[LACNIC/Seguridad] Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service (DoS) attacks.

Lucimara Desiderá lucimara en cert.br
Wed Aug 14 11:26:51 -03 2019


https://www.kb.cert.org/vuls/id/605641/


HTTP/2 implementations do not robustly handle abnormal traffic and
resource exhaustion

Vulnerability Note VU#605641

Original Release Date: 2019-08-13 | Last Revised: 2019-08-13

Overview

Multiple HTTP/2 implementations are vulnerable to a variety of
denial-of-service (DoS) attacks.

Description

The Security Considerations section of RFC7540 discusses some of the
considerations needed for HTTP/2 connections, as they demand more
resources to operate than HTTP/1.1 connections. While it generally
covers expected behavior, how to mitigate abnormal behavior is left to
the implementer, which can leave implementations open to the following
weaknesses.

CVE-2019-9511, also known as Data Dribble
The attacker requests a large amount of data from a specified resource
over multiple streams. They manipulate window size and stream priority
to force the server to queue the data in 1-byte chunks. Depending on how
efficiently this data is queued, this can consume excess CPU, memory, or
both, potentially leading to a denial of service.

CVE-2019-9512, also known as Ping Flood
The attacker sends continual pings to an HTTP/2 peer, causing the peer
to build an internal queue of responses. Depending on how efficiently
this data is queued, this can consume excess CPU, memory, or both,
potentially leading to a denial of service.

CVE-2019-9513, also known as Resource Loop
The attacker creates multiple request streams and continually shuffles
the priority of the streams in a way that causes substantial churn to
the priority tree. This can consume excess CPU, potentially leading to a
denial of service.

CVE-2019-9514, also known as Reset Flood
The attacker opens a number of streams and sends an invalid request over
each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can
consume excess memory, CPU, or both, potentially leading to a denial of
service.

CVE-2019-9515, also known as Settings Flood
The attacker sends a stream of SETTINGS frames to the peer. Since the
RFC requires that the peer reply with one acknowledgement per SETTINGS
frame, an empty SETTINGS frame is almost equivalent in behavior to a
ping. Depending on how efficiently this data is queued, this can consume
excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9516, also known as 0-Length Headers Leak
The attacker sends a stream of headers with a 0-length header name and
0-length header value, optionally Huffman encoded into 1-byte or greater
headers. Some implementations allocate memory for these headers and keep
the allocation alive until the session dies. This can consume excess
memory, potentially leading to a denial of service.

CVE-2019-9517, also known as Internal Data Buffering
The attacker opens the HTTP/2 window so the peer can send without
constraint; however, they leave the TCP window closed so the peer cannot
actually write (many of) the bytes on the wire. The attacker then sends
a stream of requests for a large response object. Depending on how the
servers queue the responses, this can consume excess memory, CPU, or
both, potentially leading to a denial of service.

CVE-2019-9518, also known as Empty Frame Flooding
The attacker sends a stream of frames with an empty payload and without
the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION
and/or PUSH_PROMISE. The peer spends time processing each frame
disproportionate to attack bandwidth. This can consume excess CPU,
potentially leading to a denial of service.
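Added illustration, not part of the CERT note or of any vendor's fix: a Python sketch that decodes the RFC 7540 frame header and applies one defensive pattern against the flood-style weaknesses above (Ping Flood, Settings Flood, Resource Loop, Empty Frame Flooding). Frames that cost the server work but make no request progress are charged against a per-connection budget that only grows when the peer does useful work; the budget sizes and the `ControlFrameBudget` design are assumptions chosen for the example.

```python
# HTTP/2 frame types and flags (RFC 7540, sections 4.1 and 6)
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0x0, 0x1, 0x2, 0x3, 0x4
PUSH_PROMISE, PING, WINDOW_UPDATE, CONTINUATION = 0x5, 0x6, 0x8, 0x9
FLAG_END_STREAM = 0x1   # on DATA / HEADERS
FLAG_ACK = 0x1          # on SETTINGS / PING

def pack_frame(ftype, flags, stream_id, payload=b""):
    """Build one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def iter_frames(buf):
    """Yield (length, type, flags, stream_id) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        if off + 9 + length > len(buf):
            break  # truncated frame: wait for more bytes
        yield length, ftype, flags, sid
        off += 9 + length

class ControlFrameBudget:
    """Assumed per-connection heuristic: wasteful frames are allowed up to
    base + per_useful * (frames that carried request progress)."""
    def __init__(self, base=50, per_useful=4):
        self.base, self.per_useful = base, per_useful
        self.wasteful = self.useful = 0

    def is_wasteful(self, length, ftype, flags):
        if ftype in (PING, SETTINGS):
            return not flags & FLAG_ACK            # Ping Flood / Settings Flood
        if ftype in (PRIORITY, WINDOW_UPDATE):
            return True                            # priority-tree / window churn
        if ftype in (DATA, HEADERS, CONTINUATION, PUSH_PROMISE):
            return length == 0 and not flags & FLAG_END_STREAM  # Empty Frame Flooding
        return False

    def observe(self, length, ftype, flags, stream_id):
        """False means: stop reading and close the connection (GOAWAY)."""
        if self.is_wasteful(length, ftype, flags):
            self.wasteful += 1
        elif ftype in (DATA, HEADERS) and (length > 0 or flags & FLAG_END_STREAM):
            self.useful += 1
        return self.wasteful <= self.base + self.per_useful * self.useful

def connection_survives(buf):
    """Run a captured byte stream through the budget; False if it trips."""
    budget = ControlFrameBudget()
    return all(budget.observe(*frame) for frame in iter_frames(buf))
```

A real server would additionally bound its own outbound RST_STREAM rate (Reset Flood) and the memory held for headers and queued responses (0-Length Headers Leak, Data Dribble, Internal Data Buffering), which a frame counter alone does not address.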

Impact

These attacks can consume excessive system resources, potentially enough
that a single end-system could cause issues on multiple servers that may
lead to Distributed DoS (DDoS) attacks.

Solution

Apply an update
Install the latest updates from HTTP/2 implementers.

Vendor Information

Please see this matrix of affected products and vulnerabilities.

Affected (partial list):

Amazon
Apache Traffic Server Project
Apple
Envoy
Facebook
Go Programming Language
gRPC
Microsoft
Netty
nghttp2
nginx
Node.js
Twisted
Ubuntu

(233 vendors in total)


CVSS Metrics

Group          Score   Vector
Base           0       AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal       0       E:ND/RL:ND/RC:ND
Environmental  0       CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

    https://tools.ietf.org/html/rfc7540
    https://tools.ietf.org/html/rfc7541
    https://github.com/Netflix/security-bulletins/blob/master/advisorie/third-party/2019-002.md
    https://blog.cloudflare.com/on-the-recent-http-2-dos-attacks/
    https://blogs.akamai.com/sitr/2019/08/http2-vulnerabilities.html

Acknowledgements

Thanks to Jonathan Looney of Netflix for reporting CVE-2019-9511,
CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516
and CVE-2019-9517. Thanks to Piotr Sikora of Google, Envoy Security Team,
for reporting CVE-2019-9518.

This document was written by Madison Oliver.

Other Information
CVE IDs: 	CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514,
CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518
Date Public: 	2019-08-13
Date First Published: 	2019-08-13
Date Last Updated: 	2019-08-13 19:38 UTC
Document Revision: 	32


More information about the Seguridad mailing list