LiteSpeed Addresses HTTP/2 DoS Advisories

Summary

On Tuesday, August 13th, 2019 a family of eight HTTP/2 security advisories was disclosed publicly.  We examined our software and discovered that the flagship LiteSpeed Web Server and LiteSpeed ADC products are invulnerable to seven of the eight potential attacks.  Even the one troublesome attack cannot cause any service outage: all it can do is waste computer resources.  Today, August 15th, 2019, LiteSpeed Technologies releases updated server software that addresses all of these security vulnerabilities:

Note: The fixes have also been added to LSWS 5.3.8 in build 7 now.

Timeline

  • Spring 2019: Netflix finds vulnerabilities in several HTTP/2 implementations.
  • Tue Aug 13, 1pm EDT: HTTP/2 security advisories are disclosed.
  • Tue Aug 13, 3 pm EDT: LiteSpeed begins tests to see whether its software is vulnerable.
  • Tue Aug 13, 10 pm EDT: Tests are completed and plan of action is agreed upon.
  • Wed Aug 14, 1 am EDT: Software fixes are complete.
  • Wed Aug 14: Fixes are ported to all our products and verification tests are performed.
  • Thu Aug 15, 5pm EDT: Security updates for LiteSpeed software are available.

Background

As early as May of this year, security researchers at Netflix examined several HTTP/2 implementations.  What they discovered were several avenues for potential DoS attacks.  Netflix teamed up with Google to inform HTTP/2 software vendors of potential vulnerabilities and to coordinate a synchronized software update rollout.  No one alerted us, however, and we learned about these vulnerabilities two days ago from the public announcement. Meanwhile, other vendors have had the luxury to spend months to fix their software.


LiteSpeed HTTP/2 Implementation Holds Up Well

The good news is that LiteSpeed software does well in the face of these attacks.  Only one of the potential vulnerabilities, CVE-2019-9516 (a.k.a. Zero-Length Headers Leak), is present in LiteSpeed Web Server and ADC.  A malicious client that sends a stream of zero-length header names and values causes the server to waste CPU cycles and to keep allocating memory for the duration of the connection.  In our testing, even when under such an attack, the server continued to process other connections with no perceptible performance impact.  The offending connections were closed after 60 seconds, releasing the excess memory.  Nevertheless, even though this attack cannot cause a service outage, the wasted CPU cycles are something we won’t accept.


Advisories in Detail

Below, we list the individual security advisories and their potential impact on our software — LSWS, ADC, and OpenLiteSpeed — before today’s new releases.  The new releases mitigate all these attack scenarios.

CVE-2019-9511 “Data Dribble”

LiteSpeed software is not affected by this attack.

CVE-2019-9512 “Ping Flood”

Under this attack, LSWS and ADC use slightly more memory than usual and use 100% CPU, but continue to serve other traffic.  The attacking connection is closed in 20 seconds.

OpenLiteSpeed enters a busy loop and cannot serve other traffic.

CVE-2019-9513 “Resource Loop”

The LiteSpeed HTTP/2 implementation uses an efficient priority mechanism (not a tree) and thus pays no price when priorities change.

CVE-2019-9514 “Reset Flood”

LiteSpeed software is not affected by this attack.

CVE-2019-9515 “Settings Flood”

Same as Ping Flood above: LSWS and ADC cope well while OpenLiteSpeed is effectively DoSed.

CVE-2019-9516 “0-Length Headers Leak”

LSWS, ADC, and OpenLiteSpeed keep on allocating memory and using CPU in this attack scenario, but are still able to serve other traffic.  The attacking connection is closed in 60 seconds.

The damage is limited to wasting computer resources: CPU and memory.  The amount of memory the server allocates is proportional to the volume of incoming traffic.  Because the server closes the malicious connections after a period of time and releases memory, this attack cannot take down LSWS or ADC.

CVE-2019-9517 “Internal Data Buffering”

LiteSpeed software is not affected by this attack.

CVE-2019-9518 “Empty Frames Flood”

This attack does not affect LSWS and ADC: no memory increase and no impact on service.  More CPU cycles are used to process the frames.

OpenLiteSpeed gets stuck in a loop and cannot serve other traffic.


Mitigation

The updates introduce several heuristics to detect an abnormally high frequency of control or unusual (e.g. empty) frames.  Offending connections are closed forthwith.

When the outgoing buffer is under pressure, the processing of incoming frames is suspended, which prevents the server from allocating excessive amounts of memory just to keep up with incoming data.  This feedback mechanism is a natural and effective defense against potential future DoS attacks.
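The frame-frequency heuristic described above, as an added illustration that is not LiteSpeed's own code: it parses raw HTTP/2 frames, counts control frames (PING, SETTINGS, RST_STREAM) and empty non-final DATA frames in a sliding window over one connection, and reports the connection for closing once such frames dominate. The window size and ratio thresholds are assumed values, the sample traffic at the bottom is constructed, and the back-pressure rule (suspending reads while the outgoing buffer is full) is not modelled here.

```python
import struct
from collections import deque
# HTTP/2 frame type codes (RFC 7540, section 6) and the DATA END_STREAM flag.
DATA, HEADERS, RST_STREAM, SETTINGS, PING = 0x0, 0x1, 0x3, 0x4, 0x6
END_STREAM = 0x1
CONTROL = {RST_STREAM, SETTINGS, PING}  # an abnormally high frequency of these marks a flood

def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) from a raw HTTP/2 byte stream."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) < length:  # truncated frame: wait for more bytes
            break
        yield ftype, flags, stream_id, payload
        pos += 9 + length

def frame(ftype, payload=b"", stream_id=0, flags=0):  # serialize: 9-byte header + payload
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id) + payload)

def is_suspicious(ftype, flags, payload):
    # Control frames, or empty DATA frames that do not end the stream (Empty Frames Flood):
    # they carry no useful bytes, but each one still costs CPU to process.
    return ftype in CONTROL or (ftype == DATA and not payload and not flags & END_STREAM)

class FloodDetector:
    """Share of suspicious frames among the last `window` frames of one connection."""
    def __init__(self, window=100, max_ratio=0.5, min_frames=20):  # assumed thresholds
        self.recent = deque(maxlen=window)
        self.max_ratio, self.min_frames = max_ratio, min_frames
    def feed(self, ftype, flags, payload):
        """Record one frame; return True once the connection should be closed."""
        self.recent.append(is_suspicious(ftype, flags, payload))
        if len(self.recent) < self.min_frames:
            return False
        return sum(self.recent) / len(self.recent) > self.max_ratio

def check_connection(raw):  # index of the frame at which the connection is closed, or None
    det = FloodDetector()
    for i, (ftype, flags, _sid, payload) in enumerate(parse_frames(raw)):
        if det.feed(ftype, flags, payload):
            return i
    return None

NORMAL = frame(SETTINGS) + frame(HEADERS, b"\x82\x84", 1, 0x5) + frame(DATA, b"x" * 16, 1, END_STREAM)
PING_FLOOD = NORMAL + frame(PING, b"\0" * 8) * 40  # constructed: a normal request, then a PING flood
```

A real server would run one detector per connection and feed it from the read path, so a flagged connection is closed before the flood has consumed much CPU.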


Looking Ahead

We were surprised not to have been notified of the impending security advisories beforehand.  Not only were we the HTTP/2 pioneer — at one point powering 96.5% of all websites that used HTTP/2 — but we also offer the best HTTP/2 performance in the world, beating the next fastest implementation by a factor of 8.  (Head over to https://http2benchmark.org/ to see for yourself.)

We have reached out to relevant parties to ensure that LiteSpeed Technologies is kept in the loop the next time around.

In all, it was two busy days.  We are proud of the limited impact these security advisories had on our software and of delivering security updates in such a short time.
