Researchers discover dangerous DoS vulnerabilities in HTTP/2 implementations

Researchers from Netflix and Google have discovered many vulnerabilities in several implementations of the HTTP/2 protocol. Exploiting them allows attackers to cause denial of service on servers that have not been updated.

Servers that support HTTP/2 are affected by the problems. According to W3Techs statistics, this represents 40.0% of all websites on the Internet.

“Vulnerabilities allow a small number of low bandwidth malicious sessions to prevent connection participants from doing additional work. These attacks are likely to exhaust resources such that other connections or processes on the same machine may also be impacted or crash”, the Netflix report says.

In total, eight vulnerabilities that can be remotely exploited were discovered. According to the researchers, all attack vectors are variations of the same scheme, in which a client provokes a response from a vulnerable server and then refuses to read it.

Depending on how the server manages its queues, the client can force it to use excessive memory and CPU while processing incoming requests.

Vulnerabilities were assigned the following CVEs: CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517 and CVE-2019-9518.

Their exploitation allows an attacker to request a huge amount of data over several streams, send prolonged pings to an HTTP/2 peer, and send stream frames or headers without names and values to the vulnerable server. Depending on how the data is queued, this can consume excessive CPU resources and lead to a denial of service.
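
A defensive sketch of the pattern described above, added here as an example and not taken from the researchers or any vendor: it parses the 9-byte HTTP/2 frame header (RFC 7540) from a decrypted client-to-server byte stream and counts, per connection, the frames that oblige the server to do work or queue a reply. Counting SETTINGS and RST_STREAM goes beyond the frames this article names, and the `LIMITS` budgets, function names and sample captures are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# Frame type codes and flags from RFC 7540, section 6.
DATA, HEADERS, RST_STREAM, SETTINGS, PING, CONTINUATION = 0x0, 0x1, 0x3, 0x4, 0x6, 0x9
END_STREAM = ACK = 0x1
# Assumed per-connection budgets, chosen for illustration only.
LIMITS = {"ping": 100, "settings": 20, "rst_stream": 100, "empty_frame": 50}

def parse_frames(buf):
    """Yield (type, flags, stream_id, length) for each complete frame in buf.

    buf is decrypted client-to-server bytes after the 24-byte connection preface.
    """
    off = 0
    while off + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo          # 24-bit payload length
        if off + 9 + length > len(buf):   # truncated capture: stop cleanly
            break
        yield ftype, flags, sid & 0x7FFFFFFF, length  # top bit is reserved
        off += 9 + length

def audit(buf, limits=LIMITS):
    """Count frames that cost the server work or a queued reply; return (counts, flagged)."""
    counts = Counter()
    for ftype, flags, _sid, length in parse_frames(buf):
        if ftype == PING and not flags & ACK:
            counts["ping"] += 1            # each one obliges a PING ACK
        elif ftype == SETTINGS and not flags & ACK:
            counts["settings"] += 1        # each one obliges a SETTINGS ACK
        elif ftype == RST_STREAM:
            counts["rst_stream"] += 1
        elif length == 0 and (ftype in (HEADERS, CONTINUATION)
                              or (ftype == DATA and not flags & END_STREAM)):
            counts["empty_frame"] += 1     # carries nothing, still has to be processed
    return counts, sorted(k for k, n in counts.items() if n > limits[k])

def frame(ftype, flags, sid, payload=b""):
    """Build one frame; used only to construct the sample captures below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

# Constructed samples, not real traffic.
NORMAL = (frame(SETTINGS, 0, 0) + frame(HEADERS, 0x4, 1, b"\x82\x86\x84")
          + frame(DATA, END_STREAM, 1, b"hello") + frame(PING, 0, 0, bytes(8)))
NOISY = frame(SETTINGS, 0, 0) + frame(PING, 0, 0, bytes(8)) * 500 + frame(DATA, 0, 1) * 200

if __name__ == "__main__":
    for name, capture in (("normal", NORMAL), ("noisy", NOISY)):
        print(name, *audit(capture))
```

In a server or proxy the same counters would be kept per connection and reset on a time window, with the connection closed once a budget is exceeded.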

Workarounds and Fixes

In most cases, an immediate workaround is to disable HTTP/2 support. However, this may cause performance degradation, and it might not be possible in all cases. To obtain software fixes, please contact your software vendor.

According to the CERT focal point, the vulnerabilities affect products from vendors such as Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js, and Ubuntu. Some companies have already fixed the detected problem and recorded several unsuccessful attacks.

William Reddy
