HTTP Bugs Open Websites to DoS Attacks

Eight bugs in the implementation of HTTP/2, the most recent version of the HTTP protocol, can be exploited to launch denial of service attacks. The flaws were found in vendor server configurations ranging from Amazon, Google, Microsoft and Apache.

Bugs are similar in nature and can be exploited by adversaries to conduct a denial of service (DoS) attack and disrupt internet services and deny access to websites. According Cloudflare, carrying out attacks “should be fairly easy for someone who understands HTTP/2 internals and DoS attacks.”

Cloudflare, which uses NGINX software to handle HTTP/2, said it has patched all instances of vulnerable software. “As soon as we became aware of these vulnerabilities, Cloudflare’s Protocols team started working on fixing them,” it wrote in a statement.
Apple also released fixes for its implantation of HTTP/2 (SwiftNIO), noting to its customers that an attack on a server “may consume unbounded amounts of memory when receiving certain traffic patterns and eventually suffer resource exhaustion.”

HTTP/2 is an update to the HTTP protocol, introduced in 2015. The update was meant as a faster, simpler, and more robust alternative to HTTP/1. Hypertext Transfer Protocol (HTTP) is a fundamental protocol used on the internet for data exchange on the Web.

A technical analysis of the bugs by Tenable research describes an attack against a vulnerable HTTP/2 server implementation as such:

“A client (“the attacker”) can exploit these HTTP/2 vulnerabilities by sending specially crafted requests to vulnerable servers. While these requests will vary, a vulnerable server will attempt to process the request and attempt to send a response. However, the malicious client ignores the response, leading to excess consumption of resources, which would result in a denial of service (DoS).”

Netflix’s researcher Jonathan Looney is credited for finding seven of the bugs (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517). Piotr Sikora of Google, Envoy Security Team, is credited for finding an additional bug (CVE-2019-9518).

A complete list of vendors impacted include: Apple, Akamai, Ambassador (API Gateway), Apache Traffic Server, Cloudflare, Envoy (Proxy), Google (Golang), Microsoft, Netty Project, nghttp2, Nginx, Node.js and Swift.

_Interested in more on the internet of things (IoT)? Don’t miss our free _Threatpost webinar_, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. _Click here to register.