Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening. Once a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker's server. An H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities. A patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using using host-level listen directives in favor of global-level ones.

Severity

 

CVSS Version 3.x CVSS Version 2.0

CVSS 3.x Severity and Metrics:

NIST: NVD

Base Score:  6.7 MEDIUM

Vector:  CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CNA:  GitHub, Inc.

Base Score:  6.1 MEDIUM

Vector:  CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: It is possible that the NVD CVSS may not match that of the CNA. The most common reason for this is that publicly available information does not provide sufficient detail or that information simply was not available at the time the CVSS vector string was assigned.

CVSS 2.0 Severity and Metrics:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: NVD Analysts have not published a CVSS score for this CVE at this time. NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab	Patch
https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q	Mitigation  Patch  Vendor Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-347	Improper Verification of Cryptographic Signature	GitHub, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 12/19/2023 2:10:12 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR *cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:* versions up to (including) 2.2.6 *cpe:2.3:a:dena:h2o:2.3.0:beta1:*:*:*:*:*:* *cpe:2.3:a:dena:h2o:2.3.0:beta2:*:*:*:*:*:*
Added	CVSS V3.1		NIST AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Changed	Reference Type	https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab No Types Assigned	https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab Patch
Changed	Reference Type	https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q No Types Assigned	https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q Mitigation, Patch, Vendor Advisory

New CVE Received by NIST 12/12/2023 3:15:07 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		GitHub, Inc. AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Added	CWE		GitHub, Inc. CWE-347
Added	Description		Record truncated, showing 500 of 1829 characters. View Entire Change Record h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involve
Added	Reference		GitHub, Inc. https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab [No types assigned]
Added	Reference		GitHub, Inc. https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q [No types assigned]