HTTP/2 has four huge security vulnerabilities
The HTTP/2 standard was approved some time ago, but it is yet to be widely adopted. Before the standard can become widespread, however, there are four serious vulnerabilities that need to be addressed.
The high-profile issues were revealed at Black Hat USA 2016 by Imperva researchers. They found that exploits similar to those that work on HTTP/1.x also work on the HTTP/2 protocol. The problems specifically affect server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2, but it is likely that other implementations are also at risk.
Despite the fact that HTTP/2 has only been implemented on under 10 percent of websites, uptake rates are increasing, so any issues that are present become ever more important. The four vulnerabilities found by researchers do now have patches available, but the key is to make sure these fixes are installed.
The vulnerabilities are:
- Slow Read -- The attack relies on a malicious client reading responses very slowly and is identical to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010. It is worth noting that despite Slow Read attacks being well-studied in the HTTP/1.x ecosystem, they are still effective, this time in the application layer of HTTP/2 implementations. The Imperva Defense Center identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2.
- HPACK Bomb -- This compression-layer attack resembles a zip bomb. The attacker crafts small and seemingly innocent messages that turn into gigabytes of data on the server. This consumes all the server memory resources and effectively makes it unavailable.
- Dependency Cycle Attack -- The attack takes advantage of the flow control mechanisms that HTTP/2 introduced for network optimization. The malicious client crafts requests that induce a dependency cycle, which forces the server into an infinite loop as it tries to process these dependencies.
- Stream Multiplexing Abuse -- The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash the server. This ultimately results in a denial of service to legitimate users.
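The defensive rule behind the Dependency Cycle item above is spelled out in RFC 7540 section 5.3.3: when a PRIORITY update makes a stream depend on one of its own descendants, the server must first move that descendant up to the stream's previous parent, so the priority tree can never contain a loop. The Python below is an added illustration of that rule; it is not code from Imperva or from any of the servers named in this article. The class and method names are assumptions, and the stream numbers are constructed for the example.

```python
"""Hypothetical HTTP/2 priority tree applying the RFC 7540 5.3.3 reparenting
rule, so that a reprioritisation can never create a dependency cycle.
Added illustration; not code from any real HTTP/2 server."""
from collections import deque


class ProtocolError(Exception):
    """Raised for dependency updates RFC 7540 forbids (self-dependency, stream 0)."""


class Stream:
    def __init__(self, sid, weight=16):
        self.id = sid
        self.weight = weight      # wire format carries weight 1..256; 16 is the default
        self.parent = None
        self.children = []


class PriorityTree:
    def __init__(self):
        self.root = Stream(0)     # stream 0 is the implicit root of the tree
        self.streams = {0: self.root}

    def get(self, sid):
        """Return the node for sid, creating it as a child of the root on first use."""
        if sid not in self.streams:
            node = Stream(sid)
            self._attach(node, self.root)
            self.streams[sid] = node
        return self.streams[sid]

    def _attach(self, node, parent):
        node.parent = parent
        parent.children.append(node)

    def _detach(self, node):
        if node.parent is not None:
            node.parent.children.remove(node)
            node.parent = None

    def _is_descendant(self, candidate, ancestor):
        """True if candidate sits anywhere below ancestor.  Walks child lists
        breadth-first, so it terminates regardless of parent-pointer state."""
        queue = deque(ancestor.children)
        while queue:
            node = queue.popleft()
            if node is candidate:
                return True
            queue.extend(node.children)
        return False

    def reprioritize(self, sid, parent_id, weight=16, exclusive=False):
        """Apply a PRIORITY frame: make sid depend on parent_id."""
        if sid == 0 or sid == parent_id:
            raise ProtocolError(f"invalid dependency for stream {sid}")
        stream = self.get(sid)
        parent = self.get(parent_id)
        # RFC 7540 5.3.3: if the requested parent is one of the stream's own
        # descendants, first move that parent up to the stream's previous parent
        # (keeping its weight); otherwise the update would close a cycle.
        if self._is_descendant(parent, stream):
            self._detach(parent)
            self._attach(parent, stream.parent)
        self._detach(stream)
        if exclusive:
            # Exclusive flag: existing children of the parent become children of sid.
            for child in list(parent.children):
                self._detach(child)
                self._attach(child, stream)
        self._attach(stream, parent)
        stream.weight = weight

    def ancestors(self, sid):
        """Parent chain from sid up to the root, as a list of stream ids.
        Defence in depth: a chain longer than the tree means a loop, so abort."""
        node = self.streams[sid]
        chain = []
        while node.parent is not None:
            node = node.parent
            chain.append(node.id)
            if len(chain) > len(self.streams):
                raise ProtocolError("dependency cycle detected")
        return chain


if __name__ == "__main__":
    tree = PriorityTree()
    tree.reprioritize(1, 0)            # 0 -> 1
    tree.reprioritize(3, 1)            # 0 -> 1 -> 3
    tree.reprioritize(5, 3)            # 0 -> 1 -> 3 -> 5
    tree.reprioritize(1, 5)            # cycle attempt: 1 asks to depend on its descendant 5
    print("ancestors of 3:", tree.ancestors(3))   # 5 was moved up first: [1, 5, 0]
```

Without the reparenting step, the final `reprioritize(1, 5)` would leave stream 5 pointing at 3, 3 at 1 and 1 at 5, and any server loop that walks parent pointers to compute scheduling shares would never terminate; the `ancestors` guard is a second, independent check that turns such a loop into a connection error instead of a hang.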
Amichai Shulman, co-founder and CTO of Imperva, warns that: "As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats."