Critical vulnerabilities found in HTTP/2 protocol

Prompted by reports of service failures at the popular streaming platform Netflix, a group of vulnerability testing specialists has detected multiple denial of service (DoS) vulnerabilities in various implementations of the HTTP/2 network protocol, which underpins most conventional websites; according to the report, if these flaws were exploited any server could be shut down completely.

Launched in 2015, this protocol is the latest version of HTTP, the protocol responsible for communication between web servers and clients, and it introduced various improvements designed to make browsing the Internet more efficient and secure for users. One of the main improvements is compression of the HTTP headers: in previous versions of the protocol only the body of a request could be compressed, even though for small web pages the headers can be larger than the body itself, as the vulnerability testing experts point out.

According to the report presented to Netflix by security firm Sophos, at least eight different vulnerabilities were found, each with its own Common Vulnerability Scoring System (CVSS) tracking key. In addition, vulnerability testing specialists note that some of these vulnerabilities resemble DoS attacks that already worked against earlier versions of the HTTP protocol.

The vulnerability tracked as CVE-2019-9512 is similar to the denial-of-service variant known as ‘ping flooding’: the peer sends a continuous series of repeated requests that each demand a reply, forcing the server to queue responses until it eventually stops responding.

The other vulnerabilities found are as follows:

  • CVE-2019-9514: Opens multiple streams and sends invalid requests on each of them, so the server has to generate a flood of RST_STREAM responses, producing a DoS condition
  • CVE-2019-9515: A sequence of SETTINGS frames is sent to the peer. Since the server is supposed to acknowledge each SETTINGS frame, this creates a situation similar to the ping flood mentioned above
  • CVE-2019-9518: An empty-frame attack: a constant stream of frames with an empty payload is sent, and the server becomes saturated trying to handle them
  • CVE-2019-9511: This flaw uses multiple streams in a way that forces the server to queue data in small chunks, which can drain CPU and memory resources
  • CVE-2019-9513: This flaw constantly changes the priority of multiple streams, placing an unnecessary load on the server’s priority merge code
  • CVE-2019-9516: This vulnerability sends header blocks that are marked as empty, although memory is still needed to send and receive the data block that says, “Here’s an empty element”. If the server keeps these headers in memory instead of discarding them, attackers could access the server’s memory
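What all of the flood-style patterns in this list share is traffic that costs the server work without advancing any request, and the standard mitigation is a per-connection budget of such frames. The following is an added illustration, not code from the article or from Netflix's report: a minimal HTTP/2 frame parser plus a budget check of that kind; the frame bytes are constructed sample traffic and the budget value is an assumption.

```python
from collections import Counter
# HTTP/2 frame type codes (RFC 7540 section 6) used in this example
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM", 0x4: "SETTINGS", 0x6: "PING"}
FLAG_ACK = FLAG_END_STREAM = 0x1  # PING/SETTINGS carry ACK; DATA/HEADERS carry END_STREAM

def build_frame(ftype, payload=b"", flags=0, stream_id=0):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(buf):
    """Split a buffer into (type, flags, stream_id, payload) tuples; a trailing partial frame is kept back."""
    frames, off = [], 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        frames.append((FRAME_TYPES.get(ftype, f"0x{ftype:02x}"), flags, stream_id, payload))
        off += 9 + length
    return frames

def is_nonproductive(name, flags, payload):
    """Frames that cost work but advance no request: un-ACKed PING/SETTINGS, RST_STREAM, PRIORITY, empty DATA/HEADERS."""
    if name in ("PING", "SETTINGS"):
        return not flags & FLAG_ACK
    if name in ("RST_STREAM", "PRIORITY"):
        return True
    if name in ("DATA", "HEADERS"):
        return len(payload) == 0 and not flags & FLAG_END_STREAM
    return False

def check_connection(buf, budget=10):
    """Return (verdict, frame counts); 'abusive' once non-productive frames exceed the assumed budget."""
    counts, strikes = Counter(), 0
    for name, flags, _sid, payload in parse_frames(buf):
        counts[name] += 1
        if is_nonproductive(name, flags, payload):
            strikes += 1
            if strikes > budget:
                return "abusive", counts
        else:
            strikes = max(0, strikes - 1)  # real requests earn credit back
    return "ok", counts
# Constructed sample traffic (not captured data): a normal exchange, a PING flood, an empty-frame flood
NORMAL = (build_frame(0x4, flags=FLAG_ACK) + build_frame(0x1, b"\x82", 0x5, 1)
          + build_frame(0x6, b"\x00" * 8) + build_frame(0x0, b"hello", FLAG_END_STREAM, 1))
PING_FLOOD = build_frame(0x4, flags=FLAG_ACK) + build_frame(0x6, b"\x00" * 8) * 50
EMPTY_FRAMES = build_frame(0x1, b"\x82", 0x4, 1) + build_frame(0x0, b"", 0, 1) * 50
```

Real servers tune the budget relative to the number of frames that made progress and close the connection with a GOAWAY once it is exceeded, which is the behaviour the patched implementations adopted.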

According to the vulnerability testing specialists from the International Institute of Cyber Security (IICS), this is a serious issue that poses a real threat to the safe use of the Internet, since about 25% of the websites currently in operation use this version of the HTTP protocol.