Message-Id: <AE6B099E-CAAC-4258-9640-F024447258D7@lukasa.co.uk>
Date: Thu, 4 Aug 2016 10:16:53 +0100
From: Cory Benfield <cory@...asa.co.uk>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-6580, Python Priority: DoS via Unlimited Stream Insertion

DoS via Unlimited Stream Insertion
==================================

Hyper Project security advisory, August 4th 2016.

Vulnerability
-------------

An HTTP/2 implementation built using the priority library could be targeted by a malicious peer that assigns priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority information for each stream, and would therefore allocate unbounded amounts of memory. Attempting to actually *use* a tree like this would also cause extremely high CPU usage to maintain the tree.

We are not aware of any active exploits of this vulnerability, but as this class of attack was publicly described in this report[1], users should assume that they are at imminent risk of this kind of attack.

Info
----

This issue has been given the name CVE-2016-6580.

Affected Versions
-----------------

This issue affects all versions of the priority library prior to 1.2.0.

The Solution
------------

In version 1.2.0, the priority library limits the maximum number of streams that can be inserted into the tree. By default this limit is 1000, but it is user-configurable.

If it is necessary to backport a patch, the patch can be found in this GitHub pull request[2].

Recommendations
---------------

We suggest you take the following actions immediately, in order of preference:

1. Update priority to 1.2.0 immediately, and consider revising the maximum number of streams downward to a suitable value for your application.
2. Backport the patch made available on GitHub.
3. Manually enforce a limit on the number of priority settings you'll allow at once.

Timeline
--------

This class of vulnerability was publicly reported in this report[1] on the 3rd of August. We requested a CVE ID from Mitre the same day. Priority 1.2.0 was released on the 4th of August, at the same time as the publication of this advisory.

Thanks,

Cory Benfield, on behalf of the Python Hyper project.

[1]: http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
[2]: https://github.com/python-hyper/priority/pull/23
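As an added illustration of the mitigation the advisory describes (example code, not the priority library's own; the class and function names are assumptions), here is a minimal HTTP/2 priority tree that refuses insertions past a configurable cap, together with a check that the bound holds when a peer pushes in more stream IDs than allowed and that closing a stream frees its slot:

```python
class TooManyStreamsError(Exception):
    """Raised when a peer tries to push the tree past its configured cap."""


class BoundedPriorityTree:
    """Minimal HTTP/2 priority tree (RFC 7540 s5.3) with a stream cap. Stream 0
    is the implicit root and never counts toward the cap; the default of 1000
    matches the advisory's default. Constructed example, not library code."""

    def __init__(self, maximum_streams=1000):
        if maximum_streams < 1:
            raise ValueError("maximum_streams must be positive")
        self.maximum_streams = maximum_streams
        self._streams = {0: [None, 16, []]}  # id -> [parent_id, weight, children]

    def __len__(self):
        return len(self._streams) - 1  # root is not a peer-inserted stream

    def insert_stream(self, stream_id, depends_on=0, weight=16):
        if stream_id in self._streams:
            raise ValueError(f"stream {stream_id} already in tree")
        # The bound missing before 1.2.0: reject before allocating anything,
        # so a peer cannot grow the tree without limit.
        if len(self) >= self.maximum_streams:
            raise TooManyStreamsError(
                f"stream {stream_id} would exceed cap of {self.maximum_streams}")
        if depends_on not in self._streams:
            depends_on = 0  # unknown dependency falls back to the root
        self._streams[depends_on][2].append(stream_id)
        self._streams[stream_id] = [depends_on, weight, []]

    def remove_stream(self, stream_id):
        """Closing a stream frees its slot; children reattach to its parent."""
        parent_id, _, children = self._streams.pop(stream_id)
        parent = self._streams[parent_id]
        parent[2].remove(stream_id)
        for child_id in children:
            self._streams[child_id][0] = parent_id
            parent[2].append(child_id)


def accepted_before_cap(maximum_streams, attempts):
    """Insert odd (client-initiated) IDs until the cap trips; returns (ok, rejected)."""
    tree = BoundedPriorityTree(maximum_streams)
    accepted = rejected = 0
    for stream_id in range(1, 2 * attempts, 2):
        try:
            tree.insert_stream(stream_id)
            accepted += 1
        except TooManyStreamsError:
            rejected += 1
    return accepted, rejected
```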