Four high-profile vulnerabilities in HTTP/2 revealed

Imperva released a new report at Black Hat USA 2016, which documents four high-profile vulnerabilities researchers at the Imperva Defense Center found in HTTP/2, the new version of the HTTP protocol that serves as one of the main building blocks of the Worldwide Web.

HTTP/2 introduces new mechanisms that effectively increase the attack surface of business critical web infrastructure which then becomes vulnerable to new types of attacks.

Imperva researchers took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The team discovered exploitable vulnerabilities in all major HTTP/2 mechanisms that it reviewed including two that are similar to well-known and widely exploited vulnerabilities in HTTP/1.x.

Vulnerable HTTP/2 server implementations

It is likely that other implementations of the HTTP/2 protocol also suffer from these vulnerabilities.

The threats are especially concerning given the rapid adoption of HTTP/2. According to W3Techs, 8.7 percent of all websites, approximately 85 million sites, use HTTP/2, an almost fourfold increase from just 2.3 percent in December 2015.

The four high-profile attack vectors found include:

  • Slow Read – The attack calls on a malicious client to read responses very slowly and is identical to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010. It is worth noting that despite Slow Read attacks being well-studied in the HTTP/1.x ecosystem, they are still effective – this time in the application layer of HTTP/2 implementations. The Imperva Defense Center identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2.
  • HPACK Bomb – This compression-layer attack resembles a zip bomb. The attacker crafts small and seemingly innocent messages that turn into gigabytes of data on the server. This consumes all the server memory resources and effectively makes it unavailable.
  • Dependency Cycle Attack – The attack takes advantage of the flow control mechanisms that HTTP/2 introduced for network optimization. The malicious client crafts requests that induce a dependency cycle, which forces the server into an infinite loop as it tries to process these dependencies.
  • Stream Multiplexing Abuse – The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash the server. This ultimately results in a denial of service to legitimate users.

“The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users,” said Amichai Shulman, co-founder and CTO of Imperva. “However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers. While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it’s hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats.”

“The primary mandate for the web application security research group, a division of the Imperva Defense Center, is to understand the risks and threats to web technologies as they evolves,” the company noted.

The researchers notified the vendors of all the vulnerabilities found, and security fixes have already been pushed out.

Check out the report for more technical details about the flaws and possible attacks.

Black Hat USA 2016