CVE-2024-23452: Apache bRPC HTTP Request Smuggling Vulnerability
Apache bRPC is an industrial-grade RPC framework written in C++, commonly used in high-performance systems such as search, storage, machine learning, advertising, and recommendation. This widely deployed infrastructure was recently found to be vulnerable under CVE-2024-23452, a flaw that could allow attackers to smuggle malicious requests through bRPC's HTTP server.
The root cause lies in the HTTP server component of Apache bRPC versions 0.9.5 through 1.7.0, on all platforms. The flaw lets an attacker abuse the HTTP request processing mechanism, effectively 'smuggling' malicious requests into the system undetected.
The crux of the issue is that the http_parser does not comply with the RFC 7230 HTTP/1.1 specification. Specifically, when a message containing both Transfer-Encoding and Content-Length headers is received, the server does not handle the conflict as the standard requires (Transfer-Encoding takes precedence, and such a message is to be treated as a likely smuggling attempt), which gives an attacker a way to manipulate the request parsing logic.
Consider a frontend server that communicates with a backend bRPC-based HTTP server over a persistent connection. The frontend uses Transfer-Encoding (TE) to parse requests, treating the presence of 'chunk' in the TE field as meaning chunked encoding. Exploiting this assumption, an attacker crafts a malicious request and smuggles it onto the connection under the guise of legitimate traffic.
In essence, the attacker exploits the mismatch between how the frontend and the backend interpret the same request to bypass security controls, with potentially severe consequences for the system.
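The defensive counterpart of the parsing gap described above is a strict message-framing decision that follows RFC 7230 section 3.3.3: refuse a request that carries both Transfer-Encoding and Content-Length, accept chunked framing only when the exact token "chunked" is the final transfer coding (a substring match on "chunk" is not enough), and refuse conflicting or malformed Content-Length values. The following C++ is an added example written for this article; it is not bRPC's http_parser, and the function and type names (`decide_framing`, `Framing`, `FramingDecision`) and the sample request heads are assumptions constructed for illustration.

```cpp
// Added example (not Apache bRPC project code): a strict RFC 7230 section 3.3.3
// framing check over the head of an HTTP/1.1 request. The names below are
// hypothetical and chosen for this illustration.
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

enum class Framing { ContentLength, Chunked, NoBody, Reject };

struct FramingDecision {
    Framing framing;
    std::string reason;    // short reason, suitable for a 400 response log line
    long long length = 0;  // declared body length when framing == ContentLength
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Split a comma-separated header value into trimmed, lower-cased tokens.
static std::vector<std::string> split_list(const std::string& v) {
    std::vector<std::string> out;
    size_t start = 0;
    while (true) {
        size_t comma = v.find(',', start);
        size_t len = (comma == std::string::npos) ? std::string::npos : comma - start;
        std::string tok = trim(v.substr(start, len));
        if (!tok.empty()) out.push_back(lower(tok));
        if (comma == std::string::npos) break;
        start = comma + 1;
    }
    return out;
}

// Parse the header block after the request line up to the blank line.
// Every occurrence of a header is kept so duplicates can be detected.
static std::map<std::string, std::vector<std::string>> parse_headers(const std::string& head) {
    std::map<std::string, std::vector<std::string>> h;
    size_t pos = head.find("\r\n");  // skip the request line
    if (pos == std::string::npos) return h;
    pos += 2;
    while (pos < head.size()) {
        size_t eol = head.find("\r\n", pos);
        if (eol == std::string::npos) eol = head.size();
        std::string line = head.substr(pos, eol - pos);
        pos = eol + 2;
        if (line.empty()) break;  // end of the header block
        size_t colon = line.find(':');
        if (colon == std::string::npos) continue;
        h[lower(trim(line.substr(0, colon)))].push_back(trim(line.substr(colon + 1)));
    }
    return h;
}

FramingDecision decide_framing(const std::string& head) {
    auto h = parse_headers(head);
    auto te = h.find("transfer-encoding");
    auto cl = h.find("content-length");

    if (te != h.end()) {
        // Both headers present: TE overrides CL per RFC 7230, and the
        // combination is itself a smuggling signal, so refuse the request.
        if (cl != h.end())
            return {Framing::Reject, "Transfer-Encoding and Content-Length both present"};
        std::vector<std::string> codings;
        for (const auto& v : te->second)
            for (const auto& tok : split_list(v)) codings.push_back(tok);
        // Only an exact final "chunked" token is acceptable; matching the
        // substring "chunk" would accept values a peer may frame differently.
        if (codings.empty() || codings.back() != "chunked")
            return {Framing::Reject, "chunked is not the final transfer coding"};
        return {Framing::Chunked, "chunked"};
    }
    if (cl != h.end()) {
        // Every Content-Length value must be identical and purely numeric.
        const std::string& first = cl->second.front();
        bool numeric = !first.empty() && first.size() <= 18 &&
            std::all_of(first.begin(), first.end(),
                        [](unsigned char c) { return std::isdigit(c) != 0; });
        if (!numeric) return {Framing::Reject, "malformed Content-Length"};
        for (const auto& v : cl->second)
            if (v != first) return {Framing::Reject, "conflicting Content-Length values"};
        return {Framing::ContentLength, "content-length", std::stoll(first)};
    }
    return {Framing::NoBody, "no body"};
}
```

A server applying this check would answer `Framing::Reject` with a 400 and close the connection rather than keep reading the stream, since once framing is ambiguous the byte boundary of the next request on a persistent connection can no longer be trusted.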
To resolve CVE-2024-23452, Apache bRPC users have two courses of action to safeguard their systems:
1. Upgrade to bRPC version 1.8.0: the latest release addresses this vulnerability directly, with fixes that fortify the framework against this class of exploit. Upgrading to version 1.8.0 is the recommended way to protect a deployment from this attack.
2. Apply the patch: for those unable to upgrade immediately, the patch provided by the Apache bRPC community is an interim fix that closes the hole while a full upgrade is planned.