CVE-2022-24667
📋 TL;DR
CVE-2022-24667 is a denial-of-service vulnerability in swift-nio-http2, Apple's HTTP/2 implementation for SwiftNIO. A malicious HTTP/2 peer can send a specially crafted HPACK-encoded header block (HPACK is the header-compression format carried in every HTTP/2 HEADERS, PUSH_PROMISE and CONTINUATION frame) that crashes the process decoding it. All swift-nio-http2 releases from 1.0.0 through 1.19.1 are affected. Both clients and servers decode header blocks supplied by the remote peer, so both sides are exposed.
💻 Affected Systems
- swift-nio-http2
📦 What is this software?
swift-nio-http2 is the HTTP/2 protocol implementation for SwiftNIO, maintained by Apple. It provides HTTP/2 support for Swift server frameworks and clients built on SwiftNIO (Vapor, gRPC Swift and AsyncHTTPClient among them), so a project can depend on it transitively without ever naming it in its own Package.swift.
⚠️ Risk & Real-World Impact
Worst Case
Sustained outage: the attacker can crash the process again as soon as it comes back up, so the service stays down for as long as crafted header blocks keep arriving, and every restart drops in-flight requests and transactions. The advisory classifies the issue as a denial of service; there is no indication of memory corruption or data disclosure, so plan for availability loss rather than integrity or confidentiality impact.
Likely Case
The process crashes and is restarted by its supervisor, dropping every active HTTP/2 connection and stream each time; the attacker can repeat this at will until the library is updated.
If Mitigated
No impact once 1.19.2 or later is deployed, or where only authenticated or allow-listed peers can open HTTP/2 connections to the service.
🎯 Exploit Status
No public exploit is referenced in the advisory. The trigger is a malformed HPACK header block on an otherwise ordinary HTTP/2 connection (TLS with ALPN h2, or cleartext h2c), and header decoding happens before any application-level routing or authentication, so an unauthenticated peer suffices. The advisory notes the crash was found by automated fuzzing, which implies the triggering input is one a fuzzer finds quickly; assume a working trigger is easy to produce.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.19.2 and later
Vendor Advisory: https://github.com/apple/swift-nio-http2/security/advisories/GHSA-w3f6-pc54-gfw7
Restart Required: Yes
Instructions:
1. Raise the swift-nio-http2 requirement in Package.swift to 1.19.2 or later (for example `from: "1.19.2"`). If the library only arrives transitively through Vapor, gRPC Swift or another framework, update that framework or run `swift package update swift-nio-http2` so that Package.resolved pins 1.19.2 or later.
2. Rebuild and redeploy the application.
3. Restart the service so the new binary is the one serving HTTP/2 traffic.
🔧 Temporary Workarounds
Block untrusted HTTP/2 peers
Restrict HTTP/2 connections to trusted sources (network allow-lists, mTLS). This is realistic for internal services and backend-to-backend links; for a public server every client is an untrusted peer, so it is not a workaround there.
Disable HTTP/2 or use alternative libraries
If feasible, stop advertising h2 via ALPN (and disable h2c) so peers negotiate HTTP/1.1 with the Swift process, or terminate HTTP/2 on a separate, unaffected HTTP/2 implementation in front of it.
🧯 If You Can't Patch
- Put an HTTP/2-terminating reverse proxy or WAF in front of the service and have it speak HTTP/1.1 (or its own freshly encoded HTTP/2) to the backend. Because the proxy decodes the peer's HPACK itself and re-encodes headers for the upstream, the attacker's raw header bytes never reach swift-nio-http2. Note that HPACK sits inside TLS, so a passive IPS that does not terminate TLS cannot see or filter it.
- Monitor for crash loops (see Detection & Monitoring below) and run the process under a supervisor that restarts it, to shorten each outage while the attacker is active. This limits downtime; it does not remove the vulnerability.
🔍 How to Verify
Check if Vulnerable:
Check the version of swift-nio-http2 that actually builds into the product. Package.swift only states a minimum requirement (and often does not mention swift-nio-http2 at all when it is a transitive dependency); the pinned version is in Package.resolved. If the resolved version is between 1.0.0 and 1.19.1 inclusive, the build is vulnerable.
Check Version:
swift package show-dependencies | grep -i swift-nio-http2
grep -A 8 '"swift-nio-http2"' Package.resolved
Verify Fix Applied:
Confirm that the resolved swift-nio-http2 version is 1.19.2 or later and that the deployed binary was built from that resolution. A smoke test with ordinary HTTP/2 traffic shows the upgrade did not break the service; it does not prove the crash is gone, because normal clients never send the malformed block.
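The version check above can be scripted so it runs in CI against the pinned dependency rather than relying on a manual grep. The following is an added example, not code from the advisory or from the swift-nio-http2 project: it reads the version pinned for swift-nio-http2 out of Package.resolved (both the older `object.pins` layout and the current `pins` layout), classifies it against the 1.0.0 through 1.19.1 range, and treats branch pins, prereleases and missing pins as "check manually" rather than guessing. The sample Package.resolved it writes is constructed for the demonstration, with a placeholder revision; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the swift-nio-http2 project:
# decide whether the swift-nio-http2 version pinned in a Package.resolved file
# falls in the CVE-2022-24667 range (1.0.0 through 1.19.1). Uses only POSIX sh
# and awk, so it also works where jq and `sort -V` are unavailable.

# Return 0 if $1 is an affected release, 1 if it is outside the range,
# 2 if $1 is not a plain X.Y.Z release string (branch pin, prerelease, "null").
cve_2022_24667_vulnerable() {
    v=${1#v}                                   # tolerate a leading "v"
    case "$v" in *.*.*) ;; *) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%.*}
    for n in "$major" "$minor" "$patch"; do    # every component must be a bare integer;
        case "$n" in ""|*[!0-9]*) return 2 ;; esac   # "1.19.2-beta.1" is deliberately "unknown"
    done
    [ "$major" -eq 1 ] || return 1             # only the 1.x line is affected
    [ "$minor" -lt 19 ] && return 0            # 1.0.0 .. 1.18.x
    [ "$minor" -eq 19 ] && [ "$patch" -le 1 ] && return 0   # 1.19.0 and 1.19.1
    return 1                                   # 1.19.2 and later carry the fix
}

# Print the release version pinned for swift-nio-http2 in Package.resolved ($1).
# Handles the v1 layout ("package": "swift-nio-http2" under "object"."pins")
# and the v2 layout ("identity" : "swift-nio-http2" under "pins"). Prints
# nothing when the dependency is absent or pinned to a branch/revision.
pinned_nio_http2_version() {
    awk '
        /"swift-nio-http2"/ { in_pin = 1 }       # the "package" (v1) or "identity" (v2) line
        in_pin && /"version" *: *"/ {            # quoted value only: skips the file-format "version" : 2
            gsub(/[",]/, "")                     # drop JSON quotes and the trailing comma
            sub(/.*version *: */, "")            # keep only the value
            print
            exit
        }
    ' "$1"
}

# Report on one Package.resolved ($1). Exit status: 0 not affected, 1 affected, 2 undetermined.
check_package_resolved() {
    ver=$(pinned_nio_http2_version "$1")
    if [ -z "$ver" ]; then
        echo "$1: no release version pinned for swift-nio-http2 (absent, or pinned to a branch/revision); check manually"
        return 2
    fi
    rc=0
    cve_2022_24667_vulnerable "$ver" || rc=$?
    case $rc in
        0) echo "$1: swift-nio-http2 $ver is AFFECTED by CVE-2022-24667; upgrade to 1.19.2 or later"; return 1 ;;
        1) echo "$1: swift-nio-http2 $ver is outside the affected range"; return 0 ;;
        *) echo "$1: pinned version '$ver' is not a plain release; check manually"; return 2 ;;
    esac
}

# Constructed sample in the v2 layout (not a real project's file): the revision is a
# placeholder and the pin is deliberately at the last affected release, 1.19.1.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Package.resolved" <<'EOF'
{
  "pins" : [
    {
      "identity" : "swift-nio-http2",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/apple/swift-nio-http2.git",
      "state" : {
        "revision" : "0000000000000000000000000000000000000000",
        "version" : "1.19.1"
      }
    }
  ],
  "version" : 2
}
EOF
check_package_resolved "$demo_dir/Package.resolved" || true   # reports AFFECTED; status 1 is expected here
rm -rf "$demo_dir"
```

In a pipeline, call `check_package_resolved Package.resolved` from the repository root and fail the build on a non-zero status; status 2 deserves a human look rather than a pass, since a branch pin can sit anywhere in the affected range.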
📡 Detection & Monitoring
Log Indicators:
- Process crashes during HTTP/2 header processing. A crash in Swift code is most often a runtime trap (precondition failure, index out of range) rather than a segmentation fault: look for a stderr line beginning "Fatal error:" and a process killed by SIGILL or SIGTRAP (systemd logs this as status=4/ILL or 5/TRAP), as well as conventional segfaults.
- Unexpected process terminations that coincide with the start of an HTTP/2 connection, especially a restart loop with a new crash shortly after each start.
Network Indicators:
- Unusual HTTP/2 HEADERS, PUSH_PROMISE or CONTINUATION frames from a single source (oversized or malformed header blocks, connections that die right after the first header frame). Header blocks are only visible where TLS is terminated, so this requires proxy or application-side HTTP/2 logging, not passive capture.
- A new connection from the same peer immediately preceding each crash or restart; correlate crash timestamps with connection logs to identify the source.
SIEM Query:
source="application.logs" AND ("Fatal error" OR "segmentation fault" OR "crash" OR "panic" OR "SIGILL" OR "SIGTRAP") AND ("HTTP/2" OR "HPACK" OR "NIOHTTP2")