While Facebook’s bug bounty program does not typically cover denial-of-service (DoS) vulnerabilities, the social media giant has decided to award a significant bounty for a serious flaw affecting Fizz, its open source TLS library.
Fizz, which Facebook released as open source in August 2018, is the company’s implementation of the TLS 1.3 cryptographic protocol. At the time it was made public, Fizz had been used by Facebook to secure communications in its mobile applications, load balancers, internal services, its Proxygen HTTP framework, and other applications. Other organizations and open source projects may also have started using it after its release as open source.
A researcher from code analysis firm Semmle discovered that Fizz is affected by a DoS vulnerability that can be easily triggered by a remote and unauthenticated attacker. Exploitation of the flaw causes Fizz to enter an infinite loop, which results in the web service becoming unavailable. The flaw cannot be exploited to gain access to user data, both Facebook and Semmle have confirmed.
“The impact of the vulnerability is that an attacker can send a malicious message via TCP to any server that uses Fizz and trigger an infinite loop on that server. This could make the server unresponsive to other clients,” explained Kevin Backhouse, the Semmle researcher who found the flaw.
“The size of the message is just over 64KB, so this attack is extremely cheap for the attacker, but crippling for the server. To illustrate this, a single computer with an unexceptional domestic-grade internet connection (1Mbps upload speed) could send two of these messages per second. Since each message knocks out one CPU core, it would only take a small botnet to quickly debilitate an entire datacentre,” he added.
The vulnerability was reported to Facebook on February 20 and a patch was rolled out to Facebook’s internal systems on the same day. The fix was pushed to GitHub five days later – the patch is included in version 2019.02.25.00 and later.
While Facebook’s bug bounty program does not typically cover DoS vulnerabilities, the company has decided to award a $10,000 bounty because the issue “could have had significant risk.” Semmle has donated the bounty to a charity, so Facebook doubled the amount. The code analysis firm also matched the original bounty and donated that sum to a different charity.