Web servers exposed to DoS attacks due to new HTTP/2 flaws

Cybersecurity researchers say the widely used HTTP/2 protocol for web servers contains several vulnerabilities that could lead to Denial of Service (DoS) attacks.

The widely used HTTP/2 protocol for web servers contains a set of eight vulnerabilities that could lead to DoS attacks, researchers say. Unpatched web servers running any of several affected HTTP/2 implementations could be taken down this way. Around 40% of websites on the Internet that support HTTP/2 communication could be vulnerable to DoS attacks.

DoS attacks can cause servers to become unresponsive and deny visitors access to web pages, thereby crippling crucial web services.

Security researcher Jonathan Looney of Netflix discovered seven of the flaws whereas Piotr Sikora of Google found the eighth flaw. The eight flaws have been tracked as: CVE-2019-9511 (Data Dribble), CVE-2019-9512 (Ping Flood), CVE-2019-9513 (Resource Loop), CVE-2019-9514 (Reset Flood), CVE-2019-9515 (Settings Flood), CVE-2019-9516 (0-Length Headers Leak), CVE-2019-9517 (Internal Data Buffering) and CVE-2019-9518 (Empty Frames Flood).

Some of these flaws can be exploited remotely, a few allow a single end-system to impact multiple servers, and the rest could be used for DDoS attacks.

Netflix stated in an advisory that all the attack vectors are similar variants of the same exploit wherein a client requests a response from an unpatched server and then refuses to read it.
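As an added illustration (not from the article, the advisory, or any vendor's patch), the following is a per-connection control-frame budget of the kind servers adopted against the Ping Flood, Reset Flood, Settings Flood and Empty Frames Flood variants: control frames that cost the server work are counted, and the connection is closed once the count exceeds a limit before the server has been able to flush a response to the client. Frame layout and type codes follow RFC 7540; the limit of 50, the function names and the sample byte strings are constructed assumptions.

```python
# HTTP/2 frame type codes (RFC 7540, section 6) and the flag bits this check needs.
FRAME_DATA, FRAME_RST_STREAM, FRAME_SETTINGS, FRAME_PING = 0x0, 0x3, 0x4, 0x6
FLAG_ACK = 0x1          # on SETTINGS and PING
FLAG_END_STREAM = 0x1   # on DATA

def parse_frames(buf):
    """Split raw HTTP/2 frames (9-byte header + payload) into (type, flags, stream_id, payload).
    A trailing partial frame is left unparsed, as a real server would wait for more bytes."""
    frames, off = [], 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames

def build_frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame; used here only to construct sample traffic."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)

class ControlFrameBudget:
    """Counts frames that force the server to queue output (PING, RST_STREAM, SETTINGS without
    ACK, empty DATA without END_STREAM). The budget resets whenever the peer actually drains a
    response; a client that keeps sending but never reads exhausts it and is disconnected."""
    def __init__(self, limit=50):      # limit is an assumed value, not a standard
        self.limit, self.pending = limit, 0

    def on_frame(self, ftype, flags, stream_id, payload):
        costly = (ftype == FRAME_RST_STREAM
                  or (ftype in (FRAME_PING, FRAME_SETTINGS) and not flags & FLAG_ACK)
                  or (ftype == FRAME_DATA and not payload and not flags & FLAG_END_STREAM))
        if costly:
            self.pending += 1
        return self.pending <= self.limit   # False means: close the connection

    def on_response_flushed(self):
        self.pending = 0

def check_connection(raw, limit=50):
    """Return ('close', index_of_offending_frame) or ('ok', None) for a captured byte stream."""
    budget = ControlFrameBudget(limit)
    for i, frame in enumerate(parse_frames(raw)):
        if not budget.on_frame(*frame):
            return ("close", i)
    return ("ok", None)

# Constructed samples: a ping flood (60 unanswered PINGs) and a normal settings exchange.
PING_FLOOD = b"".join(build_frame(FRAME_PING, 0, 0, b"\x00" * 8) for _ in range(60))
BENIGN = (build_frame(FRAME_SETTINGS, 0, 0) + build_frame(FRAME_SETTINGS, FLAG_ACK, 0)
          + build_frame(FRAME_PING, 0, 0, b"\x00" * 8))
```

The same budget, reset in `on_response_flushed` when the socket write completes, is what turns "client refuses to read" into a bounded cost instead of unbounded server-side buffering.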

An alert from the CERT Coordination Center highlighted many large companies which may be affected by these DoS vulnerabilities.

The list includes the likes of Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js, and Ubuntu.

Many of the affected companies have already patched their systems. Cloudflare fixed seven of the vulnerabilities impacting its Nginx servers used for HTTP/2 communication.

“There are 6 different potential vulnerabilities here and we are monitoring for all of them. We have detected and mitigated a handful of attacks but nothing widespread yet,” said Cloudflare, BleepingComputer reported.

Microsoft, Apple, Netflix, and other companies have also taken steps to patch their systems.