Researchers from Netflix and Google have discovered many vulnerabilities in several implementations of the HTTP / 2 protocol. Exploitation of vulnerabilities allows attackers to cause denial of service on non-updated servers.
Servers that support HTTP / 2 affected by the problems. According to W3Techs statistics, this represents 40.0% of all websites on the Internet.“Vulnerabilities allow a small number of low bandwidth malicious sessions to prevent connection participants from doing additional work. These attacks are likely to exhaust resources such that other connections or processes on the same machine may also be impacted or crash”, — report in Netflix.
In total, were discovered eight vulnerabilities that can be remotely exploited. According to the researchers, all attack vectors are variations of the same scheme when a client provokes a response from a vulnerable server and then refuses to read it.
Read also: DNS attacks endanger millions of IoT devices
Depending on the server’s ability to manage queues, the client is able to use its excessive memory and CPU to process incoming requests.
Vulnerabilities were assigned the following CVEs: CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517 and CVE-2019-9518.
Their exploitation allows an attacker to request a huge amount of data over several streams, send long ping HTTP / 2-peer and stream frames or headers without names and values to the vulnerable server. Depending on how the data is queues and consumes excessive CPU resources, this can lead to a denial of service.
Workarounds and Fixes
In most cases, an immediate workaround is to disable HTTP/2 support. However, this may cause performance degradation, and it might not be possible in all cases. To obtain software fixes, please contact your software vendor.