Everyone loves fast, secure websites. Google’s SPDY and it’s successor HTTP/2 was seen as a big step towards that goal.

As of Aug 6th 2016, 9.1% of websites use HTTP/2, and the trend is seeing a steep rise. All looked good.

The rapid adoption of HTTP/2 is partly due to the improvement in security.

On Aug 3rd, this smooth ride suffered a bit of a setback. At the annual Black Hat conference, 4 huge HTTP/2 vulnerabilities were disclosed, that made DoS attacks possible against HTTP/2 servers.

However, all is not lost. These vulnerabilities can be mitigated. Here’s a list of HTTP/2 vulnerabilities and how it can be fixed:

1. Slow Read Vulnerability (CVE-2016-1546)

Attackers can exploit this vulnerability to occupy all available connections, and deny access to legitimate visitors. This is a variant of “Slow Loris” attacks once prevalent on the internet.

All top web servers like Apache, IIS and Nginx were found to be vulnerable. Here’s how to fix them:

Apache

Apache implements HTTP/2 using a module called mod_http2. This module is vulnerable in Apache version 2.4.17 and 2.4.18. So, if you have any of these versions, upgrade to a later version, such as 2.4.20.

If you are unable to upgrade, you can mitigate it using mod_reqtimeout. In 2.4.17 and 2.4.18, this module is included by default. Set the following directives in your httpd.conf:

<IfModule mod_reqtimeout.c>
 RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

IIS

HTTP/2 is implemented only in IIS 10, which is shipped with Windows Server 2016 and Windows 10. So, unless you are using the early Server 2016 Technical Preview or Windows 10 for production websites, you are safe.

Nginx

Nginx v1.9.9 was found to be vulnerable to Slow Read on “GET” requests. A patch was released for this on v1.9.12. So, if you are using an older version of Nginx, perform an update ASAP.

In case you are unable to upgrade right away, you can minimize the impact of an attack by limiting the rate of requests and total number of connections from a single IP. For eg:

limit_conn perip 10;
limit_req zone=perip burst=5 nodelay;

2. HPACK Bomb Vulnerability (CVE-2016-1544)

This vulnerability can be exploited by sending in a connection header, and opening a lot of data streams under the same initial header. Such an attack quickly consumes the whole server memory, and results in a server crash.

This vulnerability was detected in Nghttpd (aka Nghttp2), an “experimental” HTTP/2 server.

Nghttpd

A fix for this vulnerability was released on Feb 11. If you are running Nghttpd v1.7.0 or older, you can fix this vulnerability by upgrading to v1.7.1 or later.

3. Dependency Cycle Attack (CVE-2015-8659)

An attacker can exploit this vulnerability to trick the server into processing an infinite loop of dependencies. This leads to an exhaustion of server resources, and eventually a server crash.

This vulnerability was originally seen in Nghttpd, and since it is used in mod_http2 of Apache, Apache is also deemed vulnerable.

Nghttpd

This issue has been in Nghttp2 v 1.6.0 as part of another bug (CVE-2015-8659). So, in case you’re using the old version, upgrade to the latest version (1.13.0).

Apache

Apache version 2.4.18 was found to be vulnerable. So, the best solution is to upgrade to a later version, such as 2.4.20.

4. Stream Multiplexing Abuse (CVE-2016-0150)

Using this vulnerability, attackers can send in multiple data streams in a single connection (it should be only one data stream per connection). At best, this can result in a server crash, and at worst, it can lead to arbitrary code execution.

The only major web server found to have this vulnerability is IIS.

IIS

HTTP/2 is implemented only in IIS 10, which is shipped with Windows Server 2016 and Windows 10. So, unless you are using the early Server 2016 Technical Preview or Windows 10 for production websites, you are safe.

Microsoft has already patched this for Windows 10.

In short..

HTTP/2 is the successor of the popular SPDY protocol, and is gaining rapid popularity. However, its early implementations in popular web servers like Apache, Nginx and IIS is found to have vulnerabilities. Today we’ve reviewed the 4 vulnerabilities disclosed at Black Hat 2016, and how to fix them.

Bobcares helps online businesses of all sizes achieve world-class security and uptime, using tried and tested solutions. If you’d like to know how to make your server more reliable, we’d be happy to talk to you.