A critical denial-of-service (DoS) vulnerability in Facebook’s open-source implementation of the transport layer security (TLS) 1.3 protocol could cause an infinite loop – thus disrupting any web service that relies on it.
Kevin Backhouse, a researcher at Semmle, discovered the bug in the project (CVE-2019-3560), which is called Facebook Fizz. Fizz is used on most of Facebook’s own infrastructure to facilitate secure communications with web services using TLS 1.3 (i.e., https instead of http), but it was also made public last August for use by other organizations.
The vulnerability is “relatively easy to trigger by an unauthenticated remote attacker” who sends a malicious message via TCP to any server that uses Fizz, according to a Semmle advisory posted this week. It stems from an integer overflow in a 16-bit unsigned addition, leading to an infinite loop.
“Fizz is written in a modern C++ style, so it’s unlikely to have something like a buffer overflow, which is so common in older C projects,” Backhouse said. “That’s why I [searched] for integer overflows instead. The overflow I found causes the code to enter an infinite loop, which could be used to launch a denial of service attack.”
As for the impact of an exploit, it could make the server unresponsive to other clients – and it could have a cascading effect.
“The size of the [malicious] message [sent to the service] is just over 64KB, so this attack is extremely cheap for the attacker, but crippling for the server,” he explained in a technical writeup, adding that he is holding off on providing full details of how to exploit the problem. “To illustrate this, a single computer with an unexceptional domestic-grade internet connection (1Mbps upload speed) could send two of these messages per second. Since each message knocks out one CPU core, it would only take a small botnet to quickly debilitate an entire data center.”
The good news is that an exploit enables an attacker to disrupt the service, but not to gain unauthorized access to user data or content.
A patch is available and has been included in Fizz version 2019.02.25.00 (and later), and Facebook has fixed the flaw in its own implementations of Fizz.
“All other web applications that rely on Fizz are advised to upgrade their Fizz libraries as a matter of urgency,” researchers said.
Backhouse said that the fix for the vulnerability is simple: “use a larger type than uint16_t to compute the addition, so that an integer overflow is impossible.”
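To make the bug class and the fix concrete, here is an added illustration in C++ (not Fizz's code, and not the message or code path Backhouse describes). It assumes a hypothetical record format of a 2-byte big-endian length followed by a body, parsed by a loop that advances a cursor. When the cursor and the addition are `uint16_t`, a buffer longer than 65,535 bytes can make the cursor wrap back to an earlier position, so the loop never reaches the end; doing the arithmetic in `size_t`, as the quoted advice suggests, makes the cursor strictly increase and the loop terminate.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Constructed illustration of a 16-bit unsigned cursor that wraps and stalls
// a parsing loop. Not Fizz's code; the record layout is hypothetical.

// Read a big-endian 16-bit length at offset `at` (caller checks bounds).
static uint16_t readBE16(const std::vector<uint8_t>& buf, size_t at) {
  return static_cast<uint16_t>((buf[at] << 8) | buf[at + 1]);
}

// Vulnerable shape: the cursor and the advance are both uint16_t.
// Returns the record count, -2 if a record runs past the buffer, or -1 if the
// cursor failed to move forward. The -1 case is the wrap: this demo guard only
// exists so the function returns; an unguarded loop would spin forever.
int countRecordsU16(const std::vector<uint8_t>& buf) {
  uint16_t pos = 0;
  int records = 0;
  while (static_cast<size_t>(pos) + 2 <= buf.size()) {
    uint16_t len = readBE16(buf, pos);
    size_t end = static_cast<size_t>(pos) + 2 + len;
    if (end > buf.size()) return -2;                        // truncated record
    ++records;
    uint16_t next = static_cast<uint16_t>(pos + 2 + len);  // wraps mod 65536
    if (next <= pos) return -1;                             // no progress: wrap
    pos = next;
  }
  return records;
}

// Fixed shape: compute and hold the cursor in a type wide enough that the
// addition cannot wrap, so each iteration strictly advances.
int countRecordsSafe(const std::vector<uint8_t>& buf) {
  size_t pos = 0;
  int records = 0;
  while (pos + 2 <= buf.size()) {
    uint16_t len = readBE16(buf, pos);
    size_t end = pos + 2 + static_cast<size_t>(len);
    if (end > buf.size()) return -2;  // truncated record
    ++records;
    pos = end;                        // strictly increasing; loop terminates
  }
  return records;
}

// Constructed input: one record whose header plus body is exactly 65,536
// bytes, followed by a 4-byte record. 65,540 bytes in total.
std::vector<uint8_t> makeWrappingInput() {
  std::vector<uint8_t> buf;
  buf.push_back(0xFF);
  buf.push_back(0xFE);                          // len = 65534
  buf.resize(buf.size() + 65534, 0x00);         // body
  buf.push_back(0x00);
  buf.push_back(0x02);                          // len = 2
  buf.push_back(0xAA);
  buf.push_back(0xBB);
  return buf;
}

int main() {
  std::vector<uint8_t> input = makeWrappingInput();
  std::cout << "uint16_t cursor: " << countRecordsU16(input) << "\n";   // -1 (stalled)
  std::cout << "size_t cursor:   " << countRecordsSafe(input) << "\n";  // 2
  return 0;
}
```

The first record's header plus body is exactly 65,536 bytes, so `0 + 2 + 65534` narrowed to `uint16_t` is `0` and the 16-bit cursor lands back where it started; the `size_t` version simply moves to offset 65,536 and finishes. A cheap regression check for this class of bug is a test input whose cumulative length crosses 65,535 bytes.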
Interested in vulnerability research? Don’t miss the free replay of our Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub.”
Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.