Beware! Google’s gRPC Tool Vulnerable to DDoS Attacks

CVE: CVE-2023-4785
CVSS (v3.1): 7.5
Source: CVE-2023-4785

Google’s gRPC framework, a popular open-source framework for building RPC applications, is affected by a vulnerability that could allow attackers to launch denial-of-service (DoS) attacks.

The vulnerability, tracked as CVE-2023-4785, exists in the TCP server component of gRPC versions 1.23 and earlier on POSIX-compatible platforms such as Linux. It is caused by a lack of proper error handling when a large number of connections are opened to the gRPC server.

Attackers can exploit this simply by opening a massive number of connections to the vulnerable gRPC server, exhausting its resources and making it unavailable to legitimate users. The result is a denial of service.

The gRPC implementations for languages such as C++, Python and Ruby are affected by this issue; gRPC for Java and Go are not vulnerable.

To protect against exploitation, gRPC users should upgrade to version 1.24 or later, which fixes this vulnerability. Application developers should also implement connection limiting, request throttling and error-handling best practices to make their gRPC servers more resilient against DDoS attacks.
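One way to apply the connection-limiting and throttling advice above, as an added example that is not gRPC's own code: an admission-control class (global cap, per-peer cap, token-bucket accept rate) wired into a minimal asyncio TCP listener. The names (ConnectionLimiter, serve), the limits and the listening port are assumptions; in a real deployment the same policy would sit in front of the gRPC listener, for example in a proxy or the server's own accept path.

```python
import asyncio
import time
from collections import defaultdict

class ConnectionLimiter:
    """Global cap, per-peer cap and token-bucket accept rate for a listener."""
    def __init__(self, max_total, max_per_peer, accepts_per_sec, burst,
                 clock=time.monotonic):
        self.max_total, self.max_per_peer = max_total, max_per_peer
        self.rate, self.burst, self.clock = accepts_per_sec, burst, clock
        self.tokens, self.last = float(burst), clock()
        self.open_total, self.open_by_peer = 0, defaultdict(int)

    def admit(self, peer):
        """Return None to accept the connection, or a reason to reject it."""
        now = self.clock()  # refill the token bucket since the last call
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.open_total >= self.max_total:
            return "global-limit"
        if self.open_by_peer[peer] >= self.max_per_peer:
            return "per-peer-limit"
        if self.tokens < 1:
            return "accept-rate"
        self.tokens -= 1
        self.open_total += 1
        self.open_by_peer[peer] += 1
        return None

    def release(self, peer):
        self.open_total -= 1
        self.open_by_peer[peer] -= 1
        if self.open_by_peer[peer] <= 0:
            del self.open_by_peer[peer]

async def serve(limiter, host="127.0.0.1", port=50051):
    """Hypothetical asyncio listener applying the limiter to each new connection."""
    async def handle(reader, writer):
        peer = writer.get_extra_info("peername")[0]
        if limiter.admit(peer) is not None:
            writer.close()  # reject cheaply instead of tying up a worker
            return
        try:
            await reader.read(4096)  # placeholder for real request handling
        finally:
            limiter.release(peer)
            writer.close()
    server = await asyncio.start_server(handle, host, port, backlog=128)
    async with server:
        await server.serve_forever()
```

Run it with `asyncio.run(serve(ConnectionLimiter(1000, 20, 200.0, 400)))`; excess connections from one source are closed immediately rather than consuming a worker.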
