Multiple HTTP/2 Implementation Vulnerabilities

What is HTTP/2?
HTTP/2 is an application-layer protocol that runs on top of a TCP connection (in practice almost always inside TLS). It is a major revision of the HTTP protocol; the semantics of requests and responses are unchanged, but the way they are framed on the wire is new.

HTTP/1.0 allowed only one request to be outstanding at a time on a given TCP connection. HTTP/1.1 added request pipelining, but this only partially addressed request concurrency and still suffers from head-of-line blocking. HTTP/1.0 and HTTP/1.1 clients that need to make many requests therefore open multiple connections to a server to achieve concurrency; every extra connection costs a TCP (and usually TLS) handshake and additional state on the server.

HTTP/2 improves on HTTP/1.1 by compressing header fields (HPACK), by multiplexing many concurrent requests and responses as independent streams over a single TCP connection, which removes HTTP-level head-of-line blocking (a lost TCP segment still stalls every stream on that connection), and by letting clients assign priorities and dependencies to streams so that more important responses complete first. The result is fewer connections, less redundant traffic and lower latency.

HTTP/2 Connection
Each endpoint must send a connection preface to establish the HTTP/2 connection. The client preface begins with the 24-byte magic string "PRI * HTTP/2.0\x0d\x0a\x0d\x0aSM\x0d\x0a\x0d\x0a" followed by a SETTINGS frame (which may be empty); the server preface is a SETTINGS frame. Once the prefaces have been exchanged, endpoints can begin exchanging frames. Every HTTP/2 frame begins with a fixed 9-byte header followed by a variable-length payload.

HTTP/2 Frame header:

Length: The 24-bit length of the frame payload in bytes (the 9-byte header is not counted). A receiver must accept payloads up to 2^14 (16,384) bytes; larger frames are only allowed if the receiver has advertised a higher SETTINGS_MAX_FRAME_SIZE, otherwise they are a FRAME_SIZE_ERROR.

Type: The 8-bit type of the frame (e.g. 0x0 DATA, 0x1 HEADERS, 0x2 PRIORITY, 0x3 RST_STREAM, 0x4 SETTINGS, 0x5 PUSH_PROMISE, 0x6 PING, 0x8 WINDOW_UPDATE, 0x9 CONTINUATION).

Flags: An 8-bit field reserved for boolean flags specific to the frame type (e.g. END_STREAM on DATA and HEADERS, ACK on SETTINGS and PING).

R: A reserved 1-bit field. Senders must set it to 0 and receivers must ignore it.

Stream Identifier: The stream to which this frame belongs, expressed as an unsigned 31-bit integer. Stream 0 is the connection itself and carries connection-level frames such as SETTINGS, PING and GOAWAY.
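As an added example (not code from the original post or from any of the affected implementations), the Python below builds the client connection preface, serializes and parses 9-byte frame headers, and walks through the minimal server-side exchange: check the magic, acknowledge SETTINGS, and answer a PING with an ACK that echoes its 8 opaque bytes. The frame type codes, the preface bytes and the 16,384-byte default frame size come from RFC 7540; the function names and the sample PING payload are this example's own.

```python
"""HTTP/2 connection preface and frame layer (RFC 7540 sections 3.5 and 4.1)."""
import struct
from dataclasses import dataclass

# 24-byte client magic that opens every HTTP/2 connection (RFC 7540 section 3.5).
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# Frame type codes from RFC 7540 section 6.
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0x0, 0x1, 0x2, 0x3, 0x4
PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION = 0x5, 0x6, 0x7, 0x8, 0x9

FLAG_ACK = 0x1          # on SETTINGS and PING
FLAG_END_STREAM = 0x1   # on DATA and HEADERS
HEADER_LEN = 9
DEFAULT_MAX_FRAME_SIZE = 2 ** 14  # 16384 bytes until SETTINGS_MAX_FRAME_SIZE raises it


@dataclass
class Frame:
    type: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id."""
    if not 0 <= stream_id < 2 ** 31:
        raise ValueError("stream id must fit in 31 bits")
    if len(payload) >= 2 ** 24:
        raise ValueError("payload length must fit in 24 bits")
    header = struct.pack(">I", len(payload))[1:]                       # low 3 bytes of the length
    header += struct.pack(">BBI", ftype, flags, stream_id & 0x7FFFFFFF)  # R bit is always 0
    return header + payload


def parse_frames(buf: bytes, max_frame_size: int = DEFAULT_MAX_FRAME_SIZE):
    """Split a byte buffer into complete frames and return (frames, leftover_bytes).

    A declared length above max_frame_size is a connection error (FRAME_SIZE_ERROR),
    so it raises instead of trying to buffer the oversized payload.
    """
    frames, pos = [], 0
    while len(buf) - pos >= HEADER_LEN:
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags, sid = struct.unpack(">BBI", buf[pos + 3:pos + 9])
        if length > max_frame_size:
            raise ValueError(f"frame length {length} exceeds SETTINGS_MAX_FRAME_SIZE")
        if len(buf) - pos - HEADER_LEN < length:
            break  # partial frame: wait for more bytes from the socket
        payload = buf[pos + HEADER_LEN:pos + HEADER_LEN + length]
        frames.append(Frame(ftype, flags, sid & 0x7FFFFFFF, payload))  # receiver ignores R
        pos += HEADER_LEN + length
    return frames, buf[pos:]


def client_preface(settings: bytes = b"") -> bytes:
    """Magic followed by the mandatory SETTINGS frame (empty when no settings are sent)."""
    return CONNECTION_PREFACE + encode_frame(SETTINGS, 0, 0, settings)


def server_reply(client_bytes: bytes) -> bytes:
    """Minimal server side: verify the magic, send our SETTINGS preface, acknowledge the
    client's SETTINGS, and echo each PING back with the ACK flag set."""
    if not client_bytes.startswith(CONNECTION_PREFACE):
        raise ValueError("missing HTTP/2 connection preface")
    frames, _ = parse_frames(client_bytes[len(CONNECTION_PREFACE):])
    if not frames or frames[0].type != SETTINGS or frames[0].stream_id != 0:
        raise ValueError("preface must be followed by a SETTINGS frame on stream 0")
    out = encode_frame(SETTINGS, 0, 0)  # the server's own (empty) SETTINGS preface
    for f in frames:
        if f.type == SETTINGS and not f.flags & FLAG_ACK:
            out += encode_frame(SETTINGS, FLAG_ACK, 0)
        elif f.type == PING and not f.flags & FLAG_ACK:
            if len(f.payload) != 8 or f.stream_id != 0:
                raise ValueError("PING must carry 8 opaque bytes on stream 0")
            out += encode_frame(PING, FLAG_ACK, 0, f.payload)
    return out


if __name__ == "__main__":
    # Constructed sample exchange: client preface plus one PING with an opaque payload.
    wire = client_preface() + encode_frame(PING, 0, 0, b"\x00" * 7 + b"\x01")
    print(wire[:24], wire[24:33].hex())
    reply, _ = parse_frames(server_reply(wire))
    for fr in reply:
        print(f"type=0x{fr.type:x} flags=0x{fr.flags:x} stream={fr.stream_id} len={len(fr.payload)}")
```

Note that parse_frames rejects an oversized declared length before reading the payload: a peer that announces a 16 MB frame should not be able to make the receiver reserve 16 MB on the strength of a 9-byte header.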

HTTP/2 Vulnerabilities:

Netflix has disclosed several resource exhaustion vulnerabilities affecting a variety of third-party HTTP/2 implementations. They are protocol-level denial of service vectors: each costs the attacker very little bandwidth but makes a peer that supports HTTP/2 spend CPU or memory out of proportion to the traffic received. The descriptions below follow the Netflix advisory.

CVE-2019-9511 : Data Dribble
The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9512 : Ping Flood
The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9513 : Resource Loop
The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.

CVE-2019-9514 : Reset Flood
The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9515 : Settings Flood
The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9516 : 0-Length Headers Leak
The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.

CVE-2019-9517 : Internal Data Buffering
The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9518 : Empty Frame Flooding
The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
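The attacks above share one shape: a stream of cheap frames, each of which makes the peer do work (answer a PING, acknowledge SETTINGS, reshuffle the priority tree, send a RST_STREAM, parse an empty frame, retain an empty header, or buffer a response it cannot write). The accounting below is an added example, not the page's or any vendor's code, showing the kind of per-connection budget that implementations adopted in response: it counts frames that carry no request progress in a sliding window, refuses malformed 0-length header names instead of storing them, and stops reading new requests while the socket's send side is backed up. The thresholds are illustrative assumptions to be tuned per deployment; the class and method names, and the choice to close with GOAWAY(ENHANCE_YOUR_CALM), are this example's own.

```python
"""Per-connection accounting that detects HTTP/2 frame floods and closes the connection
once a peer makes the server do work out of all proportion to the requests it completes.
All thresholds are illustrative assumptions for a 1-second sliding window, not vendor values."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional

# Frame type codes (RFC 7540 section 6) and the flag bits the checks below use.
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0x0, 0x1, 0x2, 0x3, 0x4
PUSH_PROMISE, PING, WINDOW_UPDATE, CONTINUATION = 0x5, 0x6, 0x8, 0x9
FLAG_ACK = 0x1         # SETTINGS and PING
FLAG_END_STREAM = 0x1  # DATA and HEADERS


@dataclass
class Limits:
    window_seconds: float = 1.0
    max_pings: int = 50                 # Ping Flood (CVE-2019-9512)
    max_settings: int = 20              # Settings Flood (CVE-2019-9515)
    max_priority: int = 100             # Resource Loop (CVE-2019-9513)
    max_empty_frames: int = 50          # Empty Frame Flooding (CVE-2019-9518)
    max_tiny_window_updates: int = 100  # Data Dribble (CVE-2019-9511)
    tiny_window_bytes: int = 64         # WINDOW_UPDATE increments below this count as tiny
    max_resets_sent: int = 100          # Reset Flood (CVE-2019-9514)
    max_empty_header_fields: int = 10   # 0-Length Headers Leak (CVE-2019-9516)
    max_buffered_bytes: int = 1 << 20   # Internal Data Buffering (CVE-2019-9517)


class EnhanceYourCalm(Exception):
    """Close the connection with GOAWAY(ENHANCE_YOUR_CALM, error code 0xb)."""


class ConnectionGuard:
    def __init__(self, limits: Optional[Limits] = None):
        self.limits = limits or Limits()
        self._events: Dict[str, Deque[float]] = {}
        self.buffered_bytes = 0  # response bytes queued but not yet written to the socket

    def _bump(self, name: str, limit: int, now: float) -> None:
        """Record one event of kind `name` at time `now`; raise once the window holds > limit."""
        q = self._events.setdefault(name, deque())
        q.append(now)
        while q and now - q[0] > self.limits.window_seconds:
            q.popleft()
        if len(q) > limit:
            raise EnhanceYourCalm(f"{name}: {len(q)} in {self.limits.window_seconds}s")

    def on_frame(self, ftype: int, flags: int, stream_id: int, payload: bytes, now: float) -> None:
        """Account for one received frame. Frames that make no request progress are budgeted."""
        lim = self.limits
        if ftype == PING and not flags & FLAG_ACK:
            self._bump("ping", lim.max_pings, now)           # each one costs us a PING ACK
        elif ftype == SETTINGS and not flags & FLAG_ACK:
            self._bump("settings", lim.max_settings, now)    # each one costs us a SETTINGS ACK
        elif ftype == PRIORITY:
            self._bump("priority", lim.max_priority, now)    # each one reshuffles the priority tree
        elif ftype == WINDOW_UPDATE:
            increment = int.from_bytes(payload[:4], "big") & 0x7FFFFFFF
            if increment < lim.tiny_window_bytes:            # forces us to send data in tiny chunks
                self._bump("tiny_window_update", lim.max_tiny_window_updates, now)
        if ftype in (DATA, HEADERS, CONTINUATION, PUSH_PROMISE) and not payload \
                and not flags & FLAG_END_STREAM:
            self._bump("empty_frame", lim.max_empty_frames, now)  # parsed, but nothing advances

    def on_header_field(self, name: bytes, value: bytes, now: float) -> bool:
        """Validate one HPACK-decoded header field; False means reject it (stream error)."""
        if not name:  # a 0-length name is malformed: never store it, and budget the attempts
            self._bump("empty_header_field", self.limits.max_empty_header_fields, now)
            return False
        return True

    def on_reset_sent(self, now: float) -> None:
        """Call whenever we answer an invalid request with RST_STREAM."""
        self._bump("rst_stream_sent", self.limits.max_resets_sent, now)

    def on_response_queued(self, nbytes: int) -> None:
        self.buffered_bytes += nbytes

    def on_bytes_written(self, nbytes: int) -> None:
        self.buffered_bytes -= nbytes

    def can_accept_request(self) -> bool:
        """Stop reading new requests while the TCP send side is backed up."""
        return self.buffered_bytes < self.limits.max_buffered_bytes


if __name__ == "__main__":
    # Constructed sample: a peer sends PINGs back to back within the same second.
    guard = ConnectionGuard()
    try:
        for i in range(200):
            guard.on_frame(PING, 0, 0, b"\x00" * 8, now=i * 0.001)
        print("no flood detected")
    except EnhanceYourCalm as exc:
        print("closing connection:", exc)
```

The two rules that matter most are visible in on_frame: acknowledged frames (PING ACK, SETTINGS ACK) and empty DATA frames that carry END_STREAM are legitimate and are never counted, so a well-behaved client is not affected, while the Internal Data Buffering case is handled on the write side rather than the read side, because the only defence there is to stop accepting requests until the socket drains.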

Remediation:

Affected vendors include Microsoft, Akamai, Amazon, Apache, Apple, Cloudflare, Envoy, Facebook, Go Programming Language, gRPC, Netty, nghttp2, nginx, Node.js, Synology, Twisted and Ubuntu.

Please find the matrix of affected products and vulnerabilities here.

Apply the latest updates from the HTTP/2 implementers.

To be fully protected from these vulnerabilities, Microsoft additionally recommends configuring the server to limit the number of HTTP/2 frames it accepts. Refer to the respective vendor advisory for the settings that apply to each product.

SonicWall Capture Labs Threat Research team provides protection against attempts to exploit these vulnerabilities with the following signatures:

IPS: 14362 Windows HTTP/2 Server DoS (AUG 19)
IPS: 14366 Windows HTTP/2 Server DoS (AUG 19) 2
IPS: 14375 Windows HTTP/2 Server DoS 4 (AUG 19)
IPS: 14373 HTTP/2 SERVER Informational
IPS: 14374 Windows HTTP/2 PING Informational

SonicWall Capture Labs Threat Research team continues to monitor for attempts to exploit the recently patched HTTP/2 vulnerabilities.


Microsoft Security Bulletin Coverage for August 2019

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft's security advisories for the month of August 2019. The list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2019-0714 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0715 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0716 Windows Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0717 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0718 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0720 Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-0723 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-0736 Windows DHCP Client Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-0965 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1030 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1057 MS XML Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1078 Microsoft Graphics Component Information Disclosure Vulnerability
ASPY 5601:Malformed-File exe.MP.91

CVE-2019-1131 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2019-1133 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2019-1139 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14344:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 3

CVE-2019-1140 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14345:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 4

CVE-2019-1141 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14346:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 5

CVE-2019-1143 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1144 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1145 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1146 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1147 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1148 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1149 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1150 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1151 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1152 Microsoft Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1153 Microsoft Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1154 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1155 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1156 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1157 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1158 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1159 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5608:Malformed-File exe.MP.97

CVE-2019-1160 Azure DevOps Server Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1161 Microsoft Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1162 Windows ALPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1163 Windows File Signature Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2019-1164 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5602:Malformed-File exe.MP.92

CVE-2019-1168 Microsoft Windows p2pimsvc Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1169 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1170 Windows NTFS Elevation of Privilege Vulnerability
ASPY 5603:Malformed-File exe.MP.93

CVE-2019-1171 SymCrypt Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1172 Windows Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1173 Windows Elevation of Privilege Vulnerability
ASPY 5604:Malformed-File exe.MP.94

CVE-2019-1174 Windows Elevation of Privilege Vulnerability
ASPY 5605:Malformed-File exe.MP.95

CVE-2019-1175 Windows Elevation of Privilege Vulnerability
ASPY 5606:Malformed-File exe.MP.96

CVE-2019-1176 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1177 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1178 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1179 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1180 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1181 Remote Desktop Services Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1182 Remote Desktop Services Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1183 Windows VBScript Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1184 Windows Elevation of Privilege Vulnerability
ASPY 5607:Malformed-File dll.MP.5

CVE-2019-1185 Windows Subsystem for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1186 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1187 XmlLite Runtime Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1188 LNK Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1190 Windows Image Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1192 Microsoft Browsers Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2019-1193 Microsoft Browser Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2019-1194 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2019-1195 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14340:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 1

CVE-2019-1196 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14341:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 2

CVE-2019-1197 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 14340:Chakra Scripting Engine Memory Corruption Vulnerability (AUG 19) 1

CVE-2019-1198 Microsoft Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1199 Microsoft Outlook Memory Corruption Vulnerability
IPS 14342:Microsoft Outlook Memory Corruption Vulnerability (AUG 19) 1

CVE-2019-1200 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1201 Microsoft Word Remote Code Execution Vulnerability
ASPY 5600:Malformed-File doc.MP.47

CVE-2019-1202 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1203 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.

CVE-2019-1204 Microsoft Outlook Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1205 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1206 Windows DHCP Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1211 Git for Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-1212 Windows DHCP Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1213 Windows DHCP Server Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1218 Outlook iOS Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2019-1222 Remote Desktop Services Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1223 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-1224 Remote Desktop Protocol Server Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1225 Remote Desktop Protocol Server Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1226 Remote Desktop Services Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2019-1227 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1228 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2019-1229 Dynamics On-Premise Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2019-9506 Encryption Key Negotiation of Bluetooth Vulnerability
There are no known exploits in the wild.

CVE-2019-9511 HTTP/2 Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-9512 HTTP/2 Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-9513 HTTP/2 Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-9514 HTTP/2 Server Denial of Service Vulnerability
There are no known exploits in the wild.

CVE-2019-9518 HTTP/2 Server Denial of Service Vulnerability
There are no known exploits in the wild.