{"result": {"nessus": [{"id": "FREEBSD_PKG_93EADEDBC6A611E596D614DAE9D210B8.NASL", "type": "nessus", "title": "FreeBSD : nghttp2 -- use after free (93eadedb-c6a6-11e5-96d6-14dae9d210b8)", "description": "nghttp2 reports :\n\nThis release fixes heap-use-after-free bug in idle stream handling code. We strongly recommend to upgrade the older installation to this latest version as soon as possible.", "published": "2016-02-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88501", "cvelist": ["CVE-2015-8659"], "lastseen": "2017-10-29T13:45:02"}, {"id": "FEDORA_2016-54F85EC6E8.NASL", "type": "nessus", "title": "Fedora 23 : nghttp2-1.6.0-1.fc23 (2016-54f85ec6e8)", "description": "- update to nghttp2-1.6.0 (fixes CVE-2015-8659)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-03-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=89545", "cvelist": ["CVE-2015-8659"], "lastseen": "2017-10-29T13:37:57"}, {"id": "FEDORA_2016-8E13AC5754.NASL", "type": "nessus", "title": "Fedora 22 : nghttp2-1.6.0-1.fc22 (2016-8e13ac5754)", "description": "- update to nghttp2-1.6.0 (fixes CVE-2015-8659)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-03-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=89578", "cvelist": ["CVE-2015-8659"], "lastseen": "2017-10-29T13:43:01"}, {"id": "GENTOO_GLSA-201612-06.NASL", "type": "nessus", "title": "GLSA-201612-06 : nghttp2: Heap-use-after-free", "description": "The remote host is affected by the vulnerability described in GLSA-201612-06 (nghttp2: Heap-use-after-free)\n\n A heap-use-after-free vulnerability has been discovered in nghttp2.\n Please review the CVE identifier referenced below for details.\n Impact :\n\n The impact of the vulnerability is still unknown.\n Workaround :\n\n There is no known workaround at this time.", "published": "2016-12-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=95521", "cvelist": ["CVE-2015-8659"], "lastseen": "2017-10-29T13:44:01"}, {"id": "APPLETV_9_2.NASL", "type": "nessus", "title": "Apple TV < 9.2 Multiple Vulnerabilities", "description": "According to its banner, the remote Apple TV device is a version prior to 9.2. It is, therefore, affected by the following vulnerabilities :\n\n - An XML external entity (XXE) expansion flaw exists in libxml2 due to the XML parser accepting entities from untrusted sources. An unauthenticated, remote attacker can exploit this, via crafted XML data, to cause a denial of service through resource exhaustion.\n (CVE-2015-1819)\n\n - An XML external entity (XXE) injection flaw exists in libxml2 in file parser.c due to the XML parser accepting entities from untrusted sources. 
An unauthenticated, remote attacker can exploit this, via crafted XML data, to cause a denial of service or to disclose sensitive information. (CVE-2015-5312)\n\n - A heap buffer overflow condition exists in libxml2 in the xmlGROW() function within file parser.c while handling XML data. An unauthenticated, remote attacker can exploit this to disclose sensitive information.\n (CVE-2015-7499)\n\n - An out-of-bounds heap read error exists in libxml2 in the xmlParseMisc() function within file parser.c while handling entity boundaries. An unauthenticated, remote attacker can exploit this to cause a denial of service.\n (CVE-2015-7500)\n\n - An out-of-bounds read error exists in libxml2 in the xmlParseConditionalSections() function within file parser.c due to a failure to properly skip intermediary entities when it stops parsing invalid input. An unauthenticated, remote attacker can exploit this, via crafted XML data, to cause a denial of service.\n (CVE-2015-7942)\n\n - A flaw exists in libxml2 in the xz_decomp() function within file xzlib.c due to a failure to properly detect compression errors when handling compressed XML content.\n An unauthenticated, remote attacker can exploit this, via crafted XML data, to cause an infinite loop, resulting in a denial of service.\n (CVE-2015-8035)\n\n - An out-of-bounds read error exists in libxml2 in the xmlSAX2TextNode() function within file SAX2.c due to improper sanitization of input data. An unauthenticated, remote attacker can exploit this, via crafted XML data, to cause a denial of service or to disclose sensitive information. (CVE-2015-8242)\n\n - A use-after-free error exists in Nghttp2 within file lib/nghttp2_session.c when handling idle streams. An unauthenticated, remote attacker can exploit this to dereference already freed memory, allowing the execution of arbitrary code. 
