CVE-2023-33953

Denial-of-Service in gRPC

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks:

- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
- gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-05-24 CVE Reserved
2023-08-09 CVE Published
2024-08-15 EPSS Updated
2024-09-27 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-770: Allocation of Resources Without Limits or Throttling
CWE-789: Memory Allocation with Excessive Size Value
CWE-834: Excessive Iteration

CAPEC

CAPEC-220: Client-Server Protocol Manipulation

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://cloud.google.com/support/bulletins#gcp-2023-022	2023-08-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Grpc Search vendor "Grpc"		Grpc Search vendor "Grpc" for product "Grpc"				< 1.53.2 Search vendor "Grpc" for product "Grpc" and version " < 1.53.2"		-		Affected
Grpc Search vendor "Grpc"		Grpc Search vendor "Grpc" for product "Grpc"				>= 1.54.0 < 1.54.3 Search vendor "Grpc" for product "Grpc" and version " >= 1.54.0 < 1.54.3"		-		Affected
Grpc Search vendor "Grpc"		Grpc Search vendor "Grpc" for product "Grpc"				>= 1.55.0 < 1.55.2 Search vendor "Grpc" for product "Grpc" and version " >= 1.55.0 < 1.55.2"		-		Affected
Grpc Search vendor "Grpc"		Grpc Search vendor "Grpc" for product "Grpc"				>= 1.56.0 < 1.56.2 Search vendor "Grpc" for product "Grpc" and version " >= 1.56.0 < 1.56.2"		-		Affected