Dangerous DoS vulnerabilities detected in HTTP / 2 implementations
Vulnerabilities affect products from vendors such as Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js, and Ubuntu.
Researchers from Netflix and Google have discovered a number of vulnerabilities in several implementations of the HTTP / 2 protocol. Exploitation of vulnerabilities allows attackers to cause a denial of service on non-updated servers.
Problems affect servers that support HTTP / 2. According to W3Techs statistics, this represents 40.0% of all websites on the Internet.
In total, eight vulnerabilities were discovered that could be exploited remotely. According to the researchers, all attack vectors are variations of the same scheme when a client provokes a response from a vulnerable server and then refuses to read it. Depending on the server’s ability to manage queues, the client is able to use its excessive memory and CPU to process incoming requests.
Vulnerabilities were assigned the following CVEs: CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517 and CVE- 2019-9518. Their exploitation allows an attacker to request a huge amount of data over several streams, send long ping HTTP / 2-peer and stream frames or headers without names and values to the vulnerable server. Depending on how the data is queued and consumes excess CPU resources, this can lead to a denial of service.
According to the CERT focal point, vulnerabilities affect products from vendors such as Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js, and Ubuntu. Some companies have already fixed the detected problem, and also recorded several unsuccessful attacks by attackers.