(CVE-2015-8659)\n\n - An overflow condition exists in the Broadcom Wi-Fi driver due to improper validation of data while handling SSID or WPS_ID_DEVICE_NAME values. An unauthenticated, adjacent attacker can exploit this, via a crafted wireless control message packet, to cause a denial of service or to execute arbitrary code. (CVE-2016-0801)\n\n - An overflow condition exists in the Broadcom Wi-Fi driver due to improper validation of user-supplied input when handling the packet length of event messages.\n An unauthenticated, adjacent attacker can exploit this, via a crafted wireless control message packet, to cause a denial of service or to execute arbitrary code.\n (CVE-2016-0802)\n\n - A flaw exists in FontParser due to improper validation of user-supplied input when handling encoded fonts that contain invalid characters. An unauthenticated, remote attacker can exploit this, via a crafted PDF document, to corrupt memory, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-1740)\n\n - A flaw exists in IOHIDFamily due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a crafted application, to gain access to kernel memory layout information.\n (CVE-2016-1748)\n\n - A use-after-free error exists in the kernel that allows an unauthenticated, remote attacker to execute arbitrary code via a crafted application. (CVE-2016-1750)\n\n - A flaw exists in the kernel due to a failure to properly restrict execution permissions. An unauthenticated, remote attacker can exploit this, via a crafted application, to bypass code-signing protection mechanisms. (CVE-2016-1751)\n\n - An unspecified flaw exists in the kernel that allows a local attacker to cause a denial of service via a crafted application. (CVE-2016-1752)\n\n - An integer overflow condition exists in the kernel due to improper validation of user-supplied input. 
An unauthenticated, remote attacker can exploit this, via a crafted application, to gain elevated privileges.\n (CVE-2016-1753)\n\n - A memory corruption issue exists in the kernel due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to install a malicious application, to cause a denial of service or execute arbitrary code.\n (CVE-2016-1754)\n\n - A use-after-free error exists in the AppleKeyStore user client when handling multiple threads, which is triggered when one thread closes the user client while another attempts to call an external method. An unauthenticated, remote attacker can exploit this, by convincing a user to install a malicious application, to execute arbitrary code with elevated privileges.\n (CVE-2016-1755)\n\n - A flaw exists in libxml2 due to improper validation of user-supplied input while handling XML content. An unauthenticated, remote attacker can exploit this, via a crafted XML document, to cause a denial of service or to execute arbitrary code. (CVE-2016-1762)\n\n - An out-of-bounds write error exists in TrueTypeScaler due to improper validation of user-supplied input while handling bdat tables in TTF fonts. An unauthenticated, remote attacker can exploit this, via a crafted TTF font, to cause a denial of service or to execute arbitrary code. (CVE-2016-1775)\n\n - A flaw exists in WebKit due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a crafted website, to cause a denial of service or execute arbitrary code.\n (CVE-2016-1783)\n\n - An unspecified flaw exists in the History implementation of WebKit that allows an unauthenticated, remote attacker to cause a denial of service via a crafted website. (CVE-2016-1784)\n\n - A heap buffer overflow condition exists in Mozilla Network Security Services due to improper validation of user-supplied input while parsing ASN.1 structures. 
