Cyber Web Spider Blog – News

New HTTP/2 Bomb Exploit Threatens Major Web Servers

Posted on June 3, 2026 By CWS

Security researchers have disclosed a remote denial-of-service (DoS) vulnerability, dubbed the HTTP/2 Bomb, that affects widely deployed web servers and proxies including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. Because it is triggered through the servers' default HTTP/2 settings and needs little attacker bandwidth, it is a serious availability risk for anything that terminates HTTP/2 on these platforms.

Understanding the HTTP/2 Bomb Exploit

According to Calif, the company that identified the flaw, the HTTP/2 Bomb is present in the default HTTP/2 configurations of the affected servers. The exploit was developed with the help of OpenAI Codex and chains two well-documented techniques: a compression bomb, and a Slowloris-style hold in which the attacker keeps its connections open so that whatever the server has allocated for them stays allocated. The amplification comes from HPACK, the header compression scheme of HTTP/2.

HPACK shrinks header metadata with static and dynamic indexing tables plus Huffman coding, which the report puts at an average header-size reduction of about 30%. The same machinery has a history of abuse: the HTTP/2 Bomb builds on the earlier HPACK Bomb (CVE-2016-6581) and other HTTP/2 denial-of-service flaws.

The Mechanics of the Attack

Rather than stuffing large values into the server's header tables, the classic approach that byte-size limits were designed to bound, the HTTP/2 Bomb sends a stream of minimal headers. Each costs the attacker only a few bytes on the wire, but the server's allocation path spends far more memory per header on bookkeeping than the header itself contains. The amplification therefore comes from the server's per-header memory bookkeeping rather than from the decoded data, and because the data to decode stays tiny, limits expressed in decoded bytes are never reached.

In practice an attacker on an ordinary home internet connection can take down a vulnerable server within seconds. According to the researchers, a single client could pin up to 32 GB of memory on Apache HTTPD and Envoy in that time.

Mitigation Strategies and Future Outlook

Updates and configuration changes are recommended. NGINX users should upgrade to version 1.29.8 or later and use the max_headers directive to bound the number of header fields a request may carry. Apache HTTPD users should update mod_http2 to v2.0.41, or disable HTTP/2 (falling back to HTTP/1.1) where upgrading is not possible. As of publication, no patches are available for Microsoft IIS, Envoy, or Cloudflare Pingora. Until they are, remember that the Slowloris-style hold is what keeps the memory pinned: per-client connection limits and idle-connection timeouts at the edge cap how much one client can hold, although they do not remove the per-header amplification itself.

The broader lesson is a gap in the HTTP/2 specification: its guidance on HPACK concentrates on compression amplification ratios, that is, bytes decoded per byte received, and says nothing about memory that remains allocated for as long as a connection lives. That lets an attacker keep connections open at near-zero cost and hold the server's allocations pinned indefinitely.
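To make the bookkeeping argument and the spec gap concrete, here is a small model of an HPACK decoder's dynamic table. It is an added example written for this page, not code from Calif, The Hacker News, or any of the servers named. The RFC 7541 accounting rule (32 bytes of overhead plus the name and value lengths per entry, oldest entries evicted when the table would overflow) is real; everything else is an assumption: that the tiny headers are inserted into the dynamic table, the per-entry allocation cost `server_bytes_per_entry`, the count cap `max_entries`, the wire-cost estimate, and the number of held connections. It shows why a byte-size limit such as SETTINGS_HEADER_TABLE_SIZE (default 4096) never fires against minimal entries, how idle held connections multiply the pinned memory, and how a count-based cap bounds it where the byte limit does not.

```python
"""Model of HPACK dynamic-table accounting versus assumed server allocation.

Added illustration for this article, not code from Calif or any named server.
Real: the RFC 7541 accounting rule and eviction order. Assumed: that minimal
headers land in the dynamic table, the per-entry allocation cost, the count
cap, the wire-cost estimate and the connection count.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional, Tuple

RFC7541_ENTRY_OVERHEAD = 32        # RFC 7541 section 4.1: size = name + value + 32
DEFAULT_TABLE_SIZE = 4096          # default SETTINGS_HEADER_TABLE_SIZE
MINIMAL_NAME, MINIMAL_VALUE = b"a", b""   # smallest literal the model sends


@dataclass
class DynamicTable:
    """Decoder dynamic table with RFC byte accounting and an optional count
    cap. The cap is an assumed defensive knob, not any server's directive."""
    max_size: int
    max_entries: Optional[int] = None
    entries: deque = field(default_factory=deque)   # newest entry at index 0
    size: int = 0                                   # RFC-accounted bytes

    @staticmethod
    def entry_size(name: bytes, value: bytes) -> int:
        return len(name) + len(value) + RFC7541_ENTRY_OVERHEAD

    def _evict_oldest(self) -> None:
        old_name, old_value = self.entries.pop()
        self.size -= self.entry_size(old_name, old_value)

    def insert(self, name: bytes, value: bytes) -> None:
        """Literal with incremental indexing (RFC 7541 section 6.2.1):
        evict oldest entries until the new one fits (section 4.4)."""
        needed = self.entry_size(name, value)
        while self.entries and self.size + needed > self.max_size:
            self._evict_oldest()
        # The byte limit above bounds accounted bytes, not the number of
        # resident entries; bounding the count needs a separate cap.
        while (self.max_entries is not None and self.entries
               and len(self.entries) >= self.max_entries):
            self._evict_oldest()
        if needed <= self.max_size:
            self.entries.appendleft((name, value))
            self.size += needed


def wire_bytes(name: bytes, value: bytes) -> int:
    """Upper-bound wire cost of one literal-with-indexing field with a new
    name: a 1-byte prefix plus, per string, a 1-byte length (lengths < 127)
    and the raw octets. Huffman coding can only make this smaller."""
    return 1 + (1 + len(name)) + (1 + len(value))


def fill_with_minimal_entries(table_size: int,
                              max_entries: Optional[int] = None) -> Tuple[int, int]:
    """Send minimal literals until the RFC byte limit is reached.
    Returns (resident entries, attacker bytes sent on the wire)."""
    table = DynamicTable(table_size, max_entries)
    attempts = table_size // DynamicTable.entry_size(MINIMAL_NAME, MINIMAL_VALUE)
    sent = 0
    for _ in range(attempts):
        table.insert(MINIMAL_NAME, MINIMAL_VALUE)
        sent += wire_bytes(MINIMAL_NAME, MINIMAL_VALUE)
    return len(table.entries), sent


def attack_model(table_size: int, held_connections: int,
                 server_bytes_per_entry: int,
                 max_entries: Optional[int] = None) -> dict:
    """Attacker cost versus memory pinned on the server while the connections
    sit idle (the Slowloris-style hold: nothing more is sent, the memory stays).
    server_bytes_per_entry is an assumed allocation cost per resident entry;
    fixed per-connection costs (preface, SETTINGS) are ignored on both sides."""
    entries, sent = fill_with_minimal_entries(table_size, max_entries)
    attacker_bytes = held_connections * sent
    server_bytes = held_connections * entries * server_bytes_per_entry
    return {
        "entries_per_connection": entries,
        "attacker_bytes": attacker_bytes,
        "server_bytes": server_bytes,
        "amplification": server_bytes / attacker_bytes,
    }


if __name__ == "__main__":
    # 10,000 held connections and 256 bytes per entry are assumed figures.
    print("uncapped:", attack_model(DEFAULT_TABLE_SIZE, 10_000, 256))
    print("capped:  ", attack_model(DEFAULT_TABLE_SIZE, 10_000, 256, max_entries=32))
```

Under the assumed 256 bytes per entry, each 4-byte literal costs the server 256 bytes, a 64:1 ratio, and the 4096-byte limit admits 124 minimal entries per connection (124 × 33 = 4092 accounted bytes) while the count cap holds it to 32. The absolute numbers are artifacts of the assumptions; the shape is the point: pinned memory scales with entries times held connections, not with bytes decoded, which is exactly the quantity the specification's amplification-ratio guidance does not measure.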

For operators the conclusion is the usual one: apply the patches as they appear, and where none exists yet, reduce the HTTP/2 attack surface rather than wait.

Source: The Hacker News. Tags: Apache, Cloudflare, Cybersecurity, denial of service, Envoy, HTTP/2 vulnerability, IIS, NGINX, server security

Copyright © 2026 Cyber Web Spider Blog – News.