Bug 1214148 (CVE-2023-33953) - VUL-0: CVE-2023-33953: grpc: unbounded memory and CPU consumption in the HPACK parser leads to remote DoS
Summary: VUL-0: CVE-2023-33953: grpc: unbounded memory and CPU consumption in the HPAC...
Status: IN_PROGRESS
Alias: CVE-2023-33953
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: John Paul Adrian Glaubitz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/374793/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-33953:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-10 11:31 UTC by Carlos López
Modified: 2024-03-14 14:57 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
kvanderveer: needinfo? (meissner)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2023-08-10 11:31:24 UTC 
CVE-2023-33953

gRPC contains a vulnerability that allows hpack table accounting errors could
lead to unwanted disconnects between clients and servers in exceptional
cases/ Three vectors were found that allow the following DOS attacks:

- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block in
the parser, and because that could be unbounded due to the memory copy bug we
end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

- The header size limit check was behind the string reading code, so we needed
to first buffer up to a 4 gigabyte string before rejecting it as longer than 8
or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0’s can be
added at the start of an integer. gRPC’s hpack parser needed to read all of them
before concluding a parse.
- gRPC’s metadata overflow check was performed per frame, so that the following
sequence of frames could cause infinite buffering: HEADERS: containing a: 1
CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33953
https://www.cve.org/CVERecord?id=CVE-2023-33953
https://cloud.google.com/support/bulletins#gcp-2023-022
Comment 1 Carlos López 2023-08-10 11:56:36 UTC 
I'd say this is the fix:
https://github.com/grpc/grpc/pull/33597
Comment 3 John Paul Adrian Glaubitz 2024-02-08 10:33:15 UTC 
(In reply to Carlos López from comment #1)
> I'd say this is the fix:
> https://github.com/grpc/grpc/pull/33597

An update to grpc has been submitted to SUSE:SLE-15-SP4:Update, but I didn't see this bug report before, so we're missing this particular CVE reference.
Comment 5 OBSbugzilla Bot 2024-02-09 14:05:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1214148) was mentioned in
https://build.opensuse.org/request/show/1145435 Factory / python-grpcio
Comment 7 Maintenance Automation 2024-02-21 12:30:24 UTC 
SUSE-SU-2024:0573-1: An update that solves five vulnerabilities, contains one feature and has three security fixes can now be installed.

Category: security (moderate)
Bug References: 1133277, 1182659, 1203378, 1208794, 1212180, 1212182, 1214148, 1215334
CVE References: CVE-2023-32731, CVE-2023-32732, CVE-2023-33953, CVE-2023-44487, CVE-2023-4785
Jira References: PED-5014
Sources used:
openSUSE Leap 15.4 (src): python-abseil-1.4.0-150400.9.3.1, re2-20240201-150400.9.3.1, grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1, python-grpcio-1.60.0-150400.9.3.2, opencensus-proto-0.3.0+git.20200721-150400.9.3.1
openSUSE Leap Micro 5.3 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
openSUSE Leap Micro 5.4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
openSUSE Leap 15.5 (src): python-abseil-1.4.0-150400.9.3.1, re2-20240201-150400.9.3.1, grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1, python-grpcio-1.60.0-150400.9.3.2, opencensus-proto-0.3.0+git.20200721-150400.9.3.1
SUSE Linux Enterprise High Performance Computing 15 SP4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server 15 SP4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Manager Server 4.3 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Desktop 15 SP4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Manager Retail Branch Server 4.3 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Manager Proxy 4.3 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise High Performance Computing 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server for SAP Applications 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Desktop 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro 5.3 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro 5.4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro 5.5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
Basesystem Module 15-SP5 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
Development Tools Module 15-SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Package Hub 15 15-SP5 (src): protobuf-25.1-150400.9.3.1
Public Cloud Module 15-SP4 (src): grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1
Public Cloud Module 15-SP5 (src): re2-20240201-150400.9.3.1, grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1
Python 3 Module 15-SP5 (src): python-abseil-1.4.0-150400.9.3.1, python-grpcio-1.60.0-150400.9.3.2, protobuf-25.1-150400.9.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): abseil-cpp-20230802.1-150400.10.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Karen Van der Veer 2024-03-14 14:57:35 UTC 
Waiting for guidance from Marcus.