An unauthenticated, remote attacker can exploit this, via crafted ASN.1 data in an X.509 certificate, to cause a denial of service or execute arbitrary code.\n (CVE-2016-1950)\n\nNote that only 4th generation models are affected by these vulnerabilities, and this plugin only checks these models.", "published": "2016-04-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90309", "cvelist": ["CVE-2015-8659", "CVE-2016-1783", "CVE-2015-5312", "CVE-2016-1762", "CVE-2016-1752", "CVE-2016-1740", "CVE-2016-1775", "CVE-2015-7500", "CVE-2016-0802", "CVE-2015-8242", "CVE-2015-1819", "CVE-2015-7499", "CVE-2016-1754", "CVE-2016-1950", "CVE-2016-1750", "CVE-2016-1748", "CVE-2016-0801", "CVE-2016-1755", "CVE-2016-1751", "CVE-2016-1784", "CVE-2016-1753", "CVE-2015-7942", "CVE-2015-8035"], "lastseen": "2018-03-10T06:20:30"}, {"id": "MACOSX_10_11_4.NASL", "type": "nessus", "title": "Mac OS X 10.11.x < 10.11.4 Multiple Vulnerabilities", "description": "The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.4. 
It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - apache_mod_php\n - AppleRAID\n - AppleUSBNetworking\n - Bluetooth\n - Carbon\n - dyld\n - FontParser\n - HTTPProtocol\n - Intel Graphics Driver\n - IOFireWireFamily\n - IOGraphics\n - IOHIDFamily\n - IOUSBFamily\n - Kernel\n - libxml2\n - Messages\n - NVIDIA Graphics Drivers\n - OpenSSH\n - OpenSSL\n - Python\n - QuickTime\n - Reminders\n - Ruby\n - Security\n - Tcl\n - TrueTypeScaler\n - Wi-Fi\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "published": "2016-03-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90096", "cvelist": ["CVE-2016-1746", "CVE-2016-1734", "CVE-2015-8659", "CVE-2016-1773", "CVE-2015-8126", "CVE-2016-1768", "CVE-2016-1758", "CVE-2015-5312", "CVE-2016-1761", "CVE-2015-3195", "CVE-2016-1744", "CVE-2016-1762", "CVE-2016-1737", "CVE-2015-7551", "CVE-2016-1738", "CVE-2016-1756", "CVE-2016-1747", "CVE-2016-1752", "CVE-2016-1736", "CVE-2016-1740", "CVE-2016-1743", "CVE-2016-1775", "CVE-2016-1749", "CVE-2015-7500", "CVE-2016-0802", "CVE-2015-8242", "CVE-2016-1770", "CVE-2016-1757", "CVE-2015-1819", "CVE-2015-7499", "CVE-2016-1741", "CVE-2016-1759", "CVE-2016-1745", "CVE-2016-1732", "CVE-2016-1769", "CVE-2016-1754", "CVE-2015-0973", "CVE-2016-1950", "CVE-2016-1750", "CVE-2016-1748", "CVE-2014-9495", "CVE-2016-0801", "CVE-2015-8472", "CVE-2016-1764", "CVE-2016-0778", "CVE-2016-1755", "CVE-2016-1767", "CVE-2016-1753", "CVE-2016-1733", "CVE-2016-1788", "CVE-2016-1735", "CVE-2015-7942", "CVE-2015-8035", "CVE-2016-0777"], "lastseen": "2017-10-29T13:41:23"}], "openvas": [{"id": "OPENVAS:1361412562310806942", "type": "openvas", "title": "Fedora Update for nghttp2 FEDORA-2016-54", "description": "Check the version of nghttp2", "published": "2016-01-08T00:00:00", "cvss": {"score": 10.0, 
"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806942", "cvelist": ["CVE-2015-8659"], "lastseen": "2017-07-25T10:54:43"}, {"id": "OPENVAS:1361412562310807105", "type": "openvas", "title": "Fedora Update for nghttp2 FEDORA-2016-8", "description": "Check the version of nghttp2", "published": "2016-01-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807105", "cvelist": ["CVE-2015-8659"], "lastseen": "2017-07-25T10:55:15"}, {"id": "OPENVAS:1361412562310806693", "type": "openvas", "title": "Apple Mac OS X Multiple Vulnerabilities-01 