| 22 | +
|
| 23 | + The unbounded CPU consumption is down to a copy that occurred |
| 24 | + per-input-block in the parser, and because that could be unbounded |
| 25 | + due to the memory copy bug we end up with an O(n^2) parsing loop, |
| 26 | + with n selected by the client. |
| 27 | +
|
| 28 | + The unbounded memory buffering bugs: |
| 29 | +
|
| 30 | + - The header size limit check was behind the string reading code, |
| 31 | + so we needed to first buffer up to a 4 gigabyte string before |
| 32 | + rejecting it as longer than 8 or 16kb. |
| 33 | +
|
| 34 | + - HPACK varints have an encoding quirk whereby an infinite number |
| 35 | + of 0’s can be added at the start of an integer. gRPC’s hpack |
| 36 | + parser needed to read all of them before concluding a parse. |
| 37 | +
|
| 38 | + - gRPC’s metadata overflow check was performed per frame, so that |
| 39 | + the following sequence of frames could cause infinite buffering: |
| 40 | + HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: |
| 41 | + containing a: 3 etc… |
| 42 | + cvss_v3: 7.5 |
| 43 | + patched_versions: |
| 44 | + - "~> 1.53.2" |
| 45 | + - "~> 1.54.3" |
| 46 | + - "~> 1.55.2" |
| 47 | + - ">= 1.56.2" |
| 48 | + related: |
| 49 | + url: |
| 50 | + - https://nvd.nist.gov/vuln/detail/CVE-2023-33953 |
| 51 | + - https://cloud.google.com/support/bulletins#gcp-2023-022 |
| 52 | + - https://security.snyk.io/vuln/SNYK-RUBY-GRPC-5834442 |
| 53 | + - https://github.com/advisories/GHSA-496j-2rq6-j6cc |
| 54 | +--- |
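Review bot: the `description` block carries over some garbling from the upstream advisory text that should be cleaned up before merge: `allows hpack table accounting errors could lead to unwanted disconnects` is not a grammatical sentence, and `exceptional cases/ Three vectors` has a slash where the sentence break belongs. The same paragraph says "Three vectors were found" but the list that follows names only two (unbounded memory buffering and unbounded CPU consumption), so either restore the third item from the source advisory or reword the lead-in to match the list. The frame sequence at the end (`HEADERS: containing a: 1 CONTINUATION: containing a: 2 ...`) has lost its line breaks and is hard to read as a single line; since `description: |` is a YAML literal block, putting each frame on its own line preserves the layout. Also double-check that the `-` list items inside the literal block are indented consistently with the surrounding text, since uneven indentation inside a `|` block changes the rendered output.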