Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <A341696A-69DE-484C-93CB-746F1B01A924@lukasa.co.uk>
Date: Thu, 4 Aug 2016 10:18:55 +0100
From: Cory Benfield <cory@...asa.co.uk>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-6581, Python HPACK and old Python Hyper releases: HPACK Bomb

HPACK Bomb
==========

Hyper Project security advisory, August 4th 2016.

Vulnerability
-------------

A HTTP/2 implementation built using the priority library could be targetted for
a denial of service attack based on HPACK, specifically a so-called "HPACK
Bomb" attack.

This attack occurs when an attacker inserts a header field that is exactly the
size of the HPACK dynamic header table into the dynamic header table. The
attacker can then send a header block that is simply repeated requests to
expand that field in the dynamic table. This can lead to a gigantic compression
ratio of 4,096 or better, meaning that 16kB of data can decompress to 64MB of
data on the target machine.

It only takes a few such header blocks before the attacker has forced the
target to allocate gigabytes of memory, which will take the process down. This
requires relatively few resources on the part of the attacker.

While we are not aware of any attacker actively exploiting this vulnerability,
it has been public disclosed in this report[1], and so users should assume that
they are likely to be targetted by such an attack.

Info
----

This issue has been given the name CVE-2016-6581.

Affected Versions
-----------------

This issue affects all versions of the HPACK library prior to 2.3.0. It also
affects versions of the Hyper client library earlier than 0.6.0, which bundled
a copy of the HPACK library.

The Solution
------------

In version 2.3.0, the HPACK library limits the maximum decompressed size of the
header block. It does so by essentially adding support for the HTTP/2 setting
``SETTINGS_MAX_HEADER_LIST_SIZE``. This value defaults to 64kB, but is
user-configurable.

If it is necessary to backport a patch, the patch can be found in
this GitHub pull request[2].

Recommendations
---------------

We suggest you take the following actions immediately, in order of preference:

1. Update HPACK to 2.3.0 immediately.
2. Backport the patch made available on GitHub.
3. Substantially decrease the maximum size of the compressed header block your
   application will accept, or alternatively ensure that each decompressed
   header block is freed before your application processes the next one.

If you have a copy of the Hyper client library, we recommend taking the
following actions, in order of preference:

1. Update hyper to any version later than 0.6.0
2. Backport the patch made available on GitHub.

Timeline
--------

This class of vulnerability was publicly reported in this report[1] on the
3rd of August. We requested a CVE ID from Mitre the same day.

HPACK 2.3.0 was released on the 4th of August, at the same time as the
publication of this advisory.


Thanks,

Cory Benfield, on behalf of the Python Hyper project.


[1]: http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
[2]: https://github.com/python-hyper/hpack/pull/56

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.