March-2016", "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "published": "2016-04-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806693", "cvelist": ["CVE-2016-1746", "CVE-2016-1734", "CVE-2015-8659", "CVE-2016-1773", "CVE-2015-8126", "CVE-2016-1768", "CVE-2016-1758", "CVE-2015-5312", "CVE-2016-1761", "CVE-2015-3195", "CVE-2016-1744", "CVE-2016-1762", "CVE-2016-1737", "CVE-2016-1765", "CVE-2015-7551", "CVE-2016-1738", "CVE-2016-1756", "CVE-2016-1747", "CVE-2016-1752", "CVE-2016-1736", "CVE-2016-1740", "CVE-2016-1743", "CVE-2016-1775", "CVE-2016-1749", "CVE-2015-7500", "CVE-2016-0802", "CVE-2015-8242", "CVE-2016-1770", "CVE-2016-1757", "CVE-2015-1819", "CVE-2015-7499", "CVE-2016-1741", "CVE-2016-1759", "CVE-2016-1745", "CVE-2016-1732", "CVE-2016-1769", "CVE-2016-1754", "CVE-2015-0973", "CVE-2016-1950", "CVE-2016-1750", "CVE-2016-1748", "CVE-2014-9495", "CVE-2016-0801", "CVE-2015-8472", "CVE-2016-1764", "CVE-2016-0778", "CVE-2016-1755", "CVE-2016-1767", "CVE-2016-1753", "CVE-2016-1733", "CVE-2016-1788", "CVE-2016-1735", "CVE-2015-7942", "CVE-2015-8035", 
"CVE-2016-0777"], "lastseen": "2017-07-02T21:12:55"}], "gentoo": [{"id": "GLSA-201612-06", "type": "gentoo", "title": "nghttp2: Heap-use-after-free", "description": "### Background\n\nNghttp2 is an implementation of HTTP/2 and its header compression algorithm HPACK in C. \n\n### Description\n\nA heap-use-after-free vulnerability has been discovered in nghttp2. Please review the CVE identifier referenced below for details. \n\n### Impact\n\nThe impact of the vulnerability is still unknown.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll nghttp2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/nghttp2-1.6.0\"", "published": "2016-12-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201612-06", "cvelist": ["CVE-2015-8659"], "lastseen": "2016-12-04T12:54:41"}], "freebsd": [{"id": "93EADEDB-C6A6-11E5-96D6-14DAE9D210B8", "type": "freebsd", "title": "nghttp2 -- use after free", "description": "\nnghttp2 reports:\n\nThis release fixes heap-use-after-free bug in idle stream\n\t handling code. 
We strongly recommend to upgrade the older installation\n\t to this latest version as soon as possible.\n\n", "published": "2015-12-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/93eadedb-c6a6-11e5-96d6-14dae9d210b8.html", "cvelist": ["CVE-2015-8659"], "lastseen": "2016-09-26T17:24:09"}], "archlinux": [{"id": "ASA-201512-16", "type": "archlinux", "title": "nghttp2: use-after-free", "description": "nghttp2 1.6.0 fixes a heap-based use-after-free bug in idle stream\nhandling code, where an idle/closed stream could possibly be destroyed\nwhile it was still referenced.", "published": "2015-12-25T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-December/000476.html", "cvelist": ["CVE-2015-8659"], "lastseen": "2016-09-02T18:44:40"}], "thn": [{"id": "THN:44328854BF203ACB7E982DBBF6C4EB40", "type": "thn", "title": "4 Flaws hit HTTP/2 Protocol that could allow Hackers to Disrupt Servers", "description": "[](<https://3.bp.blogspot.com/-Lwd_kzndPGI/V6JOCkxW1wI/AAAAAAAApDE/I69ZkMsBczwYHWh7F85dITwXIT1w6ZQuQCLcB/s1600/http2.png>)\n\nIf you think that the [HTTP/2 protocol](<http://thehackernews.com/2015/02/http2-fast-websites.html>) is more secure than the standard HTTP (_Hypertext Transfer Protocol_), then you might be wrong, as it took researchers just four months to discover four flaws in the HTTP/2 protocol. \n \nHTTP/2 was launched properly just in May last year after Google bundled its [SPDY project](<http://www.chromium.org/spdy/spdy-whitepaper>) into HTTP/2 in February in an effort to speed up the loading of web pages as well as the browsing experience of the online users. 
