ghsa-6hfq-h8hq-87mf
Vulnerability from github
Published
2021-08-25 20:56
Modified
2021-08-18 21:07
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
HTTP Request Smuggling in hyper
Details

Summary

hyper's HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks".

Vulnerability

The flaw was introduced in https://github.com/hyperium/hyper/commit/26417fc24a7d05df538e0f39239b373c5c3d61f6, released in v0.12.0.

Consider this example request:

POST /yolo HTTP/1.1 Transfer-Encoding: chunked Transfer-Encoding: cow

This request should be rejected, according to RFC 7230, since it has a Transfer-Encoding header, but after folding, it does not end in chunked. hyper would notice the chunked in the first line, and then check the second line, and thanks to a missing boolean assignment, not set the error condition. hyper would treat the payload as being chunked. By differing from the spec, it is possible to send requests like these to endpoints that have different HTTP implementations, with different interpretations of the payload semantics, and cause "desync attacks".

There are several parts of the spec that must also be checked, and hyper correctly handles all of those. Additionally, hyper's client does not allow sending requests with improper headers, so the misunderstanding cannot be propagated further.

Read more about desync attacks: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

Impact

To determine if vulnerable, all these things must be true:

  • Using hyper as an HTTP server. The client is not affected.
  • Using HTTP/1.1. HTTP/2 does not use transfer-encoding.
  • Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding.

Patches

We have released and backported the following patch versions:

  • v0.14.3
  • v0.13.10

Workarounds

Besides upgrading hyper, you can take the following options:

  • Reject requests that contain a transfer-encoding header.
  • Ensure any upstream proxy handles transfer-encoding correctly.

Credits

This issue was initially reported by ZeddYu Lu From Qi An Xin Technology Research Institute.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "hyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.14.0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "hyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.13.0"
            },
            {
              "fixed": "0.13.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "hyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "0.12.36"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21299"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T21:07:17Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nhyper\u0027s HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in \"request smuggling\" or \"desync attacks\".\n\n### Vulnerability\n\nThe flaw was introduced in https://github.com/hyperium/hyper/commit/26417fc24a7d05df538e0f39239b373c5c3d61f6, released in v0.12.0.\n\nConsider this example request:\n\n```\nPOST /yolo HTTP/1.1\nTransfer-Encoding: chunked\nTransfer-Encoding: cow\n```\n\nThis request *should* be rejected, according to RFC 7230, since it has a `Transfer-Encoding` header, but after folding, it does not end in `chunked`. hyper would notice the `chunked` in the first line, and then check the second line, and thanks to a missing boolean assignment, *not* set the error condition. hyper would treat the payload as being `chunked`. By differing from the spec, it is possible to send requests like these to endpoints that have different HTTP implementations, with different interpretations of the payload semantics, and cause \"desync attacks\".\n\nThere are several parts of the spec that must also be checked, and hyper correctly handles all of those. Additionally, hyper\u0027s *client* does not allow sending requests with improper headers, so the misunderstanding cannot be propagated further.\n\nRead more about desync attacks: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn\n\n### Impact\n\nTo determine if vulnerable, all these things must be true:\n\n- **Using hyper as an HTTP *server*.** The client is not affected.\n- **Using HTTP/1.1.** HTTP/2 does not use `transfer-encoding`.\n- **Using a vulnerable HTTP proxy upstream to hyper.** If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is *no* proxy upstream of hyper, hyper cannot *start* the desync attack, as the client will repair the headers before forwarding.\n\n### Patches\n\nWe have released and backported the following patch versions:\n\n- v0.14.3\n- v0.13.10\n\n### Workarounds\n\nBesides upgrading hyper, you can take the following options:\n\n- Reject requests that contain a `transfer-encoding` header.\n- Ensure any upstream proxy handles `transfer-encoding` correctly.\n\n### Credits\n\nThis issue was initially reported by ZeddYu Lu From Qi An Xin Technology Research Institute.",
  "id": "GHSA-6hfq-h8hq-87mf",
  "modified": "2021-08-18T21:07:17Z",
  "published": "2021-08-25T20:56:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21299"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hyperium/hyper/commit/8f93123efef5c1361086688fe4f34c83c89cec02"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hyperium/hyper"
    },
    {
      "type": "WEB",
      "url": "https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HTTP Request Smuggling in hyper"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.