CVE-2024-7246
📋 TL;DR
This CVE describes a gRPC vulnerability where a malicious client can poison the HPACK compression table between an HTTP/2 proxy and backend server. This causes other clients to experience failed requests and potentially leak HTTP header keys (but not values). Any system using vulnerable gRPC versions with HTTP/2 proxy configurations is affected.
💻 Affected Systems
- gRPC
📦 What is this software?
Grpc by Grpc
⚠️ Risk & Real-World Impact
Worst Case
Service disruption for multiple clients, potential information disclosure of HTTP header keys, and denial of service affecting application availability.
Likely Case
Intermittent request failures for legitimate clients and potential header key leakage in shared proxy environments.
If Mitigated
Limited impact with proper network segmentation and monitoring, though vulnerability still exists.
🎯 Exploit Status
Exploitation requires understanding of HTTP/2 HPACK compression and ability to send specially crafted requests through a proxy.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, or 1.65.4
Vendor Advisory: https://github.com/grpc/grpc/issues/36245
Restart Required: Yes
Instructions:
1. Identify the current gRPC version.
2. Update to the appropriate fixed version for your release branch.
3. Restart all gRPC services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable HTTP/2 Proxy
Configure gRPC clients to connect directly to backends without using HTTP/2 proxies.
Network Segmentation
Isolate gRPC traffic and restrict access to proxy configurations from untrusted networks.
🧯 If You Can't Patch
- Implement strict network access controls to limit which clients can communicate through HTTP/2 proxies.
- Monitor for abnormal request patterns and failed gRPC requests that could indicate exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check gRPC version and compare against affected versions. Verify if HTTP/2 proxy configuration is in use.
Check Version:
For Python: pip show grpcio | grep Version
For Go: go list -m all | grep google.golang.org/grpc
Verify Fix Applied:
Confirm gRPC version is updated to a fixed version and test gRPC communication through proxy.
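The fix list above is per release branch, so a plain "newer is safer" comparison gets it wrong: 1.60.1 is newer than 1.59.5 but still vulnerable, because the 1.60 branch was only fixed in 1.60.2. The following script is an added example, not part of this advisory or of the gRPC project; it wraps the two version commands given above and compares the result against the listed fixed releases. Two policy choices in it are assumptions rather than statements from the advisory: branches older than 1.58 have no listed fix and are treated as vulnerable, and branches newer than 1.65 are treated as fixed because they postdate every listed fix.

```python
"""Branch-aware check of an installed gRPC version against the CVE-2024-7246 fix list.

Added example, not part of the advisory: it wraps the advisory's own version
commands (`pip show grpcio`, `go list -m all`) and compares the result against
the fixed releases the advisory lists.
"""
import re
import subprocess
import sys

# Fixed releases from the advisory, keyed by 1.x minor branch -> first fixed patch.
FIXED_PATCH_BY_MINOR = {58: 3, 59: 5, 60: 2, 61: 3, 62: 3, 63: 2, 64: 3, 65: 4}


def parse_version(text):
    """Return (major, minor, patch) from '1.60.1', 'v1.62.3' or '1.59.5rc1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True if `version` contains the fix.

    The comparison is per branch, not a plain ordering: 1.60.1 is newer than
    1.59.5 yet still vulnerable, because the 1.60 branch was only fixed in 1.60.2.
    Assumptions (not from the advisory): branches older than 1.58 have no listed
    fix and count as vulnerable; branches newer than 1.65 postdate every listed
    fix and count as fixed.
    """
    major, minor, patch = parse_version(version)
    if major != 1:
        return major > 1  # assumption: a future 2.x would postdate the fix
    if minor in FIXED_PATCH_BY_MINOR:
        return patch >= FIXED_PATCH_BY_MINOR[minor]
    return minor > max(FIXED_PATCH_BY_MINOR)


def version_from_pip_show(output):
    """Pull the 'Version:' field out of `pip show grpcio` output; None if absent."""
    for line in output.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def version_from_go_list(output):
    """Pull the google.golang.org/grpc version out of `go list -m all` output."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "google.golang.org/grpc":
            return parts[1]
    return None


def assess(label, version):
    """Return a one-line verdict for reporting."""
    if version is None:
        return f"{label}: gRPC not found"
    verdict = "fixed" if is_fixed(version) else "VULNERABLE (CVE-2024-7246)"
    return f"{label}: {version} -> {verdict}"


def main():
    # Python: query pip for the installed grpcio package.
    try:
        out = subprocess.run([sys.executable, "-m", "pip", "show", "grpcio"],
                             capture_output=True, text=True, check=False).stdout
        print(assess("python grpcio", version_from_pip_show(out)))
    except OSError as exc:
        print(f"python grpcio: could not run pip ({exc})")
    # Go: must be run inside a module directory for `go list -m all` to work.
    try:
        out = subprocess.run(["go", "list", "-m", "all"],
                             capture_output=True, text=True, check=False).stdout
        print(assess("go google.golang.org/grpc", version_from_go_list(out)))
    except OSError as exc:
        print(f"go module: could not run go ({exc})")


if __name__ == "__main__":
    main()
```

Run it from the Go module's directory so `go list -m all` resolves; outside a module the Go check simply reports that gRPC was not found. The same `is_fixed` function can be pointed at version strings collected from other environments (container images, lock files) since it only needs the x.y.z string.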
📡 Detection & Monitoring
Log Indicators:
- Increased rate of gRPC request failures
- Unusual header patterns in HTTP/2 traffic logs
- Errors related to HPACK table corruption
Network Indicators:
- Abnormal HTTP/2 traffic patterns through proxies
- Multiple clients experiencing simultaneous request failures
SIEM Query:
source="grpc_logs" AND (error="HPACK" OR error="header" OR status="INTERNAL") | stats count by client_ip
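The SIEM query above counts matching events per client. Because a poisoned HPACK table breaks requests for other clients sharing the proxy-to-backend connection, the more useful signal from the indicator list is several distinct clients failing in the same short window. The script below is an added example, not part of this advisory: it implements the query's filter and `stats count by client_ip` in Python over constructed sample log lines, then adds a per-window count of distinct failing clients. The `key=value` log format, the field names and the sample lines are all assumptions; adapt `parse_line()` to the format your proxy or gRPC server actually emits.

```python
"""Run the advisory's detection logic over gRPC log lines (added example, constructed input)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in a key=value format this example assumes; real
# gRPC/proxy logs differ, so adapt parse_line() to your own format.
SAMPLE_LOGS = """\
2024-08-01T10:00:01Z source=grpc_logs client_ip=10.0.0.5 method=/svc.Api/Get status=OK
2024-08-01T10:00:02Z source=grpc_logs client_ip=10.0.0.7 method=/svc.Api/Get status=INTERNAL error="HPACK decode failed"
2024-08-01T10:00:03Z source=grpc_logs client_ip=10.0.0.8 method=/svc.Api/List status=INTERNAL error="invalid header field"
2024-08-01T10:00:04Z source=grpc_logs client_ip=10.0.0.9 method=/svc.Api/Get status=UNAVAILABLE error="connection reset"
2024-08-01T10:00:05Z source=grpc_logs client_ip=10.0.0.7 method=/svc.Api/Get status=INTERNAL error="HPACK decode failed"
2024-08-01T10:00:40Z source=grpc_logs client_ip=10.0.0.11 method=/svc.Api/Put status=INTERNAL error="header list too large"
2024-08-01T10:05:00Z source=grpc_logs client_ip=10.0.0.5 method=/svc.Api/Get status=OK
2024-08-01T10:05:01Z source=grpc_logs client_ip=10.0.0.12 method=/svc.Api/Get status=INTERNAL error="HPACK decode failed"
2024-08-01T10:05:02Z source=grpc_logs client_ip=10.0.0.12 method=/svc.Api/Get status=OK
"""

# key=value pairs; values are either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; quoted values are unquoted."""
    ts_text, _, rest = line.partition(" ")
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for key, value in KV_RE.findall(rest):
        record[key] = value[1:-1] if value.startswith('"') else value
    return record


def matches_indicator(record):
    """The advisory's SIEM filter: grpc_logs events with HPACK/header errors or INTERNAL status."""
    if record.get("source") != "grpc_logs":
        return False
    error = record.get("error", "").lower()
    return "hpack" in error or "header" in error or record.get("status") == "INTERNAL"


def count_by_client(lines):
    """Equivalent of '| stats count by client_ip': matching events per client."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if matches_indicator(record):
            counts[record.get("client_ip", "unknown")] += 1
    return dict(counts)


def simultaneous_failure_windows(lines, window_seconds=60, min_clients=3):
    """Flag time buckets in which at least min_clients distinct clients hit the filter.

    Several unrelated clients failing in the same window matches the advisory's
    'multiple clients experiencing simultaneous request failures' indicator and
    is a stronger signal than one noisy client. Returns {bucket_start_iso: [ips]}.
    """
    clients_per_bucket = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if not matches_indicator(record):
            continue
        bucket = int(record["ts"].timestamp()) // window_seconds * window_seconds
        clients_per_bucket[bucket].add(record.get("client_ip", "unknown"))
    return {
        datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(): sorted(clients)
        for bucket, clients in sorted(clients_per_bucket.items())
        if len(clients) >= min_clients
    }


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("matches by client:", count_by_client(lines))
    print("windows with several failing clients:", simultaneous_failure_windows(lines))
```

On the sample input the UNAVAILABLE/"connection reset" line is deliberately not matched, since it is neither an HPACK or header error nor an INTERNAL status; the 10:00 window is flagged because three distinct clients fail within it, while the single failure at 10:05 is not. Tune `window_seconds` and `min_clients` to the normal failure rate of your own proxy before alerting on the result.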