In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2onframerecvcallback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
{ "vanir_signatures": [ { "target": { "function": "main", "file": "tests/main.c" }, "signature_type": "Function", "digest": { "function_hash": "77346755642097303584396383619358398552", "length": 18563.0 }, "id": "CVE-2020-11080-043c15f6", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "file": "tests/nghttp2_session_test.c" }, "signature_type": "Line", "digest": { "line_hashes": [ "130478378985285426395828020745352499798", "196503942045532253932110626834219947143", "140220713152922819905257382060130445298" ], "threshold": 0.9 }, "id": "CVE-2020-11080-14985976", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "file": "lib/nghttp2_session.h" }, "signature_type": "Line", "digest": { "line_hashes": [ "299481480502669017256817653651965760144", "192855200294858710714870647090618082678", "171931255100099914416002534199507749118", "134596621928972775674961808494563737758" ], "threshold": 0.9 }, "id": "CVE-2020-11080-29794fd0", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "file": "tests/nghttp2_session_test.h" }, "signature_type": "Line", "digest": { "line_hashes": [ "280874317114581665292887146495868357102", "274381237785996237210746435884522152997", "107451044609814117435435328329148362077", "265830476977356558353157603069471539683" ], "threshold": 0.9 }, "id": "CVE-2020-11080-4af6c055", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "function": "nghttp2_session_mem_recv", "file": "lib/nghttp2_session.c" }, "signature_type": "Function", "digest": { "function_hash": "76320109155165413425003197983052626995", "length": 25684.0 }, "id": "CVE-2020-11080-5cb6f3ce", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "file": "lib/nghttp2_session.c" }, "signature_type": "Line", "digest": { "line_hashes": [ "91080862305138533235158662184188504666", "55719047791074478376451138928302749691", "34423416865062340475666727477469394742", "160694452227622041512789921840087788128", "125215487250163291681325310929119184725", "304511006625711842872697081582856130109", "146521828018515530096198461293603487510", "77071207928031166158783556068782833928", "43043000719327973590426123686028805161", "179003225043518908190906283800628246232", "105742072403147979607114434011564829201", "233584587159786120052703451071535283688", "283651529724345891378773186219206064596", "14651239339197374400702615701208359594", "192045365012885780981896872206360096339" ], "threshold": 0.9 }, "id": "CVE-2020-11080-73357273", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "file": "lib/nghttp2_option.h" }, "signature_type": "Line", "digest": { "line_hashes": [ "63766746716490509158265166290164411355", "50635060742961895873309443562646461749", "239135157918357008258296874879627556704", "262788658577533723179089072256574826527", "308365296203565026472293299273132062617", "221121337717265128092329712418842083664", "103420866999420189564175411823852472381", "302740726034182105606640494944642389408" ], "threshold": 0.9 }, "id": "CVE-2020-11080-8621d90d", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "function": "nghttp2_strerror", "file": "lib/nghttp2_helper.c" }, "signature_type": "Function", "digest": { "function_hash": "161237338488688124648574588901191514607", "length": 3119.0 }, "id": "CVE-2020-11080-91463383", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "function": "session_new", "file": "lib/nghttp2_session.c" }, "signature_type": "Function", "digest": { "function_hash": "263822875862045880231887339213735516174", "length": 5015.0 }, "id": "CVE-2020-11080-9256b42a", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "file": "lib/includes/nghttp2/nghttp2.h" }, "signature_type": "Line", "digest": { "line_hashes": [ "299600677355295622260323329753137725168", "207336653490817637956563444167084485017", "173962859204859183510964537905480471226", "263987830515868330154101366183012883049", "43061682448991184130831432058325332900", "296025395023612671134012733026983718977", "132824854117467898005988011917814540319", "42461200801133469667506603652589266889", "60147014574846046905448290406570903562", "334292343408006444436679522713366391316" ], "threshold": 0.9 }, "id": "CVE-2020-11080-93a5c7ca", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "file": "tests/main.c" }, "signature_type": "Line", "digest": { "line_hashes": [ "72648759381140541927944427180807827419", "86294245556859006400665914123068255423", "309234068633173169723482597667900608056", "31192511699064862677426786158272593111" ], "threshold": 0.9 }, "id": "CVE-2020-11080-98628c0b", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "file": "lib/nghttp2_session.c" }, "signature_type": "Line", "digest": { "line_hashes": [ "47185053208666008208030602997273026950", "192311053182551829065672374186794059354", "196600914829518509840604020846440765447" ], "threshold": 0.9 }, "id": "CVE-2020-11080-9b133b71", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394" }, { "target": { "function": "nghttp2_session_mem_recv", "file": "lib/nghttp2_session.c" }, "signature_type": "Function", "digest": { "function_hash": "272294011727504450056056312260246035417", "length": 25898.0 }, "id": "CVE-2020-11080-abc2509e", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394" }, { "target": { "file": "lib/nghttp2_helper.c" }, "signature_type": "Line", "digest": { "line_hashes": [ "158755643856787929620345895606655037940", "177488015206800958109423790823881861161", "16463961717879961764121185295358555699", "318001711588175060333961809437607705430" ], "threshold": 0.9 }, "id": "CVE-2020-11080-c054b6e7", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" }, { "target": { "function": "nghttp2_session_upgrade_internal", "file": "lib/nghttp2_session.c" }, "signature_type": "Function", "digest": { "function_hash": "232072567350380857623571495123190065086", "length": 1322.0 }, "id": "CVE-2020-11080-c7806524", "signature_version": "v1", "deprecated": false, "source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" } ] }