
HTTP/2 desync attacks

IDs: CVE-2021-33193
Keywords: http2
Description:

Researcher James Kettle recently published a set of HTTP/2 desynchronization attacks against proxies transforming HTTP/2 to HTTP/1.1 [1]. Several proxies including WAFs and load balancers are affected.

By crafting special HTTP/2 requests, an attacker can bypass critical WAF security controls such as authorization checks. This may result in data leakage or the execution of unwanted actions on back-end systems. Airlock Gateway supports HTTP/2 to HTTP/1.1 transformation by default (see the Virtual Host setting Enable HTTP/2).

We analyzed all attack types and were not able to bypass Airlock Gateway in the default configuration.

Details:

Most attack types were blocked by the web listener (Apache HTTP Server) of Airlock Gateway before they hit the core engine (Gatekeeper). Some attack types use spaces in the HTTP/2 method field which are not blocked by the web listener. These attack types were blocked by the core engine of Airlock Gateway in the default configuration.

Resolution: 

All Airlock Gateway mapping configurations must filter the HTTP method field for malicious strings. Airlock Gateway is secure by default, i.e. the HTTP method field is filtered using Allow Rules when creating a new mapping from a default template.

By default, a new empty mapping has only a single Allow Rule with the HTTP method set to GET or POST. If you have changed the Allow Rules on a mapping, we recommend verifying that at least one matching Allow Rule (i.e. one whose URL path pattern matches all requests to the mapping) has the HTTP method condition set. The configured pattern must not be left at the default No Restriction, nor set to any custom pattern that allows spaces in HTTP method names.
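As an added example (not Airlock code), the following Python model shows how a strict HTTP method Allow Rule differs from a permissive one when the method field contains whitespace. NO_RESTRICTION, DEFAULT_GET_POST and the probe methods are constructed stand-ins for the settings named above, not the product's actual configuration format.

```python
import re

# RFC 7230 token characters: a well-formed HTTP method contains only these,
# so a space, tab, CR or LF inside the method name is never legitimate.
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyz"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Constructed stand-ins for the two settings named in the resolution:
NO_RESTRICTION = None               # "No Restriction": any method string passes
DEFAULT_GET_POST = r"^(GET|POST)$"  # the default template's GET-or-POST rule


def is_token(method: str) -> bool:
    """True only if the method is a non-empty RFC 7230 token."""
    return bool(method) and all(ch in TCHAR for ch in method)


def method_allowed(method: str, pattern) -> bool:
    """Apply an Allow Rule HTTP method condition as a full-string regex match."""
    if pattern is NO_RESTRICTION:
        return True
    return re.fullmatch(pattern, method) is not None


def audit_pattern(pattern) -> list:
    """Return the whitespace-bearing probe methods the pattern would accept.

    An empty list means the pattern meets the resolution above; anything
    else shows where the HTTP method condition is still too permissive.
    """
    probes = ["GET X", "GET\tX", "GET\rX", "GET\nX", "GET\r\nX"]  # constructed
    return [p for p in probes if method_allowed(p, pattern) and not is_token(p)]


if __name__ == "__main__":
    # A custom pattern with a space in its character class is flagged too.
    for pat in (NO_RESTRICTION, DEFAULT_GET_POST, r"^[A-Z ]+$"):
        verdict = "ok" if not audit_pattern(pat) else "too permissive"
        print(f"{pat!r:20} {verdict}: {audit_pattern(pat)}")
```

Run audit_pattern against each custom HTTP method pattern in use; only patterns returning an empty list satisfy the resolution.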

Component: Airlock
Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: Back-ends may be vulnerable, see resolution