HTTP/2 的多次拒絕服務 (DoS) 弱點公布 (CVE-2019-9511、CVE-2019-9518)
A variety of Denial of Service vulnerabilities were found in third-party implementations of HTTP/2.
背景說明
On August 13, researchers at Netflix published an advisory for their GitHub page detailing their discovery of eight vulnerabilities in the HTTP/2 protocol implementations by third parties. The vulnerabilities were primarily discovered by Jonathan Looney, Engineering Manager at Netflix, with one vulnerability, CVE-2019-9518, discovered by Piotr Sikora, Senior Software Engineer at Google.
Image Credit: Cloudflare
分析
A client (“the attacker”) can exploit these HTTP/2 vulnerabilities by sending specially crafted requests to vulnerable servers. While these requests will vary, a vulnerable server will attempt to process the request and attempt to send a response. However, the malicious client ignores the response, leading to excess consumption of resources, which would result in a denial of service (DoS).
The following are the eight vulnerabilities and the associated nicknames given to them in the Netflix advisory.
| CVE ID | Nickname |
|---|---|
| CVE-2019-9511 | “Data Dribble” |
| CVE-2019-9512 | “Ping Flood” |
| CVE-2019-9513 | “Resource Loop” |
| CVE-2019-9514 | “Reset Flood” |
| CVE-2019-9515 | “Settings Flood” |
| CVE-2019-9516 | “0-Length Headers Leak” |
| CVE-2019-9517 | “Internal Data Buffering” |
| CVE-2019-9518 | “Empty Frames Flood” |
概念驗證
At the time the blog was published, no proof-of-concept code was available.
解決方法
To immediately address the vulnerabilities, Netflix’s advisory suggests disabling HTTP/2 support, but cautions that this could either result in performance degradation or not be feasible. Software vendors are in the process of publishing patches for these vulnerabilities. Initial reports from vendors can be found below:
| Vendor | Link(s) | Source |
|---|---|---|
| Akamai | HTTP2 Vulnerabilities | 部落格 |
| Ambassador (API Gateway) | Multiple HTTP/2 vulnerabilities in Envoy Proxy | 部落格 |
| Apache Traffic Server (ATS) | [ANNOUNCE] Apache Traffic Server is vulnerable to various HTTP/2 attacks | Mailing List |
| Cloudflare | On the recent HTTP/2 DoS attacks | 部落格 |
| Envoy (Proxy) | Version 1.11.1 History | Changelog |
| Google (Golang) | [security] Go 1.12.8 and Go 1.11.13 are released | Forum Posting |
| Microsoft | CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518 | Advisory |
| Netty Project | Netty 4.1.39.Final released | 部落格 |
| nghttp2 | nghttp2 v1.39.2 Release Notes | Software Release |
| Nginx | NGINX Updates Mitigate the August 2019 HTTP/2 Vulnerabilities | 部落格 |
| Node.js | August 2019 Security Releases | 部落格 |
| Swift | About the security content of SwiftNIO HTTP/2 1.5.0 | Advisory |
Customers using these software applications are encouraged to update to the patched versions as soon as possible.
找出受影響的系統
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
取得更多資訊
加入 Tenable Community 的 Tenable 安全回應團隊。
深入瞭解 Tenable,這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。
Get a free 60-day trial of Tenable.io .
Satnam Narang
安全應變資深研發工程師
Satnam 於 2018 年加入 Tenable 公司。他在業界擁有 15 年的豐富經驗 (M86 Security 和賽門鐵克)。 他對於防網路釣魚工作小組 (Anti-Phishing Working Group) 多所貢獻,協助美國國家網路安全聯盟 (National Cyber Security Alliance) 開發一份社群網路指南 (Social Networking Guide),並且揭露了一個 Twitter 上的龐大垃圾郵件 botnet,同時也是第一個提報 Tinder 上垃圾郵件機器人的人。他還曾出現在 NBC 夜線新聞、Entertainment Tonight、Bloomberg West 以及 Why Oh Why 播客中。
他在工作之餘的興趣:Satnam 喜歡寫詩和創作嘻哈音樂。他喜歡參加現場音樂表演、和他 3 個姪女做伴、足球、藍球、看寶萊塢電影、玩音樂以及 Grogu (尤達寶寶)。
相關文章
Cybersecurity Snapshot: Guide Unpacks Event-Logging Best Practices, as FAA Proposes Stronger Cyber Rules for Airplanes
Looking to sharpen your team’s event logging and threat detection? A new guide offers plenty of best practices. Plus, the FAA wants airplanes to be more resilient to cyberattacks. Meanwhile, check out the critical vulnerabilities Tenable discovered in two Microsoft AI products. And get the latest on...
Cybersecurity Snapshot: EPA Urges Water Plants To Boost Cybersecurity, as OpenSSF Launches Threat Intel Platform for Open Source Software
Check out the EPA’s call for water plants to beef up their cyber defenses. Plus, open source developers have a new platform to share threat intelligence. Moreover, business email compromise attacks prompt alert from U.K.’s cyber agency. And CISA tackles DNS encryption best practices. And much more!...
Cybersecurity Snapshot: Want to Deploy AI Securely? New Industry Group Will Compile AI Safety Best Practices
A group that includes the Cloud Security Alliance, CISA and Google is working to compile a comprehensive collection of best practices for secure AI use. Meanwhile, check out a draft of secure configuration recommendations for the Google Workspace suite. Plus, MITRE plans to release a threat model fo...
- Threat hunting
- Threat Intelligence
- Vulnerability Management
- Vulnerability Scanning