8 DoS vulnerabilities identified in various implementations of the HTTP/2 protocol

Researchers from Netflix and Google have disclosed eight vulnerabilities in various implementations of the HTTP/2 protocol that can cause a denial of service when a stream of network requests is sent in a certain way. The problems affect most HTTP/2-enabled HTTP servers to some degree and result either in exhausting the memory available to the worker process or in creating excessive CPU load. Fixes are already available in nginx 1.16.1/1.17.3 and H2O 2.2.6, but are not yet available for Apache httpd and other products.

The problems stem from the complexity HTTP/2 introduced: binary framing, a per-connection flow-control system, a stream prioritization mechanism, and ICMP-like control messages that operate at the HTTP/2 connection level (for example, ping, reset, and settings frames). Many implementations did not properly limit the flow of control messages, organized the priority queue inefficiently when processing requests, or used suboptimal implementations of the flow-control algorithms.

Most of the identified attack methods come down to sending the server particular requests that make it generate a large number of responses. If the client neither reads data from the socket nor closes the connection, the response buffer queue on the server side fills up continuously. This puts load on the subsystem that manages the connection-processing queue and, depending on the implementation, exhausts available memory or CPU resources.

Identified vulnerabilities:

  • CVE-2019-9511 (Data Dribble) - The attacker requests a large amount of data across multiple streams while manipulating the sliding window size and stream priority, forcing the server to queue the data in 1-byte chunks;
  • CVE-2019-9512 (Ping Flood) - The attacker continuously sends ping messages over an HTTP/2 connection, causing the internal queue of outgoing responses on the other side to fill up;
  • CVE-2019-9513 (Resource Loop) - The attacker creates multiple request streams and continuously changes their priority, causing the priority tree to be reshuffled;
  • CVE-2019-9514 (Reset Flood) - The attacker opens multiple streams and sends an invalid request on each one, causing the server to send RST_STREAM frames, but does not read them, so the response queue fills up;
  • CVE-2019-9515 (Settings Flood) - The attacker sends a stream of empty SETTINGS frames, each of which the server must acknowledge;
  • CVE-2019-9516 (0-Length Headers Leak) - The attacker sends a stream of headers with an empty name and an empty value; the server allocates a buffer in memory for each header and does not release it until the session ends;
  • CVE-2019-9517 (Internal Data Buffering) - The attacker opens the HTTP/2 sliding window so that the server can send data without restriction, but keeps the TCP window closed, so the data cannot actually be written to the socket. The attacker then sends requests that require large responses;
  • CVE-2019-9518 (Empty Frames Flood) - The attacker sends a stream of DATA, HEADERS, CONTINUATION, or PUSH_PROMISE frames with an empty payload and no end-of-stream flag. The server spends processing time on each frame out of all proportion to the bandwidth the attacker consumes.
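All of the control-frame floods above share one signature on the wire: many frames that cost the server work without advancing any request. The following Python is an added example, not code from the advisory, from opennet.ru, or from any of the affected servers. It parses the 9-byte HTTP/2 frame header, labels the frame kinds the advisory describes, and keeps a per-connection "work-without-progress" budget in the spirit of the mitigations mentioned above. The budget value, the one-point refund for productive frames, and the 1024-byte threshold for "dribble"-sized WINDOW_UPDATE increments are assumptions of this example, and the sample streams are constructed inline. It does not model the server's response queue or decode HPACK, so the Reset Flood, Internal Data Buffering, and 0-Length Headers cases are outside its scope.

```python
"""Flag HTTP/2 control-frame floods on a raw byte stream (constructed example)."""
from collections import Counter

# Frame type codes and flag bits from RFC 7540 section 6.
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
FLAG_ACK = 0x1          # on SETTINGS and PING frames
FLAG_END_STREAM = 0x1   # on DATA and HEADERS frames
SMALL_WINDOW_INCREMENT = 1024  # assumed threshold for "dribble"-sized WINDOW_UPDATEs


def frame(ftype, flags, stream_id, payload=b""):
    """Build one frame (9-byte header + payload); used here only to construct sample input."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Yield (type_name, flags, stream_id, payload) for every complete frame in data.
    Header layout: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id (top bit reserved)."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        if off + 9 + length > len(data):
            break  # truncated frame: wait for more bytes before parsing it
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield FRAME_TYPES.get(ftype, "UNKNOWN"), flags, stream_id, data[off + 9:off + 9 + length]
        off += 9 + length


def classify(ftype, flags, payload):
    """Label frames that cost the server work without advancing a request; None otherwise."""
    if ftype == "PING" and not flags & FLAG_ACK:
        return "ping"            # CVE-2019-9512: each one forces a PING ACK
    if ftype == "SETTINGS" and not flags & FLAG_ACK:
        return "settings"        # CVE-2019-9515: each one forces a SETTINGS ACK
    if ftype == "PRIORITY":
        return "priority"        # CVE-2019-9513: each one reshuffles the priority tree
    if (ftype in ("DATA", "HEADERS", "CONTINUATION", "PUSH_PROMISE")
            and not payload and not flags & FLAG_END_STREAM):
        return "empty"           # CVE-2019-9518: empty payload, no END_STREAM flag
    if (ftype == "WINDOW_UPDATE" and len(payload) >= 4
            and (int.from_bytes(payload[:4], "big") & 0x7FFFFFFF) < SMALL_WINDOW_INCREMENT):
        return "small_window_update"  # CVE-2019-9511-style tiny window increments
    return None


class ConnectionMonitor:
    """Per-connection budget: work-only frames add one point, productive frames refund one.
    The budget and the refund rule are assumptions for this example."""

    def __init__(self, budget=1000):
        self.budget = budget
        self.score = 0
        self.counts = Counter()

    def observe(self, ftype, flags, stream_id, payload):
        """Account for one frame; return True once the connection is over budget."""
        label = classify(ftype, flags, payload)
        if label is not None:
            self.counts[label] += 1
            self.score += 1
        elif ftype != "UNKNOWN":  # unknown extension frames are ignored, per RFC 7540
            self.score = max(0, self.score - 1)
        return self.score > self.budget

    def report(self):
        dominant = self.counts.most_common(1)[0][0] if self.counts else None
        return {"flagged": self.score > self.budget, "score": self.score,
                "counts": dict(self.counts), "dominant": dominant}


def analyze(data, budget=1000):
    """Run the monitor over a raw byte stream and return its report."""
    mon = ConnectionMonitor(budget)
    for f in parse_frames(data):
        mon.observe(*f)
    return mon.report()


if __name__ == "__main__":
    # Constructed sample streams: one ordinary request exchange, one PING flood.
    normal = (frame(0x4, 0, 0) + frame(0x1, 0x5, 1, b"\x82")
              + frame(0x6, 0, 0, bytes(8)) + frame(0x6, FLAG_ACK, 0, bytes(8)))
    flood = frame(0x4, 0, 0) + frame(0x6, 0, 0, bytes(8)) * 50
    print(analyze(normal, budget=20))  # not flagged
    print(analyze(flood, budget=20))   # flagged, dominant "ping"
```

A real server would apply this accounting in its frame-dispatch loop and close the connection (GOAWAY) when the budget is exceeded; the refund rule is what keeps a busy but legitimate client, which interleaves pings and settings with real requests, from ever tripping it.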

Source: opennet.ru
