
Millions of web servers exposed to DoS attacks due to new HTTP/2 flaws

  • Around 40% of all the websites on the internet could be vulnerable to DoS attacks.
  • Companies such as Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js, and Ubuntu may be affected by these vulnerabilities.

The widely used HTTP/2 protocol for web servers contains several vulnerabilities that could lead to Denial of Service (DoS) attacks.

What is the matter?

The widely used HTTP/2 protocol for web servers contains a set of eight vulnerabilities that could lead to DoS attacks. Unpatched web servers running multiple implementations of the HTTP/2 protocol could be compromised in this way. Around 40% of websites on the Internet which support HTTP/2 communication could be vulnerable to DoS attacks.

DoS attacks can cause servers to become unresponsive and deny visitors access to web pages, thereby crippling crucial web services.

Vulnerability variants

Security researcher Jonathan Looney of Netflix discovered seven of the flaws whereas Piotr Sikora of Google found the eighth flaw. The eight flaws are tracked as:

  • CVE-2019-9511 (Data Dribble)
  • CVE-2019-9512 (Ping Flood)
  • CVE-2019-9513 (Resource Loop)
  • CVE-2019-9514 (Reset Flood)
  • CVE-2019-9515 (Settings Flood)
  • CVE-2019-9516 (0-Length Headers Leak)
  • CVE-2019-9517 (Internal Data Buffering)
  • CVE-2019-9518 (Empty Frames Flood)

Some of these flaws can be exploited remotely by attackers, a few could impact multiple servers from a single end-system, and the rest could be used for DDoS attacks.

Netflix stated in an advisory that all the attack vectors are similar variants of the same exploit wherein a client requests a response from an unpatched server and then refuses to read it.
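For defenders reviewing captured client traffic, the flood variants named above show up as frame-type counts per connection. The sketch below is an added example, not code from Netflix, Google or any affected vendor: it parses the 9-byte HTTP/2 frame header defined in RFC 7540 and tallies PING, SETTINGS and empty frames. The `LIMITS` budgets and the `SAMPLE` capture are constructed assumptions.

```python
import struct
from collections import Counter

# Frame type codes and flags from RFC 7540, section 6.
DATA, HEADERS, SETTINGS, PING, CONTINUATION = 0x0, 0x1, 0x4, 0x6, 0x9
FLAG_ACK = 0x1         # defined on SETTINGS and PING
FLAG_END_STREAM = 0x1  # defined on DATA and HEADERS
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client connection preface

# Assumed per-connection budgets for one observation window; tune to real traffic.
LIMITS = {"ping": 10, "settings": 5, "empty": 20}

def iter_frames(buf):
    """Yield (length, type, flags, stream_id) for each complete frame in buf."""
    pos = len(PREFACE) if buf.startswith(PREFACE) else 0
    while pos + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        length = (hi << 16) | lo           # 24-bit payload length
        if pos + 9 + length > len(buf):
            break                          # truncated capture: stop cleanly
        yield length, ftype, flags, sid & 0x7FFFFFFF  # drop the reserved bit
        pos += 9 + length

def classify(buf):
    """Count the client-sent frames relevant to the flood variants."""
    counts = Counter()
    for length, ftype, flags, _sid in iter_frames(buf):
        if ftype == PING and not flags & FLAG_ACK:
            counts["ping"] += 1            # each one obliges the server to reply
        elif ftype == SETTINGS and not flags & FLAG_ACK:
            counts["settings"] += 1        # each one obliges the server to ACK
        elif (length == 0 and ftype in (DATA, HEADERS, CONTINUATION)
              and not flags & FLAG_END_STREAM):
            counts["empty"] += 1           # empty frame that does not end the stream
    return counts

def over_budget(counts, limits=LIMITS):
    """Return the sorted names of counters that exceed their budget."""
    return sorted(k for k, v in counts.items() if v > limits[k])

def frame(ftype, flags, sid, payload=b""):
    """Build one frame; used only to construct the sample below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

# Constructed sample: a normal opening, then 50 PINGs and 3 empty DATA frames.
SAMPLE = (frame(SETTINGS, 0, 0) + frame(HEADERS, 0x5, 1, b"\x82\x84")
          + frame(PING, 0, 0, bytes(8)) * 50 + frame(DATA, 0, 1) * 3)
```

On a production server the same counters belong in the HTTP/2 layer itself, where a connection that exceeds its budget can be closed instead of merely reported.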

What is the impact?

An alert from the CERT Coordination Center highlighted many large companies which may be affected by these DoS vulnerabilities.

The list includes the likes of Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js, and Ubuntu.

Worth noting

Many of the affected companies have already patched their systems. Cloudflare fixed seven of the vulnerabilities impacting its Nginx servers used for HTTP/2 communication.

"There are 6 different potential vulnerabilities here and we are monitoring for all of them. We have detected and mitigated a handful of attacks but nothing widespread yet," said Cloudflare, BleepingComputer reported.

Microsoft, Apple, Netflix, and other companies have also taken steps to patch their systems.

Cyware Publisher