Recently, millions of web servers were exposed to DoS attacks due to new HTTP/2 flaws. Various implementations of HTTP/2, the latest version of the HTTP network protocol, have been found vulnerable to multiple security vulnerabilities affecting the most popular web server software, including Apache, Microsoft’s IIS, and NGINX.

The widely used HTTP/2 protocol for web servers contains a set of eight vulnerabilities that could lead to DoS attacks. Unpatched web servers running any of several implementations of the HTTP/2 protocol could be knocked offline in this way. Around 40% of websites on the Internet which support HTTP/2 communication could be vulnerable to DoS attacks. DoS attacks can cause servers to become unresponsive and deny visitors access to web pages, thereby crippling crucial web services.

Security researcher Jonathan Looney of Netflix discovered seven of the flaws whereas Piotr Sikora of Google found the eighth flaw. The eight flaws are tracked as

• CVE-2019-9511 (Data Dribble)
• CVE-2019-9512 (Ping Flood)
• CVE-2019-9513 (Resource Loop)
• CVE-2019-9514 (Reset Flood)
• CVE-2019-9515 (Settings Flood)
• CVE-2019-9516 (0-Length Headers Leak)
• CVE-2019-9517 (Internal Data Buffering)
• CVE-2019-9518 (Empty Frames Flood)

Some of these flaws can be exploited remotely by attackers, a few of them could impact multiple servers from a single end-system, and the rest could be used for DDoS attacks.
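Most of the eight flaws are floods of a single cheap frame type (PING, RST_STREAM, SETTINGS, or empty DATA frames), so a defender's first signal is an abnormal per-connection frame-type count. The following is an added example, not code from the original article or from any of the affected projects: it parses the RFC 7540 9-byte frame header from a constructed byte stream and flags connections whose counts exceed assumed thresholds (the threshold values and the constructed sample traffic are assumptions for illustration).

```python
import struct
from collections import Counter

# HTTP/2 frame type codes (RFC 7540, section 6)
DATA, HEADERS, RST_STREAM, SETTINGS, PING = 0x0, 0x1, 0x3, 0x4, 0x6
TYPE_NAMES = {DATA: "DATA", HEADERS: "HEADERS", RST_STREAM: "RST_STREAM",
              SETTINGS: "SETTINGS", PING: "PING"}
END_STREAM = 0x1

def build_frame(ftype, payload=b"", flags=0, stream_id=0):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def parse_frames(data):
    """Return (type, flags, stream_id, payload) for each complete frame in data."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated frame at the end of the capture
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames

# Assumed per-connection thresholds; tune against your own baseline traffic.
THRESHOLDS = {"PING": 50, "RST_STREAM": 100, "SETTINGS": 20, "EMPTY_DATA": 100}

def flood_indicators(data):
    """Map each threshold that one connection's frame stream exceeds to its count."""
    counts = Counter()
    for ftype, flags, _stream_id, payload in parse_frames(data):
        name = TYPE_NAMES.get(ftype)
        if name in ("PING", "RST_STREAM", "SETTINGS"):
            counts[name] += 1
        # Empty DATA frames that never end the stream match the Empty Frames Flood pattern.
        if ftype == DATA and not payload and not flags & END_STREAM:
            counts["EMPTY_DATA"] += 1
    return {k: counts[k] for k, limit in THRESHOLDS.items() if counts[k] > limit}

# Constructed sample connections: one benign, one sending 60 PING frames.
BENIGN = build_frame(SETTINGS) + build_frame(HEADERS, b"\x82", END_STREAM, 1)
PING_FLOOD = b"".join(build_frame(PING, bytes(8)) for _ in range(60))
```

Running `flood_indicators` over `PING_FLOOD` reports the PING count, while `BENIGN` produces no indicator; in practice the counts would be keyed per client connection and per time window.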

“Some are efficient enough that a single end-system could potentially cause havoc on multiple servers. Other attacks are less efficient; however, even less efficient attacks can open the door for DDoS attacks which are difficult to detect and block,” the advisory states.

An alert from the CERT Coordination Center highlighted many large companies which may be affected by these DoS vulnerabilities. According to sources, around 40% of all the websites on the Internet could be vulnerable to DoS attacks. It is reported that organizations such as Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js, and Ubuntu may be affected by these vulnerabilities.

However, it should be noted that the vulnerabilities can only be used to cause a DoS condition and do not allow attackers to compromise the confidentiality or integrity of the data contained within the vulnerable servers.

Damage Control
Several organizations affected by the vulnerabilities have already patched their systems. Cloudflare fixed seven of the vulnerabilities impacting its Nginx servers used for HTTP/2 communication.

“There are 6 different potential vulnerabilities here and we are monitoring for all of them. We have detected and mitigated a handful of attacks but nothing widespread yet,” said Cloudflare, BleepingComputer reported.

Microsoft, Apple, Netflix, and other organizations have also taken steps to patch their systems.
