4 Major Vulnerabilities Discovered In HTTP/2 Protocol

...

Client computing is increasingly providing a back door into the enterprise for the compromise and

Web administrators take note: The vulnerabilities Imperva discovered in the HTTP/2 protocol were reported to vendors, and patched versions are already available.

Cyber-security specialist Imperva released its latest "Hacker Intelligence Initiative (HII) Report" this week, which highlights the four major vulnerabilities in HTTP/2 -- the new version of the HTTP protocol that serves as one of the main building blocks of the internet.

In the research, the company found four different attack vectors, and was able to find an exploitable vulnerability in almost all of the new components of the HTTP/2 protocol.

The four different attack vectors Imperva discovered are Slow Read, HPACK (Compression), Dependency DoS, and Stream abuse.

The team took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The security researchers discovered exploitable vulnerabilities in all major HTTP/2 mechanisms that it reviewed.

These include two that are similar to well known and widely exploited vulnerabilities in HTTP/1.x.

"All the vulnerabilities we discovered were reported to the vendors and patched versions are already available," Itsik Mantin, director of security research for Imperva, told InformationWeek. "In order to stay safe, web administrators need to make sure to use a version of their server that has this vulnerability fixed."

Mantin explained in order to win this patching race, application providers can either make sure to continuously get patches for the servers and all the third-party libraries they are using and install them in time, or use a web application firewall with virtual patching capabilities to provide ongoing protection to their applications.

He warned that, in addition to a direct financial loss, affected businesses should also take into account reputational damage, customer attrition, and legal pursuits that may have an even higher financial cost.

"This is especially concerning when it comes to web attacks, as the attacker can run the attack on hundreds or thousands of vulnerable applications from any point of the globe and without leaving his couch," Mantin said.

The HTTP/2 protocol was designed to be the next-generation protocol for web applications. Unlike the stopgap HTTP/1.x, the new protocol displays a complete technical makeover and introduces new significant mechanisms, but with its broader scope extends the attack surface and introduces new vulnerabilities into servers and clients.

The Imperva report noted it is likely that other implementations of the HTTP/2 protocol also suffer from these vulnerabilities.

[Read how many companies were vulnerable to ransomware in 2015.]

While the designers of HTTP/2 made a "significant effort" to identify and address security risks involved in the new protocol through design choices, the survey noted that implementations of HTTP/2 servers do not always follow these guidelines.

Imperva tested five popular servers and found all to be vulnerable to at least one attack, leading to the conclusion that other implementations of the protocol could suffer from these vulnerabilities, especially those that rely on external HTTP/2 libraries.

The report also cautions that many open source software code vendors share the same code and are therefore likely to have the same vulnerabilities.

This indicates vendors need to cooperate to mitigate vulnerabilities that make the work of patching things ever more lengthy and complicated.

"This research is pointing out once again that new technology brings new risks. When releasing new code into the wild, it is only a matter of time until new vulnerabilities are found and exploited," the report concluded. "The solution lies with an external component in the network that aims to reduce these risks."

Categories
APPLICATIONS
0 Comment

Leave a Reply

Captcha image


RELATED BY

  • 5300c769af79e

    Many Businesses Using AI Without Realizing It

    They are empowered Businesses see AI as a future investment, even though most organizations are actually already using it, a study finds.While only about a quarter of surveyed business executives say they're currently using artificial intelligence in the workplace to automate manual tasks, a vast majority of those who said they weren't using AI actually were without realizing it.
  • 5300c769af79e

    Google Adding Video Messaging to Hangouts for Android

    As reported by Android Police and 9to5Google, the feature, which is already on iOS, is not yet on Google Play, but an APK is available to download.Those with early access described video messaging as "just like sending a picture": Tap to open the camera, press the red button to record, then choose a recipient.
  • 5300c769af79e

    LinkedIn Ranks Best Companies At Attracting, Retaining Talent

    Attend this video panel and you will hear industry experts engage in a lively conversation on the Which companies are the best at attracting and retaining talent?According to a new list by careers social networking site LinkedIn, these three companies are the best in the US in terms of attracting and keeping top talent.
  • 5300c769af79e

    Report: Google to Launch Commuter-Focused Rideshare Service Powered by Waze

    Should all go well with the existing pilot, Google will open the Waze-powered service up to all nearby residents.To help provide an understanding of how this service differs from Uber, the Waze service matches drivers up with riders who are all headed in the same direction.