The HTTP/2 server implementations from a long list of vendors, including Amazon, Apple, Microsoft, and Apache, are susceptible to several newly disclosed attacks that can exhaust the resources of a target server with minimal effort from an attacker.
The eight new vulnerabilities are similar in their effects, although they differ in the details of how each one is triggered. Researchers from Netflix and Google discovered the vulnerabilities and worked with the CERT/CC at Carnegie Mellon University to notify vendors and help produce patches, some of which were published yesterday alongside the public disclosure. All of the vulnerabilities are variations on denial-of-service conditions; none of them allows an attacker to execute arbitrary code or take any other malicious action on a vulnerable server.
“These attack vectors allow a remote attacker to consume excessive system resources. Some are efficient enough that a single end-system could potentially cause havoc on multiple servers. Other attacks are less efficient; however, even less efficient attacks can open the door for DDoS attacks which are difficult to detect and block,” the vulnerability advisory from Netflix says.
“Many of the attack vectors we found (and which were fixed today) are variants on a theme: a malicious client asks the server to do something which generates a response, but the client refuses to read the response. This exercises the server’s queue management code. Depending on how the server handles its queues, the client can force it to consume excess memory and CPU while processing its requests.”
HTTP/2 is an update to the foundational HTTP protocol and is designed to provide faster and more efficient browsing. The protocol is supported by about 40 percent of the top 10 million sites, including Google, Twitter, Amazon, and YouTube. Those sites also support HTTP/1.1, the previous version of the protocol.
A quick mitigation for all of these attacks, in cases where a patch is not available or can’t be applied right away, is to disable HTTP/2 support so that clients fall back to HTTP/1.1. Attacks on these weaknesses are not highly complex or resource-intensive, so the bar for an adversary to take advantage of one of them is relatively low. For example, the so-called Data Dribble weakness (CVE-2019-9511) requires only that an attacker request large responses over multiple streams and then throttle how quickly it is willing to accept them.
“The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service,” the advisory says.
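The queueing behaviour the advisory describes, as an added example that is not part of the original article or of any affected server: a toy model of server-side HTTP/2 flow control in Python. The naive path emits one DATA frame for every byte of window the client grants, so a client that advertises 1-byte windows forces the server to build and account for one frame (plus a 9-byte frame header, per RFC 7540 section 4.1) per byte of response. The hardened path waits until the window covers a reasonable frame and resets the stream after too many tiny WINDOW_UPDATEs. The thresholds `MIN_DATA_FRAME` and `MAX_TINY_UPDATES`, the names, and the reset-on-abuse rule are assumptions chosen for illustration, not the logic of any real fix.

```python
"""Toy model of server-side HTTP/2 flow control, illustrating the "Data Dribble"
pattern (CVE-2019-9511). Constructed example: not the code of any affected
server or of the Netflix advisory. Assumed values are marked as such.
"""
from dataclasses import dataclass, field
from typing import List

# RFC 7540 section 4.1: every frame carries a 9-byte header on the wire.
FRAME_HEADER_BYTES = 9

# Hypothetical hardening knobs (assumed values, not from any real server):
MIN_DATA_FRAME = 1024     # do not emit DATA frames smaller than this ...
MAX_TINY_UPDATES = 8      # ... and reset a stream after this many tiny WINDOW_UPDATEs


@dataclass
class Stream:
    stream_id: int
    body: bytes                       # response the client requested
    window: int = 0                   # bytes the peer currently lets us send
    sent: int = 0                     # bytes of body already emitted
    frames: List[int] = field(default_factory=list)  # payload size of each DATA frame
    tiny_updates: int = 0             # WINDOW_UPDATEs below MIN_DATA_FRAME seen so far
    reset: bool = False               # True once the server has sent RST_STREAM


def flush_naive(s: Stream) -> None:
    """Vulnerable behaviour: emit a DATA frame for whatever the window allows.

    With 1-byte windows this produces one frame per byte of response, and the
    server pays the per-frame allocation and queueing cost every time.
    """
    while not s.reset and s.window > 0 and s.sent < len(s.body):
        n = min(s.window, len(s.body) - s.sent)
        s.frames.append(n)
        s.sent += n
        s.window -= n


def flush_hardened(s: Stream) -> None:
    """Hardened behaviour: only emit DATA once the window covers a reasonable
    frame (or the tail of the body), so tiny windows cannot fragment output."""
    while not s.reset and s.window > 0 and s.sent < len(s.body):
        remaining = len(s.body) - s.sent
        if s.window < min(MIN_DATA_FRAME, remaining):
            break                      # accumulate window instead of dribbling
        n = min(s.window, remaining)
        s.frames.append(n)
        s.sent += n
        s.window -= n


def window_update(s: Stream, increment: int, hardened: bool) -> None:
    """Handle one WINDOW_UPDATE frame from the client on this stream."""
    if s.reset:
        return
    s.window += increment
    if not hardened:
        flush_naive(s)
        return
    if increment < MIN_DATA_FRAME:
        s.tiny_updates += 1
        if s.tiny_updates > MAX_TINY_UPDATES:
            s.reset = True             # hypothetical: RST_STREAM(ENHANCE_YOUR_CALM)
            return
    flush_hardened(s)


def simulate(body: bytes, increments: List[int], hardened: bool) -> Stream:
    """Replay a sequence of client WINDOW_UPDATE increments against one stream."""
    s = Stream(stream_id=1, body=body)
    for inc in increments:
        window_update(s, inc, hardened)
        if s.reset:
            break
    return s


def wire_bytes(s: Stream) -> int:
    """Bytes actually put on the wire: payload plus one header per DATA frame."""
    return s.sent + FRAME_HEADER_BYTES * len(s.frames)


if __name__ == "__main__":
    body = b"x" * 4096                                 # constructed 4 KiB response
    dribble = [1] * len(body)                          # attacker: 1-byte windows
    naive = simulate(body, dribble, hardened=False)
    hard = simulate(body, dribble, hardened=True)
    normal = simulate(body, [65535], hardened=True)    # well-behaved client
    print("naive:    frames=%d wire=%d" % (len(naive.frames), wire_bytes(naive)))
    print("hardened: frames=%d reset=%s" % (len(hard.frames), hard.reset))
    print("normal:   frames=%d wire=%d" % (len(normal.frames), wire_bytes(normal)))
```

Running the model with a 4 KiB body and 1-byte windows, the naive server emits 4096 DATA frames and puts ten times the payload on the wire, while the hardened server emits nothing and resets the stream after the ninth tiny update; a well-behaved client advertising the default 65,535-byte window gets the whole body in a single frame either way. The hardened path also still serves a legitimately slow client: several 512-byte updates are coalesced into 1024-byte frames rather than rejected, because the tiny-update budget is only exhausted by sustained dribbling. Real servers combine this kind of rate limit with bounds on priority changes and on the number of queued frames, which this toy model does not attempt to reproduce.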
These weaknesses affect not only individual sites but also some of the larger content delivery networks and hosting providers. Engineers at Cloudflare were notified of the vulnerabilities a few weeks ago and set about patching affected servers immediately.
“As soon as we became aware of these vulnerabilities, Cloudflare’s Protocols team started working on fixing them. We first pushed a patch to detect any attack attempts and to see if any normal traffic would be affected by our mitigations. This was followed up with work to mitigate these vulnerabilities; we pushed the changes out a few weeks ago and continue to monitor similar attacks on our stack,” Ahamed Nafeez of Cloudflare said in a post on the company’s response.