Black Hat: Be wary of HTTP/2 on Web servers
- 04 August, 2016 01:21
Researchers at Black Hat describe finding four flaws – now fixed - in the way the major server vendors implemented HTTP/2, but warn that the year-old Web protocol remains fertile ground for hackers seeking weaknesses in the way it’s rolled out.
+More on Network World: IRS warns on super summer scam scourge | Follow all the coverage from Black Hat +
A team at security vendor Imperva says they found nothing vulnerable about the protocol itself, but that they created distributed denial-of-service attacks that took advantage of openings left by how servers support the protocol.
Patches have been issued for all the affected servers – Microsoft IIS, Apache, Jetty, Nghttpd and Nginx – to block the exploits found by the Imperva team, said Itsik Mantin, director of security research, and Nadav Avital, application security research team lead. Businesses using the servers should make sure they are patched, they say.
Because the protocol is so new, the team thought its implementations would likely contain features that hadn’t been thoroughly vetted for security, and it turns out they were right.
HTTP/2 was designed as a follow up to HTTP that would improve the speed of building Web pages by optimizing communications between browsers and servers. That introduced a set of new and complex mechanisms, a circumstance presenting many potential attack surfaces, Mantin says.
+More on Network World: Hot products at Black Hat 2016+
The effort to find the four exploits took two researchers four months to discover, and it’s likely other researchers and malicious attackers will find more. “That’s just the four we discovered,” Avital says.
In some cases the effects of the attacks lasted as long as the attacker wanted to attack, and others the attacks were severe enough to crash the servers, Mantin says.
For example, one attack focused on a compression mechanism called HPAK used to reduce the size of packet headers. The protocol says the sender can tell the receiver the maximum size of the header compression table used to decode the headers.
The researchers created a header that was the same size as the entire compression table. Then they opened up new streams on the same connection with each stream that referred to the initial header as many times as possible. After sending 14 such streams, the connection ate up 896MB of memory, crashing the server, Mantin says.
As a side note, when the Imperva researchers reported the exploit to the team at Nghttpd, it ran it on Wireshark and Wireshark crashed. It turns out both Wireshark and the server used the same library that was susceptible, he says.
The two researchers have moved on to other projects but say they will come back to HTTP/2 implementations at a later date to see what else they can find.
Results of the research are available in a report called “HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol.”