{"vuid":"VU#605641","idnumber":"605641","name":"HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion","keywords":["HTTP/2","DOS"],"overview":"Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service (DoS) attacks.","clean_desc":"The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections, as they demand more resources to operate than HTTP/1.1 connections. While it generally covers expected-behavior considerations, how to mitigate abnormal behavior is left to the implementer, which can leave implementations open to the following weaknesses.\n\nCVE-2019-9511, also known as Data Dribble\nThe attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.\n\nCVE-2019-9512, also known as Ping Flood\nThe attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.\n\nCVE-2019-9513, also known as Resource Loop\nThe attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.\n\nCVE-2019-9514, also known as Reset Flood\nThe attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.\n\nCVE-2019-9515, also known as Settings Flood\nThe attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.\n\nCVE-2019-9516, also known as 0-Length Headers Leak\nThe attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.\n\nCVE-2019-9517, also known as Internal Data Buffering\nThe attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.\n\nCVE-2019-9518, also known as Empty Frame Flooding\nThe attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.","impact":"These attacks can consume excessive system resources, potentially enough that a single end-system could cause issues on multiple servers that may lead to Distributed DoS (DDoS) attacks.","resolution":"Apply an update\nInstall the latest updates from HTTP/2 implementers.","workarounds":"","sysaffected":"Please see this matrix of affected products and vulnerabilities.","thanks":"Thanks to Jonathan Looney of Netflix for reporting CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, and CVE-2019-9517. Thanks to Piotr Sikora of Google, Envoy Security Team, for reporting CVE-2019-9518.","author":"This document was written by Madison Oliver.","public":["https://vuls.cert.org/confluence/pages/viewpage.action?pageId=56393752","https://tools.ietf.org/html/rfc7540","https://tools.ietf.org/html/rfc7541","https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md","https://blog.cloudflare.com/on-the-recent-http-2-dos-attacks/","https://blogs.akamai.com/sitr/2019/08/http2-vulnerabilities.html"],"cveids":["CVE-2019-9511","CVE-2019-9512","CVE-2019-9513","CVE-2019-9514","CVE-2019-9515","CVE-2019-9516","CVE-2019-9517","CVE-2019-9518"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2019-06-05T19:18:59Z","publicdate":"2019-08-13T00:00:00Z","datefirstpublished":"2019-08-13T17:43:09Z","dateupdated":"2019-11-19T21:13:43Z","revision":48,"vrda_d1_directreport":"1","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"N","cvss_integrityimpact":"--",
"cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"LM","cvss_targetdistribution":"H","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"H","cvss_basescore":"5","cvss_basevector":"AV:N/AC:L/Au:N/C:N/I:--/A:P","cvss_temporalscore":"3.9","cvss_environmentalscore":"6.2823674913204","cvss_environmentalvector":"CDP:LM/TD:H/CR:ND/IR:ND/AR:H","metric":0.0,"vulnote":null}