\n \nNow, security researchers from data center security vendor Imperva today at Black Hat conference [revealed](<http://blog.imperva.com/2016/08/http2-faster-and-better-than-http-11-but-is-it-more-secure.html>) details on at least four high-profile vulnerabilities in HTTP/2 \u2013 a major revision of the HTTP network protocol that the today\u2019s web is based on. \n \nThe vulnerabilities allow attackers to slow web servers by flooding them with innocent looking messages that carry a payload of gigabytes of data, putting the servers into infinite loops and even causing them to crash. \n \nThe HTTP/2 protocol can be divided into three layers: \n\n\n[](<https://1.bp.blogspot.com/-NpKvVUeReZ4/V6JG0qjkV_I/AAAAAAAApCM/1GYtUbyd8icPAcWxmRcqEtqahoo1Md_BgCLcB/s1600/http2-nginx-working.png>)\n\n \n \n\n\n * The transmission layer that includes streams, frames and flow control\n * The HPACK binary encoding and compression protocol\n * The semantic layer \u2013 an enhanced version of HTTP/1.1 enriched with server-push capabilities.\n \nThe researchers took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2 and discovered exploitable flaws in all major HTTP/2 implementations, including two that are similar to well-known and widely exploited bugs in HTTP/1.x. \n \n\n\n### The four key vulnerabilities found in HTTP/2 include:\n\n \n\n\n#### 1\\. Slow Read (CVE-2016-1546)\n\n[](<https://1.bp.blogspot.com/-xPtRvSYoQRA/V6JHp4FfFZI/AAAAAAAApCc/5WtHZDfB4b0E7WxnVp0gBUBhzfJfCAHxgCLcB/s1600/http2-nginx-security.png>)\n\nThis attack is identical to the well-known Slowloris DDoS (distributed denial-of-service) attack that major credit card processors experienced in 2010. The Slow Read attack calls on a malicious client to read responses very slowly. \n \nThe Slow Read attacks were well-studied in the HTTP/1.x ecosystem and they are still alive in the application layer of HTTP/2 implementations. 
\n\n\n> \"The Imperva Defence Centre identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2,\" says Imperva.\n\n \n\n\n#### 2\\. HPACK Bomb (CVE-2016-1544, CVE-2016-2525)\n\n[](<https://2.bp.blogspot.com/-uJmDBCrXR5k/V6JHXc91RjI/AAAAAAAApCU/PjiGdFuRnE8-s0uRyFkLPOjIdqw-BcfEwCLcB/s1600/http2-nginx.png>)\n\nHPACK Bomb is a compression layer attack that resembles a zip bomb attack or a 'decompression bomb'. \n \nHPACK is used to reduce the size of packet headers. Basically, the sender can tell the receiver the maximum size of the header compression table used to decode the headers. \n \nIn this attack, a potential hacker creates small and innocent-looking messages that actually unpack into gigabytes of data on the server, thereby consuming all the server memory resources and effectively slowing down or crashing targeted systems. \n \nImperva created a header that was 4KB size -- the same size as the entire compression table. Then on the same connection, it opened up new streams with each stream that referred to the initial header as many times as possible (up to 16K of header references). \n \nAfter sending 14 such streams, the connection consumed 896MB of server memory after decompression, which crashed the server, Imperva researchers explain. \n \n\n\n#### 3\\. Dependency Cycle Attack (CVE-2015-8659)\n\n[](<https://4.bp.blogspot.com/-ZsQ_1U6kd_o/V6JIXh6xr2I/AAAAAAAApCk/i8B9EVo9zGUY_SQdg1cYvhbOrYhU_Xc5QCLcB/s1600/http2-security.png>)\n\nThis attack leverages the flow control mechanisms that HTTP/2 uses for network optimization. \n \nA bad intent client can use specially crafted requests to prompt a dependency cycle, thus forcing the server into an infinite loop. \n \nThe flaw could allow an attacker to cause _Denial of Service (DoS)_ or even run arbitrary code on a vulnerable system. \n \n\n\n#### 4\\. 
