H2C smuggling proves effective against Azure, Cloudflare Access, and more

Security researchers have harnessed the novel ‘H2C smuggling’ technique to achieve authentication, routing, and WAF bypasses on a number of leading cloud platforms.


The attack’s first in-the-wild scalps included routing and WAF bypasses in Microsoft Azure, and an authentication bypass in Cloudflare Access, although Google Cloud Platform emerged unscathed.

The technique’s architects, from Researcher, noted in a landmark write-up that load balancers such as AWS ALB/CLB, NGINX, and Apache Traffic Server blocked H2C smuggling because they “won’t forward the required headers for a compliant H2C connection upgrade”.

However, Researcher had also noted that “not all backends were compliant, and we could test with the non-compliant Connection: Upgrade variant, where the HTTP2-Settings value is omitted from the Connection header”.

Researchers managed to find “multiple instances of off-the-shelf configured services that permitted H2C upgrades”, paving the way to authorization control bypasses “on interim reverse proxies”.

What are H2C smuggling attacks?

Unveiled in September 2020, HTTP/2 cleartext (H2C) smuggling “abuses H2C-unaware front-ends to create a tunnel to backend systems, enabling attackers to bypass frontend rewrite rules and exploit internal HTTP headers”.

H2C, a deprecated protocol, upgrades a regular, transient plaintext HTTP connection to a persistent connection using the HTTP2 binary protocol. And when an HTTP request issued to a reverse proxy “includes a Connection: Upgrade header the proxy maintains the persistent connection, and scope for continuous communication, between the client and server”.

“Using H2C Smuggling, we can bypass [routing] rules a reverse proxy uses when processing requests such as path-based routing, authentication, or the WAF processing provided we can establish a H2C connection first.”

Microsoft Azure

Microsoft Azure presented “the most interesting use case for impact,” said Yeoh, because “the Azure Application Gateways offer the ability to attach the Azure WAF to the gateway.”

With the access gateway removing HTTP2-Settings from the Upgrade header but leaving the others “untouched”, the researchers were able to bypass routing rules.

But “more importantly, when the Azure WAF is configured, this provides a global WAF bypass provided your first request does not get blocked by the WAF and you can establish a H2C connection”.

Researcher praised Microsoft for ensuring “a painless and smooth process” despite the difficulty of applying security fixes without disrupting the customer experience.

Cloudflare Access

Rules applied by Cloudflare Access, an authentication service enforced by Cloudflare’s load balancer, were bypassed because request proxying “modified the Upgrade header to exclude HTTP2-Settings” but retained the other headers.

Alerted via their bug bounty program, Cloudflare “were very responsive” in fixing the flaw, despite having to “balance customer expectations around servicing H2C connections”, said the researcher.

Google Cloud Platform

Although Google’s load balancer permits configuration of basic routing rules, an attempted HTTP upgrade prompts the load balancer to strip “all Connection and HTTP2-Settings headers”, thus blocking a connection upgrade – and H2C smuggling attacks.
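As an added illustration of the upgrade mechanism described above and of the two front-end behaviours the article contrasts (this is example code written for this page, not the researchers’ tooling or any vendor’s implementation; the sample request and the function names are constructed), the following classifies an inbound request and shows how a front end that only drops HTTP2-Settings still forwards a non-compliant upgrade, while one that strips every upgrade-related header does not:

```python
from typing import Dict, List

# Hop-by-hop headers a front end must not forward; Connection also names further
# headers that have to be removed together with it (RFC 7230 section 6.1).
HOP_BY_HOP = {"connection", "upgrade", "http2-settings"}

def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into lower-cased tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def classify_h2c_upgrade(headers: Dict[str, str]) -> str:
    """'compliant': Connection lists Upgrade and HTTP2-Settings, and both headers are
    present; 'non-compliant': Connection: Upgrade plus Upgrade: h2c without the
    HTTP2-Settings token (the variant some backends still honour); else 'none'."""
    h = {k.lower(): v for k, v in headers.items()}
    if "h2c" not in _tokens(h.get("upgrade", "")):
        return "none"
    conn = _tokens(h.get("connection", ""))
    if "upgrade" not in conn:
        return "none"
    if "http2-settings" in conn and "http2-settings" in h:
        return "compliant"
    return "non-compliant"

def forward_partial(headers: Dict[str, str]) -> Dict[str, str]:
    """Insufficient front end (the behaviour the article describes for Azure and
    Cloudflare): drop HTTP2-Settings but forward Connection: Upgrade and Upgrade: h2c."""
    out = {}
    for k, v in headers.items():
        if k.lower() == "http2-settings":
            continue
        if k.lower() == "connection":
            v = ", ".join(t.strip() for t in v.split(",") if t.strip().lower() != "http2-settings")
        out[k] = v
    return out

def forward_strict(headers: Dict[str, str]) -> Dict[str, str]:
    """Correct front end (what the article reports for Google's load balancer): drop
    Connection, every header Connection names, Upgrade and HTTP2-Settings."""
    conn = next((v for k, v in headers.items() if k.lower() == "connection"), "")
    drop = HOP_BY_HOP | set(_tokens(conn))
    return {k: v for k, v in headers.items() if k.lower() not in drop}

# Constructed sample request in the compliant upgrade form a client would send;
# the HTTP2-Settings value is a placeholder, not an encoded SETTINGS frame.
SAMPLE_REQUEST = {
    "Host": "app.example.internal",
    "Connection": "Upgrade, HTTP2-Settings",
    "Upgrade": "h2c",
    "HTTP2-Settings": "PLACEHOLDER-SETTINGS",
}
```

Running `classify_h2c_upgrade` over the output of each forwarding function reproduces the article's point: the partial front end hands the backend a "non-compliant" upgrade it may still accept, the strict one leaves nothing to upgrade.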

All other vulnerable cloud platforms denied Assetnote permission to disclose the details.

Lessons learned

To find these bypasses, researchers configured a server that upgraded both non-compliant and compliant H2C connections and found a load balancer configurable with routing rules or features.

Even though they used a non-compliant server, Researcher pointed out that developers “may not understand the internals of their reverse proxies/internal services hosted behind the load balancer and hence may be vulnerable even if their load balancer is configured properly”. He added that “even the best security researchers make [incorrect] assumptions about their research or may not have the time needed to find all affected parties”.

“Consequently, even when research is made public there are often plenty of opportunities to extend and further the research.”

The investigation also demonstrates that security measures on the load balancer alone “can be insufficient when restricting access or securing your application”, the researcher added.

Nevertheless, he acknowledged the difficulty of keeping abreast of “these nuanced configuration issues, particularly across a large and fluid cloud attack surface”.

Asked what might be the most fruitful direction for further H2C smuggling research, the researcher said that “there are a number of interesting avenues worth exploring”, in particular “H2C smuggling in the context of Kubernetes ingress and services”.