High-Profile Vulnerabilities Affect HTTP/2

Black Hat USA 2016 – Imperva today revealed details on four high-profile attack vectors affecting HTTP/2, the new version of the HTTP protocol.

The company’s latest Hacker Intelligence Initiative (HII) Report provides an in-depth analysis of the four vulnerabilities in HTTP/2, a next-generation protocol expected to address many of the shortcomings of HTTP/1.x. HTTP/2 brings along new mechanisms that increase the attack surface of web infrastructure, rendering it vulnerable to new types of attacks.

After analyzing the HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2, Imperva was able to find exploitable vulnerabilities in all major HTTP/2 mechanisms, two of which were similar to well-known and widely exploited flaws in HTTP/1.x. Furthermore, the security company notes that other implementations of the HTTP/2 protocol might also be vulnerable.

Dubbed Slow Read (CVE-2016-1546), the first of the four high-profile issues is identical to the well-known Slowloris DDoS attack that major credit card processors experienced in 2010: a malicious client reads responses very slowly. To test the flaw, researchers requested a large resource from the server but advertised a very small window size, so that the server was only allowed to send a very small amount of data at a time. By opening enough such streams, a client can eventually make the server stop offering service to other clients too.

The attack has been well-studied in the HTTP/1.x ecosystem, but remains effective in the application layer of HTTP/2 implementations, Imperva says. The company identified the vulnerability across popular web servers such as Apache, IIS, Jetty, NGINX and nghttp2 and explains that the behavior of servers in Slow Read attacks depends on the type and structure of the requests.
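The mitigation servers use against this class of attack is a minimum-rate watchdog on flow-controlled streams. The following model (an added example, not Imperva's or any server's code) mirrors the sender side of HTTP/2 per-stream flow control and flags streams that keep a large response pending while delivering almost nothing; the window sizes, rates and stream counts are constructed values.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Stream:
    stream_id: int
    pending: int               # response bytes still to be sent
    window: int                # bytes the client's flow-control window currently permits
    sent: int = 0
    started: float = 0.0
    last_progress: float = 0.0

def server_send(stream: Stream, now: float) -> int:
    """Send as much as the client's window allows (the sender side of flow control)."""
    chunk = min(stream.window, stream.pending)
    stream.window -= chunk
    stream.pending -= chunk
    stream.sent += chunk
    if chunk:
        stream.last_progress = now
    return chunk

def window_update(stream: Stream, increment: int) -> None:
    stream.window += increment  # models a WINDOW_UPDATE frame from the client

def stalled_streams(streams: List[Stream], now: float, min_rate: float, grace: float) -> List[int]:
    """IDs of streams still holding data whose delivered rate is below min_rate bytes/s
    once the grace period has passed; a server would RST_STREAM (or close) these."""
    out = []
    for s in streams:
        elapsed = now - s.started
        if s.pending > 0 and elapsed >= grace and s.sent / elapsed < min_rate:
            out.append(s.stream_id)
    return out

def simulate(num_slow: int = 100, seconds: int = 30) -> List[int]:
    """Constructed scenario: one well-behaved stream (64 KB window refilled each second)
    plus num_slow streams whose client grants a 1-byte window once per second."""
    good = Stream(1, pending=10_000_000, window=65_535)
    slow = [Stream(3 + 2 * i, pending=10_000_000, window=1) for i in range(num_slow)]
    for t in range(1, seconds + 1):
        window_update(good, 65_535)
        server_send(good, t)
        for s in slow:
            window_update(s, 1)
            server_send(s, t)
    return stalled_streams([good] + slow, seconds, min_rate=1024, grace=10)
```

Only the 1-byte-window streams are flagged; the well-behaved stream, which still has data pending, is left alone because its delivered rate is well above the threshold.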

The second type of attack is HPACK Bomb (CVE-2016-1544, CVE-2016-2525), a compression-layer attack that resembles a zip bomb. The attacker creates small and innocent-looking messages that instead turn into gigabytes of data on the server, thus consuming all the server memory resources and making it unavailable for clients.

“The default size of the dynamic table is 4KB. The server allows one request to contain up to 16K of header references. By sending a single header of size 4KB and then sending a request with 16K references to this one header, the request is decompressed to 64MB on the server side. […] In our lab, 14 streams, which consumed 896MB after decompression, were enough to crash the server,” Imperva researchers explain.
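The defence is to budget the decompressed header list rather than the compressed bytes. The simplified HPACK model below (an added example, not Imperva's code or any server's decoder) represents instructions as Python tuples and ints instead of wire bytes, treats index 1 as the newest dynamic-table entry with no static table, and assumes an 8 KB server budget; it reproduces the article's 4 KB entry referenced 16K times and shows the decoder stopping after a few references instead of materialising 64 MB.

```python
from typing import List, Tuple, Union

DEFAULT_DYNAMIC_TABLE_SIZE = 4096   # HTTP/2 default, as quoted in the article
MAX_HEADER_LIST_SIZE = 8192         # assumed server budget (SETTINGS_MAX_HEADER_LIST_SIZE-style)

class HeaderListTooLarge(Exception):
    def __init__(self, total: int, budget: int):
        super().__init__(f"{total} bytes decoded, budget is {budget}")
        self.total = total

def entry_size(name: str, value: str) -> int:
    # RFC 7541 section 4.1: an entry costs len(name) + len(value) + 32 octets
    return len(name) + len(value) + 32

class BudgetedDecoder:
    def __init__(self, table_size: int = DEFAULT_DYNAMIC_TABLE_SIZE, budget: int = MAX_HEADER_LIST_SIZE):
        self.table_size, self.budget = table_size, budget
        self.table: List[Tuple[str, str]] = []   # dynamic table, most recent entry first

    def _insert(self, name: str, value: str) -> None:
        self.table.insert(0, (name, value))
        while sum(entry_size(n, v) for n, v in self.table) > self.table_size:
            self.table.pop()                     # evict the oldest entries, as HPACK requires

    def decode(self, block: List[Union[Tuple[str, str], int]]) -> List[Tuple[str, str]]:
        decoded, total = [], 0
        for instr in block:
            if isinstance(instr, int):
                name, value = self.table[instr - 1]   # a reference is a byte or two on the wire
            else:
                name, value = instr
                self._insert(name, value)
            total += entry_size(name, value)          # but the server materialises the full entry
            if total > self.budget:
                raise HeaderListTooLarge(total, self.budget)
            decoded.append((name, value))
        return decoded

def hpack_bomb_outcome() -> Tuple[int, int]:
    # Constructed bomb: returns (bytes it would expand to unbudgeted, bytes decoded before rejection)
    dec = BudgetedDecoder()
    bomb = ("x-pad", "A" * (DEFAULT_DYNAMIC_TABLE_SIZE - 32 - len("x-pad")))  # one entry of exactly 4 KB
    dec.decode([bomb])                            # first request: places the entry in the dynamic table
    refs: List[Union[Tuple[str, str], int]] = [1] * 16384   # second request: 16K references to it
    unbudgeted = len(refs) * entry_size(*bomb)    # 64 MB, the figure the article quotes
    try:
        dec.decode(refs)
        return unbudgeted, unbudgeted
    except HeaderListTooLarge as exc:
        return unbudgeted, exc.total
```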

Attackers can also abuse the manner in which servers implement Stream Multiplexing to crash the servers and cause denial of service (DoS). The function was designed to tunnel multiple sessions through a single HTTP/2 connection but, because the partition of the connection is purely logical, an attacker can use it to manipulate the server or to send frames out of context (CVE-2016-0150).

Dubbed Dependency Cycle Attack, the fourth vulnerability analyzed by Imperva leverages the flow control mechanisms that HTTP/2 uses for network optimization: specially crafted requests induce a dependency cycle, forcing the server into an infinite loop. The flaw, fixed in nghttp2 1.7.0 (CVE-2015-8659), could allow an attacker to cause DoS or even run arbitrary code on a vulnerable system.

All of these vulnerabilities have already been patched in the affected servers, Imperva says. Each of the five servers the company tested these attacks against was found to contain at least one vulnerability. All implementations that rely on external HTTP/2 libraries such as nghttp2 are believed to be vulnerable to these attacks, the security researchers say.

“This research is pointing out once again that new technology brings new risks. When releasing new code into the wild, it is only a matter of time until new vulnerabilities are found and exploited. As with any new technology, HTTP/2 suffers from creating new extended attack surfaces for attackers to target. Hence, server administrators need to understand they cannot simply turn on HTTP/2 and expect it to work without additional layers of security,” Imperva notes.