Stream Multiplexing Abuse (CVE-2016-0150)\n\n[](<https://2.bp.blogspot.com/-c1jx52aV518/V6JI0mtvQOI/AAAAAAAApCw/6-dFKquQGVQUm69QJsa1t9sVWVj5TJ4sACLcB/s1600/Stream-Multiplexing-Abuse.png>)\n\nThe attack allows an attacker to exploit vulnerabilities in the way servers implement the stream multiplexing functionality in order to crash the server. This attack eventually results in a denial of service (DoS) to legitimate users. \n \nAll the four vulnerabilities have already been fixed in HTTP/2, which is currently being used by some 85 Million websites, or around 9 percent of all websites, on the Internet, according to W3Techs. \n \nHere's what Imperva co-founder and chief technology officer Amichai Shulman says: \n\n\n> \"The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users. However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers.\" \n\n> \"While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it\u2019s hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats.\"\n\nThe vulnerabilities took advantage of HTTP/2 features that were meant to reduce bandwidth use and round trips while speeding up the loading time of websites. \n \nAccording to Imperva researchers, implementing a web application firewall (WAF) with virtual patching capabilities can help enterprises protect their critical data and applications from cyber attack while introducing HTTP/2. 
\n \nYou can get more details of Imperva\u2019s research in a report [[PDF](<http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf>)] dubbed \"_HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol_.\"\n", "published": "2016-08-03T09:10:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://thehackernews.com/2016/08/http2-protocol-security.html", "cvelist": ["CVE-2016-0150", "CVE-2016-1546", "CVE-2015-8659", "CVE-2016-1544", "CVE-2016-2525"], "lastseen": "2017-01-08T18:00:22"}, {"id": "THN:35D65655AF3E2530CD06D90BAC7FBED8", "type": "thn", "title": "4 Flaws hit HTTP/2 Protocol that could allow Hackers to Disrupt Servers", "description": "[](<https://3.bp.blogspot.com/-Lwd_kzndPGI/V6JOCkxW1wI/AAAAAAAApDE/I69ZkMsBczwYHWh7F85dITwXIT1w6ZQuQCLcB/s1600/http2.png>)\n\nIf you think that the [HTTP/2 protocol](<https://thehackernews.com/2015/02/http2-fast-websites.html>) is more secure than the standard HTTP (_Hypertext Transfer Protocol_), then you might be wrong, as it took researchers just four months to discover four flaws in the HTTP/2 protocol. \n \nHTTP/2 was launched properly just in May last year after Google bundled its [SPDY project](<https://www.chromium.org/spdy/spdy-whitepaper>) into HTTP/2 in February in an effort to speed up the loading of web pages as well as the browsing experience of the online users. \n \nNow, security researchers from data center security vendor Imperva today at Black Hat conference [revealed](<http://blog.imperva.com/2016/08/http2-faster-and-better-than-http-11-but-is-it-more-secure.html>) details on at least four high-profile vulnerabilities in HTTP/2 \u2013 a major revision of the HTTP network protocol that the today\u2019s web is based on. 
\n \nThe vulnerabilities allow attackers to slow web servers by flooding them with innocent looking messages that carry a payload of gigabytes of data, putting the servers into infinite loops and even causing them to crash. \n \nThe HTTP/2 protocol can be divided into three layers: \n\n\n[](<https://1.bp.blogspot.com/-NpKvVUeReZ4/V6JG0qjkV_I/AAAAAAAApCM/1GYtUbyd8icPAcWxmRcqEtqahoo1Md_BgCLcB/s1600/http2-nginx-working.png>)\n\n \n \n\n\n * The transmission layer that includes streams, frames and flow control\n * The HPACK binary encoding and compression protocol\n * The semantic layer \u2013 an enhanced version of HTTP/1.1 enriched with server-push capabilities.\n \nThe researchers took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2 and discovered exploitable flaws in all major HTTP/2 implementations, including two that are similar to well-known and widely exploited bugs in HTTP/1.x. \n \n\n\n### The four key vulnerabilities found in HTTP/2 include:\n\n \n\n\n#### 1\\. Slow Read (CVE-2016-1546)\n\n[](<https://1.bp.blogspot.com/-xPtRvSYoQRA/V6JHp4FfFZI/AAAAAAAApCc/5WtHZDfB4b0E7WxnVp0gBUBhzfJfCAHxgCLcB/s1600/http2-nginx-security.png>)\n\nThis attack is identical to the well-known Slowloris DDoS (distributed denial-of-service) attack that major credit card processors experienced in 2010. The Slow Read attack calls on a malicious client to read responses very slowly. \n \nThe Slow Read attacks were well-studied in the HTTP/1.x ecosystem and they are still alive in the application layer of HTTP/2 implementations. \n\n\n> \"The Imperva Defence Centre identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2,\" says Imperva.\n\n \n\n\n#### 2\\. 
