A New Protocol Vulnerability Will Haunt the Web for Years
Dan Lorenc, a longtime open source software researcher and CEO of the software supply chain security company ChainGuard, points out that the situation illustrates a case where the availability of open source and the prevalence of code reuse (rather than always building everything from scratch) is an advantage: many web servers have likely copied their HTTP/2 implementation from an existing project rather than reinventing the wheel. If those projects are maintained, they will ship Rapid Reset fixes that propagate out to their users.
It will take years to reach full adoption of these patches, though, and some services that wrote their own HTTP/2 implementation from scratch will have no patch coming from anywhere else.
“It’s important to note that the big tech companies discovered this while it was being actively exploited,” Lorenc says. “It can be used to take a service down like operational tech or industrial control. That’s scary.”
Though the string of recent DDoS attacks on Google, Cloudflare, Microsoft, and Amazon raised the alarm for being so large, the companies were ultimately able to repel the attacks, which didn’t cause lasting damage. But just by carrying out the assaults, hackers revealed the existence of the protocol vulnerability and how it could be exploited—a cause and effect known in the security community as “burning a zero day.” Even though the patching process will take time, and some web servers will remain vulnerable long term, the internet is safer now than if attackers hadn’t shown their cards by exploiting the flaw.
“A bug like this in the standard is unusual; it’s a novel vulnerability and was a valuable finding for whoever first discovered it,” Lorenc says. “They could have saved it or even probably sold it for a lot of money. I’m always going to be curious about the mystery of why someone decided to burn this one.”
Resource: https://www.wired.com/story/http-2-rapid-reset-flaw/