4 Major Vulnerabilities Discovered In HTTP/2 Protocol


Client computing is increasingly providing a back door into the enterprise for the compromise and

Web administrators take note: The vulnerabilities Imperva discovered in the HTTP/2 protocol were reported to vendors, and patched versions are already available.

Cyber-security specialist Imperva released its latest "Hacker Intelligence Initiative (HII) Report" this week, which highlights the four major vulnerabilities in HTTP/2 -- the new version of the HTTP protocol that serves as one of the main building blocks of the internet.

In the research, the company found four different attack vectors, and was able to find an exploitable vulnerability in almost all of the new components of the HTTP/2 protocol.

The four different attack vectors Imperva discovered are Slow Read, HPACK (Compression), Dependency DoS, and Stream abuse.

The team took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The security researchers discovered exploitable vulnerabilities in all major HTTP/2 mechanisms that it reviewed.

These include two that are similar to well known and widely exploited vulnerabilities in HTTP/1.x.

"All the vulnerabilities we discovered were reported to the vendors and patched versions are already available," Itsik Mantin, director of security research for Imperva, told InformationWeek. "In order to stay safe, web administrators need to make sure to use a version of their server that has this vulnerability fixed."

Mantin explained in order to win this patching race, application providers can either make sure to continuously get patches for the servers and all the third-party libraries they are using and install them in time, or use a web application firewall with virtual patching capabilities to provide ongoing protection to their applications.

He warned that, in addition to a direct financial loss, affected businesses should also take into account reputational damage, customer attrition, and legal pursuits that may have an even higher financial cost.

"This is especially concerning when it comes to web attacks, as the attacker can run the attack on hundreds or thousands of vulnerable applications from any point of the globe and without leaving his couch," Mantin said.

The HTTP/2 protocol was designed to be the next-generation protocol for web applications. Unlike the stopgap HTTP/1.x, the new protocol displays a complete technical makeover and introduces new significant mechanisms, but with its broader scope extends the attack surface and introduces new vulnerabilities into servers and clients.

The Imperva report noted it is likely that other implementations of the HTTP/2 protocol also suffer from these vulnerabilities.

[Read how many companies were vulnerable to ransomware in 2015.]

While the designers of HTTP/2 made a "significant effort" to identify and address security risks involved in the new protocol through design choices, the survey noted that implementations of HTTP/2 servers do not always follow these guidelines.

Imperva tested five popular servers and found all to be vulnerable to at least one attack, leading to the conclusion that other implementations of the protocol could suffer from these vulnerabilities, especially those that rely on external HTTP/2 libraries.

The report also cautions that many open source software code vendors share the same code and are therefore likely to have the same vulnerabilities.

This indicates vendors need to cooperate to mitigate vulnerabilities that make the work of patching things ever more lengthy and complicated.

"This research is pointing out once again that new technology brings new risks. When releasing new code into the wild, it is only a matter of time until new vulnerabilities are found and exploited," the report concluded. "The solution lies with an external component in the network that aims to reduce these risks."

0 Comment

Leave a Reply

Captcha image


  • 5300c769af79e

    Google's WiFi Assistant Seems to be Rolling Out to Non-Project Fi Nexus Devices Today

    Project Fi’s exclusive WiFi Assistant feature that has allowed Nexus owners to automatically connect securely to open WiFi networks appears to be rolling out to non-Fi Nexus owners at the moment.With WiFi Assistant, assuming you toggle it on, your Nexus will connect to open WiFi networks that Google has deemed as secure and reliable.
  • 5300c769af79e

    Google Pushes Into India With Data-Saving Apps, More Wi-Fi

    During the second Google for India event, the company unveiled the data-saving YouTube Go app (pictured) and lighter versions of flagship products, but also tipped more options for activating public Wi-Fi and Hindi for Google Assistant.YouTube Go promises smooth video plays "across various connectivity situations," Caesar Sengupta, vice president of Google's Next Billion Users team, wrote in a blog post.
  • 5300c769af79e

    Salesforce Brings Lightning to Government Cloud

    It provides a modern, component-based platform and an intuitive user experience, as well as access to Salesforce's partner ecosystem, the company said.Introduced last year, Salesforce Lightning is essentially cloud-based CRM.
  • 5300c769af79e

    WhatsApp Rolls Out Video Calling to All

    All 1 billion-plus WhatsApp users around the world can now make video calls.Last month, reports tipped a beta program testing the ability to make video calls from within the app; screenshots showed that tapping the call button or contact card brings up a dialog with voice and video as options.