HTTP/2 Implementation Flaws Opens Websites to DoS Attacks
Flaws were found in vendor server configurations from Amazon, Google, Microsoft and Apache. In all, eight bugs were found in the implementation of HTTP/2, the most recent version of the HTTP protocol. The bugs can be exploited to conduct a denial of service attack and deny access to websites.
HTTP/2 is an update to the HTTP protocol, introduced in 2015. The update was meant as a faster and simpler alternative to HTTP/1. Hypertext Transfer Protocol, or HTTP, is a fundamental protocol used on the internet for data exchange on the Web. Hackers can exploit these HTTP/2 vulnerabilities by sending specially crafted requests to vulnerable servers. An affected server will attempt to process the request and attempt to send a response. However, the malicious client ignores the response, leading to high resource usage, which would result in a denial of service.
The vulnerabilities can only be used to cause a DoS and don't allow hackers to compromise the confidentiality or integrity of the data contained within the vulnerable servers. The flaws were discovered by a security team comprised of Netflix, Google and CERT, reported the issues to each of the affected vendors. Affected vendors include NGINX, Apache, H2O, Nghttp2, Microsoft IIS, Cloudflare, Akamai, Apple SwiftNIO, Amazon, Facebook Proxygen, Node.js, and Envoy proxy.
Cloudflare, which uses NGINX software to handle HTTP/2, has patched all instances of vulnerable software. Apple also released fixes for its implantation of HTTP/2. Apple cited that an attack on a server may consume unbounded amounts of memory when receiving certain traffic patterns and eventually suffer resource exhaustion.