Black Hat USA 2016 – Imperva today revealed details on four high-profile attack vectors affecting HTTP/2, the new version of the HTTP protocol.
The company’s latest Hacker Intelligence Initiative (HII) Report provides an in-depth analysis of the four vulnerabilities in HTTP/2, a next-generation protocol expected to address many of the shortcomings of HTTP/1.x. HTTP/2 brings along new mechanisms that increase the attack surface of web infrastructure, rendering it vulnerable to new types of attacks.
After analyzing the HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2, Imperva was able to find exploitable vulnerabilities in all major HTTP/2 mechanisms, two of which were similar to well-known and widely exploited flaws in HTTP/1.x. Furthermore, the security company notes that other implementations of the HTTP/2 protocol might also be vulnerable.
Dubbed Slow Read (CVE-2016-1546), the first of the four issues belongs to the same family of slow HTTP DoS attacks as the well-known Slowloris attack that major credit card processors experienced in 2010: a malicious client reads responses very slowly. To test the flaw, researchers requested a large resource from the server while advertising a very small flow-control window, so that the server could send only a few bytes at a time and had to keep the stream, its buffers and a worker occupied until the client asked for more. By opening enough such streams, the attacker eventually makes the server stop serving other clients too.
The attack has been well studied in the HTTP/1.x ecosystem, but it remains effective at the HTTP/2 layer, where flow control is enforced per stream by the application rather than by the TCP receive window, Imperva says. The company found the vulnerability in popular web servers including Apache, IIS, Jetty, NGINX and nghttp2, and notes that how a server behaves under a Slow Read attack depends on the type and structure of the requests.
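As an added example (not Imperva's code or any server's own implementation), the following Python model shows the flow-control bookkeeping an HTTP/2 server keeps per RFC 7540 section 6.9 and why a Slow Read client freezes it: the client advertises SETTINGS_INITIAL_WINDOW_SIZE = 1, opens 100 streams for a 1 MiB resource and never sends WINDOW_UPDATE, so every stream stalls after a single byte while its state stays allocated. The minimum-throughput watchdog at the end, with its 10 s grace period and 1 KiB/s floor, is an assumed mitigation for illustration rather than any named server's setting; the class names and the simulated clock are likewise assumptions.

```python
DEFAULT_INITIAL_WINDOW = 65_535  # RFC 7540 section 6.9.2 initial window size


class Stream:
    def __init__(self, sid, window, response_len, now):
        self.sid = sid
        self.window = window            # peer's receive window for this stream
        self.remaining = response_len   # response bytes still to send
        self.sent = 0
        self.opened = now


class Connection:
    def __init__(self, clock):
        self.clock = clock              # callable returning seconds, injected for tests
        self.initial_window = DEFAULT_INITIAL_WINDOW
        self.conn_window = DEFAULT_INITIAL_WINDOW   # stream 0 (connection) window
        self.streams = {}

    def apply_settings(self, initial_window_size):
        """Peer's SETTINGS_INITIAL_WINDOW_SIZE also adjusts every open stream."""
        delta = initial_window_size - self.initial_window
        self.initial_window = initial_window_size
        for s in self.streams.values():
            s.window += delta

    def open_stream(self, sid, response_len):
        self.streams[sid] = Stream(sid, self.initial_window, response_len, self.clock())

    def window_update(self, sid, increment):
        if sid == 0:                    # stream 0 carries the connection window
            self.conn_window += increment
        else:
            self.streams[sid].window += increment

    def pump(self):
        """Send DATA on every open stream as far as both windows allow."""
        total = 0
        for s in list(self.streams.values()):
            n = min(s.window, self.conn_window, s.remaining)
            if n <= 0:
                continue                # window exhausted: the stream stalls here
            s.window -= n
            self.conn_window -= n
            s.remaining -= n
            s.sent += n
            total += n
            if s.remaining == 0:
                del self.streams[s.sid]  # response complete, stream closed
        return total

    def stalled_streams(self, grace_sec, min_bytes_per_sec):
        """Streams older than grace_sec whose average throughput is below the floor."""
        now = self.clock()
        return [s.sid for s in self.streams.values()
                if now - s.opened >= grace_sec
                and s.sent / (now - s.opened) < min_bytes_per_sec]

    def reset_streams(self, sids):
        for sid in sids:                # a real server sends RST_STREAM and frees buffers
            del self.streams[sid]


class FakeClock:
    def __init__(self):
        self.t = 0.0                    # seconds; advanced by hand instead of sleeping

    def __call__(self):
        return self.t

    def advance(self, sec):
        self.t += sec


def simulate_slow_read(n_streams=100, response_len=1 << 20):
    """Attacker: 1-byte window, many streams for a 1 MiB resource, no WINDOW_UPDATE."""
    clock = FakeClock()
    conn = Connection(clock)
    conn.apply_settings(1)                  # SETTINGS_INITIAL_WINDOW_SIZE = 1
    for sid in range(1, 2 * n_streams, 2):  # client-initiated streams are odd
        conn.open_stream(sid, response_len)
    first = conn.pump()                     # one byte per stream, then nothing
    clock.advance(30)
    stuck = conn.pump()                     # still no WINDOW_UPDATE: 0 bytes
    stalled = conn.stalled_streams(grace_sec=10, min_bytes_per_sec=1024)
    conn.reset_streams(stalled)
    return first, stuck, len(stalled), len(conn.streams)  # (100, 0, 100, 0)


def simulate_normal_client(response_len=1 << 20):
    """Well-behaved client: default window, acknowledges every byte promptly."""
    clock = FakeClock()
    conn = Connection(clock)
    conn.open_stream(1, response_len)
    flagged = 0
    while 1 in conn.streams:
        n = conn.pump()
        conn.window_update(0, n)
        if 1 in conn.streams:
            conn.window_update(1, n)
        clock.advance(0.05)
        flagged += len(conn.stalled_streams(grace_sec=10, min_bytes_per_sec=1024))
    return flagged                          # 0: never flagged
```

A real server would run the same check on a timer, answer a stalled stream with RST_STREAM and, for a connection that keeps doing it, close the connection with GOAWAY (ENHANCE_YOUR_CALM); simulate_normal_client shows that a peer which acknowledges data promptly is never flagged by the same rule.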
The second attack is HPACK Bomb (CVE-2016-1544, CVE-2016-2525), an attack on HTTP/2's header compression layer that resembles a zip bomb: the attacker crafts small, innocent-looking requests that expand to gigabytes of data on the server, exhausting its memory and leaving it unavailable to other clients.
“The default size of the dynamic table is 4KB. The server allows one request to contain up to 16K of header references. By sending a single header of size 4KB and then sending a request with 16K references to this one header, the request is decompressed to 64MB on the server side. […] In our lab, 14 streams that consumed 896MB after decompression, were enough to crash the server,” Imperva researchers explain.
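To make the arithmetic in that quote concrete, here is an added example (Python, not Imperva's or any server's code): a minimal HPACK decoder that counts decoded size the way RFC 7540 section 6.5.2 does and gives up once a configurable limit is crossed, plus a builder for the block described above, one literal header of 1 + 4063 bytes (a 4096-byte table entry, exactly the default dynamic table size) followed by 16384 one-byte indexed references to it. The 64 KiB limit is an assumption standing in for a server's SETTINGS_MAX_HEADER_LIST_SIZE; Huffman-coded strings are not modelled because the attack does not need them.

```python
# Minimal HPACK (RFC 7541) decoder with a decoded-size limit, and a builder for the
# "~4 KB header, then 16K indexed references" block quoted above.
# Static table, RFC 7541 Appendix A (indices 1..61); dynamic entries start at 62.
STATIC_TABLE = [tuple(f.encode() for f in e.split("|")) for e in (
    ":authority|;:method|GET;:method|POST;:path|/;:path|/index.html;:scheme|http;:scheme|https;:status|200;"
    ":status|204;:status|206;:status|304;:status|400;:status|404;:status|500;accept-charset|;"
    "accept-encoding|gzip, deflate;accept-language|;accept-ranges|;accept|;access-control-allow-origin|;"
    "age|;allow|;authorization|;cache-control|;content-disposition|;content-encoding|;content-language|;"
    "content-length|;content-location|;content-range|;content-type|;cookie|;date|;etag|;expect|;expires|;"
    "from|;host|;if-match|;if-modified-since|;if-none-match|;if-range|;if-unmodified-since|;last-modified|;"
    "link|;location|;max-forwards|;proxy-authenticate|;proxy-authorization|;range|;referer|;refresh|;"
    "retry-after|;server|;set-cookie|;strict-transport-security|;transfer-encoding|;user-agent|;vary|;"
    "via|;www-authenticate|").split(";")]
ENTRY_OVERHEAD = 32  # per-entry accounting overhead (RFC 7541 section 4.1)


def encode_int(value, prefix_bits, flags=0):
    limit = (1 << prefix_bits) - 1       # section 5.1; `flags` are the representation bits
    if value < limit:
        return bytes([flags | value])
    out, value = bytearray([flags | limit]), value - limit
    while value >= 128:
        out.append(value % 128 | 0x80)
        value //= 128
    return bytes(out + bytes([value]))


def decode_int(data, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value, pos, shift = data[pos] & limit, pos + 1, 0
    if value < limit:
        return value, pos
    while True:                          # continuation octets, 7 bits each, LSB first
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def build_hpack_bomb(value_len=4063, references=16384):
    """Literal 'x: AAA...' added to the table (entry size 1+4063+32 = 4096), then N references."""
    literal = encode_int(0, 6, 0x40)     # 01|000000: new name and value follow, add to table
    literal += encode_int(1, 7) + b"x" + encode_int(value_len, 7) + b"A" * value_len  # H=0 strings
    return literal + encode_int(62, 7, 0x80) * references  # 0xBE: indexed field, index 62


class HpackDecoder:
    def __init__(self, max_table_size=4096, max_header_list_size=64 * 1024):
        self.max_table_size = max_table_size
        self.max_header_list_size = max_header_list_size  # assumed server-side limit
        self.table, self.table_size = [], 0

    def _evict(self):
        while self.table_size > self.max_table_size:
            n, v = self.table.pop()
            self.table_size -= len(n) + len(v) + ENTRY_OVERHEAD

    def _add(self, name, value):
        self.table.insert(0, (name, value))
        self.table_size += len(name) + len(value) + ENTRY_OVERHEAD
        self._evict()                    # an oversized entry evicts everything, itself included (4.4)

    def _lookup(self, index):
        if 1 <= index <= 61:
            return STATIC_TABLE[index - 1]
        if not 62 <= index < 62 + len(self.table):
            raise ValueError("invalid index %d" % index)
        return self.table[index - 62]

    def _string(self, data, pos):
        if data[pos] & 0x80:
            raise ValueError("Huffman-coded strings are not modelled in this example")
        length, pos = decode_int(data, pos, 7)
        return bytes(data[pos:pos + length]), pos + length

    def decode(self, data):
        """Return (headers, decoded_size); abort once the 6.5.2 size passes the limit."""
        headers, decoded, pos = [], 0, 0
        while pos < len(data):
            b = data[pos]
            if b & 0x80:                 # 1xxxxxxx: indexed field
                idx, pos = decode_int(data, pos, 7)
                name, value = self._lookup(idx)
            elif b & 0xE0 == 0x20:       # 001xxxxx: dynamic table size update
                self.max_table_size, pos = decode_int(data, pos, 5)
                self._evict()
                continue
            else:                        # 01xxxxxx adds to the table, 0000/0001 do not
                prefix, add = (6, True) if b & 0xC0 == 0x40 else (4, False)
                idx, pos = decode_int(data, pos, prefix)
                name, pos = self._string(data, pos) if idx == 0 else (self._lookup(idx)[0], pos)
                value, pos = self._string(data, pos)
                if add:
                    self._add(name, value)
            decoded += len(name) + len(value) + ENTRY_OVERHEAD
            if decoded > self.max_header_list_size:
                raise ValueError("header list exceeds %d bytes at field %d" % (self.max_header_list_size, len(headers) + 1))
            headers.append((name, value))
        return headers, decoded
```

build_hpack_bomb() is about 20 KB on the wire and decodes to 16385 × 4096 = 67,112,960 accounted bytes, a ratio above 3000:1; with the 64 KiB cap the decoder stops at the 17th field, before the expansion happens. The check has to run while decoding, not afterwards: a decoder that first materialises the whole header list and then measures it has already paid the memory cost.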
Attackers can also abuse the way servers implement stream multiplexing to crash them and cause denial of service (DoS). The mechanism was designed to carry many concurrent request/response streams over a single HTTP/2 connection, but because the partition of the connection into streams is purely logical, an attacker can use it to manipulate server state or to send frames out of context (CVE-2016-0150).
Dubbed Dependency Cycle Attack, the fourth vulnerability analyzed by Imperva targets stream prioritization, the dependency tree HTTP/2 uses to let a client say which responses it wants first: specially crafted requests carrying priority information induce a dependency cycle that forces the server into an infinite loop. The flaw, fixed in nghttp2 1.7.0 (CVE-2015-8659), could allow an attacker to cause a DoS or even run arbitrary code on a vulnerable system.
All of these vulnerabilities have already been patched in the affected servers, Imperva says. Each of the five servers the company tested was found to contain at least one of them, and any implementation that relies on an external HTTP/2 library such as nghttp2 is believed to inherit that library's vulnerabilities, the researchers say.
“This research is pointing out once again that new technology brings new risks. When releasing new code into the wild, it is only a matter of time until new vulnerabilities are found and exploited. As with any new technology, HTTP/2 suffers from creating new extended attack surfaces for attackers to target. Hence, server administrators need to understand they cannot simply turn on HTTP/2 and expect it to work without additional layers of security,” Imperva notes.