HPACK Bomb (CVE-2016-1544, CVE-2016-2525)\n\n[](<https://2.bp.blogspot.com/-uJmDBCrXR5k/V6JHXc91RjI/AAAAAAAApCU/PjiGdFuRnE8-s0uRyFkLPOjIdqw-BcfEwCLcB/s1600/http2-nginx.png>)\n\nHPACK Bomb is a compression layer attack that resembles a zip bomb attack or a 'decompression bomb'. \n \nHPACK is used to reduce the size of packet headers. Basically, the sender can tell the receiver the maximum size of the header compression table used to decode the headers. \n \nIn this attack, a potential hacker creates small and innocent-looking messages that actually unpack into gigabytes of data on the server, thereby consuming all the server memory resources and effectively slowing down or crashing targeted systems. \n \nImperva created a header that was 4KB size -- the same size as the entire compression table. Then on the same connection, it opened up new streams with each stream that referred to the initial header as many times as possible (up to 16K of header references). \n \nAfter sending 14 such streams, the connection consumed 896MB of server memory after decompression, which crashed the server, Imperva researchers explain. \n \n\n\n#### 3\\. Dependency Cycle Attack (CVE-2015-8659)\n\n[](<https://4.bp.blogspot.com/-ZsQ_1U6kd_o/V6JIXh6xr2I/AAAAAAAApCk/i8B9EVo9zGUY_SQdg1cYvhbOrYhU_Xc5QCLcB/s1600/http2-security.png>)\n\nThis attack leverages the flow control mechanisms that HTTP/2 uses for network optimization. \n \nA bad intent client can use specially crafted requests to prompt a dependency cycle, thus forcing the server into an infinite loop. \n \nThe flaw could allow an attacker to cause _Denial of Service (DoS)_ or even run arbitrary code on a vulnerable system. \n \n\n\n#### 4\\. 
Stream Multiplexing Abuse (CVE-2016-0150)\n\n[](<https://2.bp.blogspot.com/-c1jx52aV518/V6JI0mtvQOI/AAAAAAAApCw/6-dFKquQGVQUm69QJsa1t9sVWVj5TJ4sACLcB/s1600/Stream-Multiplexing-Abuse.png>)\n\nThe attack allows an attacker to exploit vulnerabilities in the way servers implement the stream multiplexing functionality in order to crash the server. This attack eventually results in a denial of service (DoS) to legitimate users. \n \nAll the four vulnerabilities have already been fixed in HTTP/2, which is currently being used by some 85 Million websites, or around 9 percent of all websites, on the Internet, according to W3Techs. \n \nHere's what Imperva co-founder and chief technology officer Amichai Shulman says: \n\n\n> \"The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users. However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers.\" \n\n> \"While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it\u2019s hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats.\"\n\nThe vulnerabilities took advantage of HTTP/2 features that were meant to reduce bandwidth use and round trips while speeding up the loading time of websites. \n \nAccording to Imperva researchers, implementing a web application firewall (WAF) with virtual patching capabilities can help enterprises protect their critical data and applications from cyber attack while introducing HTTP/2. 
\n \nYou can get more details of Imperva\u2019s research in a report [[PDF](<http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf>)] dubbed \"_HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol_.\"\n", "published": "2016-08-03T09:10:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://thehackernews.com/2016/08/http2-protocol-security.html", "cvelist": ["CVE-2016-0150", "CVE-2016-1546", "CVE-2015-8659", "CVE-2016-1544", "CVE-2016-2525"], "lastseen": "2018-01-27T09:18:10"}]}}